
Windows Analysis Report
xXQ39a5f9EJP.exe

Overview

General Information

Sample name: xXQ39a5f9EJP.exe
Analysis ID: 1428454
MD5: b385264019d78c7225e7e088d5ad6042
SHA1: 544ef98e04e0218af42302970199dd1f66182118
SHA256: 4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116
Tags: DcRat, exe

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected AsyncRAT
Yara detected DcRat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • xXQ39a5f9EJP.exe (PID: 6860 cmdline: "C:\Users\user\Desktop\xXQ39a5f9EJP.exe" MD5: B385264019D78C7225E7E088D5AD6042)
    • cmd.exe (PID: 3164 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 3396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 6032 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
Source | Rule | Description | Author | Strings
Source: xXQ39a5f9EJP.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: xXQ39a5f9EJP.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9ae8:$a2: timeout 3 > NUL
  • 0x9b08:$a3: START "" "
  • 0x9993:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a48:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: xXQ39a5f9EJP.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a48:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9993:$s2: L2Mgc2NodGFza3MgL2
  • 0x9912:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9960:$s4: VmlydHVhbFByb3RlY3Q
Source: xXQ39a5f9EJP.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cca:$q1: Select * from Win32_CacheMemory
  • 0x9d0a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d58:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9da6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: xXQ39a5f9EJP.exe | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa142:$s1: DcRatBy
Source | Rule | Description | Author | Strings
Source: dump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x433:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x49c4:$b2: DcRat By qwqdanchun1
  • 0x4c14:$b2: DcRat By qwqdanchun1
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x63f7:$a1: havecamera
  • 0x98e8:$a2: timeout 3 > NUL
  • 0x9908:$a3: START "" "
  • 0x9793:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9848:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_DcRat_2 | Description: Yara detected DcRat | Author: Joe Security
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x7750:$b2: DcRat By qwqdanchun1
  • 0xf16c:$b2: DcRat By qwqdanchun1
  • 0xf3bc:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author | Strings
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65f7:$a1: havecamera
  • 0x9ae8:$a2: timeout 3 > NUL
  • 0x9b08:$a3: START "" "
  • 0x9993:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a48:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a48:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9993:$s2: L2Mgc2NodGFza3MgL2
  • 0x9912:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9960:$s4: VmlydHVhbFByb3RlY3Q
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cca:$q1: Select * from Win32_CacheMemory
  • 0x9d0a:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d58:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9da6:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy | Description: Detects executables containing the string DcRatBy | Author: ditekSHen
  • 0xa142:$s1: DcRatBy
          No Sigma rule has matched
Timestamp: 04/19/24-00:20:55.692486 | SID: 2034847 | Source Port: 7094 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected
Timestamp: 04/19/24-00:20:55.692486 | SID: 2848152 | Source Port: 7094 | Destination Port: 49730 | Protocol: TCP | Classtype: A Network Trojan was detected


          AV Detection

Source: xXQ39a5f9EJP.exe | Avira: detected
Source: xXQ39a5f9EJP.exe | Malware Configuration Extractor: AsyncRAT {"Ports": ["7094"], "Server": ["liverpool777.duckdns.org"], "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAMaBeR9P3Ul+SdXWCbf4dEVfPoRFMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIzMDIwNDE1MDcxN1oXDTMzMTExMzE1MDcxN1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKc8o3jPsEuo8oWGV/dKkjetOpEe003VLgZvyH72e4hhVOKpVhCoXfNzypj62QwbJzZNiJEjKbHcMIBTj6FXTcN0crxDt9y9Zkqcv5bHQt7qEhSGlQDWusiPiFi/ZUm5aABL1L3ZDlEq0EomTSE+zogqLxeR4JBAsV0AR4buL7SRAgMBAAGjMjAwMB0GA1UdDgQWBBQmwIernSRvdh/MqJJVki/p4G9lwDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBAIQGk5vP6qdN4EaKNY/YrbRS91Tu9QPKlufTNOzSlJxuxr062vtdFPTQylkVTc+MeL3xUB8gBMAixsOc/vHhhjk6N+XsPz/AvA0eRze9Tje1kzVx/fH+uv1/dBFR0/I8hyBB6C1MxQ5E4tNT4z0yGxYsRw0P9j2sVHbmQKMh1R2n", "Server Signature": "SEbLPMahs9JeJC0j5v4/FMTverhEsUQlMFhAvhUdfeRa6auTTJ/otpfbZiZfWEuXgBArX1bR9yS1pN9NEsBwBkkPOvTRwmm8puXW45QjxRW2+dfh2iaylWKUfQAfbeVT73kMNtF5SZh2AwPOl40y8sslWQkiHCmlNWGjYoKVW+s="}
Source: xXQ39a5f9EJP.exe | Joe Sandbox ML: detected
Source: xXQ39a5f9EJP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Traffic | Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 179.13.0.175:7094 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 179.13.0.175:7094 -> 192.168.2.4:49730
Source: unknown | DNS query: name: liverpool777.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 179.13.0.175:7094
Source: Joe Sandbox View | IP Address: 179.13.0.175
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: liverpool777.duckdns.org
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2721166545.00000000008F6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabRead
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: xXQ39a5f9EJP.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR

          System Summary

Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attempting to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B888346
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B8890F2
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B8830E2
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88FFE0
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88FF58
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88DE0D
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88C56F
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B89DD00
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88FBFA
Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B88F460
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll" vs xXQ39a5f9EJP.exe
Source: xXQ39a5f9EJP.exe, 00000000.00000002.2723423960.0000000012761000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll" vs xXQ39a5f9EJP.exe
Source: xXQ39a5f9EJP.exe, 00000000.00000000.1613534341.000000000047E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs xXQ39a5f9EJP.exe
Source: xXQ39a5f9EJP.exe | Binary or memory string: OriginalFilenameClient.exe" vs xXQ39a5f9EJP.exe
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: xXQ39a5f9EJP.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attempting to enumerate video devices using WMI
Source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding base64-encoded APIs, command lines, registry keys, etc.
Source: 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Task.cs | Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskService.cs | Task registration methods: 'CreateFromToken'
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, ITaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskFolder.cs | Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: xXQ39a5f9EJP.exe, Settings.cs | Base64 encoded string: [opaque base64 blobs omitted]
Source: xXQ39a5f9EJP.exe, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, HandleNormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, HandleNormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Task.cs | Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: xXQ39a5f9EJP.exe, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: xXQ39a5f9EJP.exe, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskPrincipal.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskSecurity.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, TaskSecurity.cs | Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, TaskFolder.cs | Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, User.cs | Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/5@1/1
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xXQ39a5f9EJP.exe.logJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeMutant created: NULL
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3396:120:WilError_03
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeMutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeFile created: C:\Users\user\AppData\Local\Temp\tmp679F.tmpJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""
          Source: xXQ39a5f9EJP.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: xXQ39a5f9EJP.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\xXQ39a5f9EJP.exe "C:\Users\user\Desktop\xXQ39a5f9EJP.exe"
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""Jump to behavior
          Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3Jump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: mscoree.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: apphelp.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: msasn1.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: amsi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: fwpuclnt.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: secur32.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: schannel.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: mskeyprotect.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: ntasn1.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: ncrypt.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: ncryptsslp.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: gpapi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: cryptnet.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: winnsi.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: winhttp.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: webio.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: cabinet.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: wbemcomn.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: sxs.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: devenum.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: ntmarta.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: devobj.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Section loaded: msdmo.dll
          Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
          Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: xXQ39a5f9EJP.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: xXQ39a5f9EJP.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
          Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
          Source: 0.2.xXQ39a5f9EJP.exe.1281bd50.2.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
          Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
          Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, ReflectionHelper.cs | .Net Code: InvokeMethod
          Source: 0.2.xXQ39a5f9EJP.exe.bb0000.1.raw.unpack, XmlSerializationHelper.cs | .Net Code: ReadObjectProperties
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B895A5F push ebp; retf 5F4Dh | 0_2_00007FFD9B895AD8
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B895963 push edx; retf | 0_2_00007FFD9B8959DB
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B898167 push ebx; ret | 0_2_00007FFD9B89816A
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Code function: 0_2_00007FFD9B8800BD pushad ; iretd | 0_2_00007FFD9B8800C1

          Boot Survival

          Source: Yara match | File source: xXQ39a5f9EJP.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\F723E1B88FDFE54EEC0E F7A2CF016280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: xXQ39a5f9EJP.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
          Source: xXQ39a5f9EJP.exe | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Memory allocated: CC0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Memory allocated: 1A750000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Window / User API: threadDelayed 9810
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe TID: 6540 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe TID: 4500 | Thread sleep time: -1844674407370954s >= -30000s
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe TID: 6092 | Thread sleep count: 9810 > 30
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe TID: 6092 | Thread sleep count: 49 > 30
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Thread delayed: delay time: 922337203685477
          Source: xXQ39a5f9EJP.exe, 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: xXQ39a5f9EJP.exe, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
          Source: xXQ39a5f9EJP.exe, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
          Source: xXQ39a5f9EJP.exe, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
          Source: xXQ39a5f9EJP.exe, Amsi.cs | Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""
          Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
          Source: xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029BC000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002A81000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Queries volume information: C:\Users\user\Desktop\xXQ39a5f9EJP.exe VolumeInformation
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match | File source: xXQ39a5f9EJP.exe, type: SAMPLE
          Source: Yara match | File source: 0.0.xXQ39a5f9EJP.exe.470000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
          Source: xXQ39a5f9EJP.exe, 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: MSASCui.exe
          Source: xXQ39a5f9EJP.exe, 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: procexp.exe
          Source: xXQ39a5f9EJP.exe, 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: MsMpEng.exe
          Source: C:\Users\user\Desktop\xXQ39a5f9EJP.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

          Stealing of Sensitive Information

          Source: Yara match | File source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match | File source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xXQ39a5f9EJP.exe PID: 6860, type: MEMORYSTR
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | 1 Scripting | Valid Accounts | 1 Windows Management Instrumentation | 1 Scripting | 12 Process Injection | 1 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 1 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 11 Scheduled Task/Job | 1 Modify Registry | LSASS Memory | 121 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 31 Virtualization/Sandbox Evasion | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | 11 Application Layer Protocol | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 12 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Obfuscated Files or Information | Cached Domain Credentials | 13 System Information Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Software Packing | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Behavior Graph ID: 1428454 | Sample: xXQ39a5f9EJP.exe | Startdate: 19/04/2024 | Architecture: WINDOWS | Score: 100
          • xXQ39a5f9EJP.exe started; signatures: Snort IDS alert for network traffic, Found malware configuration, Malicious sample detected (through community Yara rule), 7 other signatures
          • DNS/IP: liverpool777.duckdns.org, 179.13.0.175, ports 49730, 49739, 7094, ColombiaMovilCO Colombia; signature: Uses dynamic DNS services
          • xXQ39a5f9EJP.exe started cmd.exe, which started conhost.exe and timeout.exe

          Source | Detection | Scanner | Label | Link
          xXQ39a5f9EJP.exe | 100% | Avira | HEUR/AGEN.1307404
          xXQ39a5f9EJP.exe | 100% | Joe Sandbox ML
          No Antivirus matches
          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          liverpool777.duckdns.org | 179.13.0.175 | true | true | | unknown
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, xXQ39a5f9EJP.exe, 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp | false | | high
          IP | Domain | Country | Flag | ASN | ASN Name | Malicious
          179.13.0.175 | liverpool777.duckdns.org | Colombia | | 27831 | ColombiaMovilCO | true
          Joe Sandbox version: 40.0.0 Tourmaline
          Analysis ID: 1428454
          Start date and time: 2024-04-19 00:20:06 +02:00
          Joe Sandbox product: CloudBasic
          Overall analysis duration: 0h 5m 3s
          Hypervisor based Inspection enabled: false
          Report type: full
          Cookbook file name: default.jbs
          Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes: 8
          Number of new started drivers analysed: 0
          Number of existing processes analysed: 0
          Number of existing drivers analysed: 0
          Number of injected processes analysed: 0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode: default
          Analysis stop reason: Timeout
          Sample name: xXQ39a5f9EJP.exe
          Detection: MAL
          Classification: mal100.troj.evad.winEXE@7/5@1/1
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 58%
          • Number of executed functions: 10
          • Number of non-executed functions: 2
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
          • Excluded IPs from analysis (whitelisted): 72.21.81.240
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • Report size getting too big, too many NtReadVirtualMemory calls found.
          • VT rate limit hit for: xXQ39a5f9EJP.exe
          Time | Type | Description
          00:20:55 | API Interceptor | 2x Sleep call for process: xXQ39a5f9EJP.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
179.13.0.175 | xmrhZ7VhlJjD.exe | malicious | Quasar |
179.13.0.175 | xBoD1uCJo8Dc.exe | malicious | XWorm |
179.13.0.175 | xffRCvQIkXWb.exe | malicious | XWorm |
179.13.0.175 | xApyUPoAYp9c.exe | malicious | AsyncRAT |
179.13.0.175 | xVDnoXtgbTMW.exe | malicious | AsyncRAT |
179.13.0.175 | xApyUPoAYp9c.exe | malicious | AsyncRAT |
179.13.0.175 | xVDnoXtgbTMW.exe | malicious | AsyncRAT |
179.13.0.175 | x1h52dJdta0O.exe | malicious | Njrat |
179.13.0.175 | xH9gjpK4z9CH.exe | malicious | Njrat |
179.13.0.175 | xf9obZbyKks2.exe | malicious | Njrat |
Match | Associated Sample Name / URL | Detection | Threat Name | Context
liverpool777.duckdns.org | x1h52dJdta0O.exe | malicious | Njrat | 179.13.0.175
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ColombiaMovilCO | 6VXQ3TUNZo.elf | malicious | Mirai | 181.207.246.71
ColombiaMovilCO | wFtZih4nN9.elf | malicious | Mirai | 191.90.223.182
ColombiaMovilCO | tu.exe | malicious | Remcos | 179.14.10.110
ColombiaMovilCO | xmrhZ7VhlJjD.exe | malicious | Quasar | 179.13.0.175
ColombiaMovilCO | enEQvjUlGl.elf | malicious | Mirai | 181.207.212.107
ColombiaMovilCO | Ns1xkTsDQO.elf | malicious | Mirai | 181.68.139.5
ColombiaMovilCO | 7t5zI3LtK8.elf | malicious | Mirai | 181.207.212.113
ColombiaMovilCO | MYb7GhRJl7.elf | malicious | Mirai | 181.69.231.0
ColombiaMovilCO | xBoD1uCJo8Dc.exe | malicious | XWorm | 179.13.0.175
ColombiaMovilCO | xffRCvQIkXWb.exe | malicious | XWorm | 179.13.0.175
                                  No context
                                  No context
                                  Process:C:\Users\user\Desktop\xXQ39a5f9EJP.exe
                                  File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                  Category:dropped
                                  Size (bytes):69993
                                  Entropy (8bit):7.99584879649948
                                  Encrypted:true
                                  SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
                                  MD5:29F65BA8E88C063813CC50A4EA544E93
                                  SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
                                  SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
                                  SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
                                  Process:C:\Users\user\Desktop\xXQ39a5f9EJP.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):330
                                  Entropy (8bit):3.141494007698779
                                  Encrypted:false
                                  SSDEEP:6:kK9ZlDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:zlMkPlE99SNxAhUeVLVt
                                  MD5:F8434D5CFA720139E31894AB43807D4B
                                  SHA1:5902936B530151D272E09D013FB09C6A5105A3DC
                                  SHA-256:C6087B5954A1233D0C21D33E32C87F58C4E244E3D0A428CA47F26178B64DD22C
                                  SHA-512:9B0BB6FE03056CA4D8F709CCEF69E1F0C8B04076F66799B72CA75EF90539E2B4FA77ED8F31A235B57A4378386F6B41A9F1A4AABE1510025167C90B8A577C2B25
                                  Malicious:false
                                  Reputation:low
                                  Preview:p...... ........U.C....(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
                                  Process:C:\Users\user\Desktop\xXQ39a5f9EJP.exe
                                  File Type:CSV text
                                  Category:dropped
                                  Size (bytes):1907
                                  Entropy (8bit):5.375380268342155
                                  Encrypted:false
                                  SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkl+vxp3/ell1qHGIs0HKJHNptLHqHj:iqbYqGSI6oPtzHeqKksZp/ellwmj0qJi
                                  MD5:4CEAC8E156C9A1D90AB03AF9133D7A38
                                  SHA1:39ACAE4267BF940B8995DD12CC797DE497B4D73E
                                  SHA-256:7BB4ADB915FC1C1076B35CC3D69402A22EB89878D6269FAF5826FF06958ED0D6
                                  SHA-512:597A202013C9E046449D71BF4C816E98BC7203EDBEB17F3D181400590C36E9E545B6FD7449635719EEF595B8730C066313912B1DA1A7F87AC818082B2C330A7B
                                  Malicious:false
                                  Reputation:low
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V
                                  Process:C:\Users\user\Desktop\xXQ39a5f9EJP.exe
                                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                                  Category:dropped
                                  Size (bytes):153
                                  Entropy (8bit):5.139737252440667
                                  Encrypted:false
                                  SSDEEP:3:mKDDCMNqTtv3Dt+WfHvhs9d9E5Dcq10d9DwU1hGDt+kiE2J5xAInTRI5iL1ZPy:hWKqTtLwQO9/iDc5DNewkn23fT1k
                                  MD5:2A715442718477F4ACE5FC6E7DB52688
                                  SHA1:E9BA28439F9294F1B0CEBF3BF6D23DBF57A55487
                                  SHA-256:7A9920C759A7347D896D900ABBD0EF53CCAB6BE841DF6BE674AC233EEA9E2289
                                  SHA-512:AC1B08A077050295B15B2B20A1B8C620BCF81E447FEAE5485071B05C7BBC84CCD8910E108CA0B1D2EE8F73FE209B1B2090D1F30828A960B561C9043DDAEFE70C
                                  Malicious:false
                                  Reputation:low
                                  Preview:@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "xXQ39a5f9EJP.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp679F.tmp.bat" /f /q..
                                  Process:C:\Windows\System32\timeout.exe
                                  File Type:ASCII text, with CRLF line terminators, with overstriking
                                  Category:dropped
                                  Size (bytes):69
                                  Entropy (8bit):4.643906340459884
                                  Encrypted:false
                                  SSDEEP:3:hYFqdLGAR+mQRKVxLZXt04hovn:hYFqGaNZK4Qn
                                  MD5:A95BB132FBBAD82B9DC8D474497E4B61
                                  SHA1:EFF67571370682301B518C7DC6F6BF09BBA7C940
                                  SHA-256:4CBE1DA45AB844939D9E506733ED61E0FF3641B779AC057FA35749E5C9CDA453
                                  SHA-512:A37FAECFFEB9ACC03861D96520FFE4BDBC91DDF12078CEEF35523A0EC9BFF43C25344C37251BBFEBCE8B3477512B5A75B360B48BA1DCFDD1B24C0172B23A62E1
                                  Malicious:false
                                  Reputation:moderate, very likely benign file
                                  Preview:..Waiting for 3 seconds, press a key to continue ....2.1.4294967295..
                                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                  Entropy (8bit):5.615876081246294
                                  TrID:
                                  • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                  • Win32 Executable (generic) a (10002005/4) 49.75%
                                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                  • Windows Screen Saver (13104/52) 0.07%
                                  • Generic Win/DOS Executable (2004/3) 0.01%
                                  File name:xXQ39a5f9EJP.exe
                                  File size:48'640 bytes
                                  MD5:b385264019d78c7225e7e088d5ad6042
                                  SHA1:544ef98e04e0218af42302970199dd1f66182118
                                  SHA256:4eb22bcde9c1f6978506647ab39e9e4245cb4bde3a359c0348e37ec3f9c12116
                                  SHA512:2a7b118a8c7c9e38884d884891c9342fafa80ec65a6f54c1ac7daefd23c33aada89250e2fbaa3507e802440c9bcbc9288bf0fd8391dabd3587e140330d7e1587
                                  SSDEEP:768:4q+s3pUtDILNCCa+DiptelDSN+iV08YbygeiOOW1tWtirvEgK/JvZVc6KN:4q+AGtQOptKDs4zb13OOW1tWErnkJvZI
                                  TLSH:96235D4037D88136F2BD4BB4ACF2E14586B5D2676903CA9D6CC814EA1F13BC59A136FE
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0x40cbbe
                                  Entrypoint Section:.text
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE
                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:4
                                  OS Version Minor:0
                                  File Version Major:4
                                  File Version Minor:0
                                  Subsystem Version Major:4
                                  Subsystem Version Minor:0
                                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                  Instruction
                                  jmp dword ptr [00402000h]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb64 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xabc4 | 0xac00 | 21c919d4bb2022b37b2a380177fe0763 | False | 0.5020439680232558 | data | 5.640623955928705 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/19/24-00:20:55.692486 | TCP | 2034847 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT) | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
04/19/24-00:20:55.692486 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 00:20:55.283459902 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:55.457745075 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:20:55.457851887 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:55.490252018 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:55.692486048 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:20:55.698606968 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:55.878040075 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:20:55.932013988 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:56.664951086 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:56.889107943 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:20:56.889175892 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:20:57.112657070 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:08.278161049 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:08.508018970 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:08.508344889 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:08.693154097 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:08.744586945 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:08.916750908 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:08.963236094 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:10.207216978 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:10.433042049 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:10.433162928 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:10.663716078 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:19.901542902 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:20.123373985 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:20.123606920 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:20.337183952 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:20.337266922 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:20.703603029 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:20.703694105 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:20.706836939 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:20.918540955 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:20.918626070 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:21.141761065 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:31.526016951 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:31.742800951 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:31.742872000 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:31.926377058 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:31.978816986 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:32.162178993 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:32.164033890 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:32.387516975 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:32.387603045 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:32.632879972 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:43.151360035 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:43.393104076 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:43.393234015 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:43.572755098 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:43.619420052 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:43.801678896 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:43.803864956 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:44.022526026 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:44.022664070 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:44.237818003 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:50.448080063 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:50.494509935 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:50.842600107 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:50.885149956 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:54.776056051 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:55.010835886 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:55.010988951 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:55.191595078 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:55.244380951 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:55.420875072 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:55.422667980 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:55.647516012 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:21:55.647655964 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:21:55.877212048 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:06.569555044 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:06.797266006 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:06.797379017 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:06.982219934 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:07.025610924 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:07.211014986 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:07.213219881 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:07.453299046 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:07.453408957 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:07.686240911 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:18.182667971 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:18.413059950 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:18.413155079 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:18.593055964 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:18.635226965 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:18.822474003 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:18.824476957 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:19.046228886 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:19.046307087 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:19.268564939 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:20.324033976 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:20.369339943 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:20.857744932 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:20.857912064 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:20.877545118 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:20.877785921 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:21.171648026 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:21.171789885 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:29.807471991 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:30.032625914 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:30.032705069 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:30.213116884 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:30.260160923 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:30.428096056 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:30.432220936 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:30.663058996 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:30.663122892 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:30.892462969 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:36.863116026 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:36.916351080 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.098105907 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.100912094 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.336452007 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.336561918 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.576682091 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.607085943 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.607209921 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.607270002 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.786994934 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.787395954 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.787471056 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.962282896 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.962753057 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.962769985 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.962820053 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
Apr 19, 2024 00:22:37.963109016 CEST | 7094 | 49730 | 179.13.0.175 | 192.168.2.4
Apr 19, 2024 00:22:37.963145018 CEST | 49730 | 7094 | 192.168.2.4 | 179.13.0.175
                                  Apr 19, 2024 00:22:38.144299984 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144319057 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144335985 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144377947 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.144618034 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144661903 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.144758940 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144777060 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144794941 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.144834042 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.145088911 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.145132065 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.321271896 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.322248936 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.322299004 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.323216915 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.323932886 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.323985100 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.326297045 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.326771975 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.326878071 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.327236891 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.327733994 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.327775955 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.496309996 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.496855021 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.497023106 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.497322083 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.497865915 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.497915983 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.497920036 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.501682997 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.501740932 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.502062082 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.502545118 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.502589941 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.502840996 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.556843042 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.676426888 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.676945925 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.676999092 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.681396961 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.681411028 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.681449890 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.681880951 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.682370901 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.682424068 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.690737009 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.742762089 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.742847919 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.856441021 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857023954 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857042074 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857088089 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.857450962 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857465982 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857503891 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.857683897 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.857727051 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:38.926980972 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.927362919 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:38.927428961 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.039211988 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.039401054 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.039485931 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.039659023 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.039875984 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.039913893 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.039946079 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.040399075 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.040453911 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.101763964 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.102047920 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.102121115 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.228363991 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.228975058 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.229043007 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.229165077 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.229202032 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.229252100 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.230305910 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.236952066 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.237164974 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.280946016 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.280986071 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.281024933 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.281059027 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.322551966 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.414624929 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.415080070 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.415158033 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.415735006 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.416058064 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.416163921 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.425213099 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.425472975 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.425540924 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.459374905 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.468544960 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.468671083 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.504611969 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.556772947 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.605256081 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.605535030 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.605587006 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.606276035 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.614144087 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.614167929 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.614192009 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.614665031 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.614710093 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.647620916 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.648016930 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.648087978 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.736454964 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.791207075 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.792207956 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.793437958 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.793479919 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.793495893 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.793596983 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.793643951 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.794631004 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.794673920 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.794714928 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.805620909 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.827332973 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.827392101 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.831423044 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.884936094 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.971425056 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.971851110 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.971935034 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.972418070 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.972836018 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.972899914 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.973320007 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.973800898 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:39.973850012 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:39.974265099 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.012115955 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.012289047 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.012478113 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.056802034 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.072472095 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.081553936 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.081624985 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.157094002 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.157557964 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.157604933 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.158005953 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.158509970 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.158554077 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.159015894 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.167150021 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.167207003 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.197082043 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.197480917 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.197537899 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.236984015 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.257036924 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.257148981 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.257925987 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.306782961 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.341109037 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.341608047 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.341670036 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.342107058 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.342564106 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.342607021 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.351155043 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.351615906 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:40.351677895 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.950201035 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:40.951529026 CEST497397094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.133196115 CEST709449739179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.133320093 CEST497397094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.133678913 CEST497397094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.171084881 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.171330929 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.327919006 CEST709449739179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.328609943 CEST497397094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.406184912 CEST709449730179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.430273056 CEST497397094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.437047005 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.445925951 CEST497307094192.168.2.4179.13.0.175
                                  Apr 19, 2024 00:22:41.563982010 CEST709449739179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.603636026 CEST709449739179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.623239994 CEST709449739179.13.0.175192.168.2.4
                                  Apr 19, 2024 00:22:41.623290062 CEST497397094192.168.2.4179.13.0.175
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 19, 2024 00:20:55.139539003 CEST | 50290 | 53 | 192.168.2.4 | 1.1.1.1
Apr 19, 2024 00:20:55.278522015 CEST | 53 | 50290 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 19, 2024 00:20:55.139539003 CEST | 192.168.2.4 | 1.1.1.1 | 0xa8fa | Standard query (0) | liverpool777.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 19, 2024 00:20:55.278522015 CEST | 1.1.1.1 | 192.168.2.4 | 0xa8fa | No error (0) | liverpool777.duckdns.org | | 179.13.0.175 | A (IP address) | IN (0x0001) | false


                                  Target ID:0
                                  Start time:00:20:51
                                  Start date:19/04/2024
                                  Path:C:\Users\user\Desktop\xXQ39a5f9EJP.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Users\user\Desktop\xXQ39a5f9EJP.exe"
                                  Imagebase:0x470000
                                  File size:48'640 bytes
                                  MD5 hash:B385264019D78C7225E7E088D5AD6042
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2722186865.000000000292B000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.1613517269.0000000000472000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2722186865.0000000002A44000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2724541084.000000001B1C3000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2724197817.000000001B054000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000000.00000002.2721545621.0000000000BB0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2721166545.0000000000963000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2722186865.00000000027AA000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2722186865.00000000029C8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2722186865.0000000002751000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                  Reputation:low
                                  Has exited:true

                                  Target ID:5
                                  Start time:00:22:40
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp679F.tmp.bat""
                                  Imagebase:0x7ff7a4100000
                                  File size:289'792 bytes
                                  MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:6
                                  Start time:00:22:40
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7699e0000
                                  File size:862'208 bytes
                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high
                                  Has exited:true

                                  Target ID:7
                                  Start time:00:22:40
                                  Start date:19/04/2024
                                  Path:C:\Windows\System32\timeout.exe
                                  Wow64 process (32bit):false
                                  Commandline:timeout 3
                                  Imagebase:0x7ff7291b0000
                                  File size:32'768 bytes
                                  MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:moderate
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:21%
                                    Dynamic/Decrypted Code Coverage:100%
                                    Signature Coverage:0%
                                    Total number of Nodes:6
                                    Total number of Limit Nodes:0
execution_graph (node id, address, API call):
14664 7ffd9b8829e1 -> 14665 7ffd9b8829eb (LoadLibraryA) -> 14667 7ffd9b882ad2
14668 7ffd9b882d3d -> 14669 7ffd9b882d4b (VirtualProtect) -> 14671 7ffd9b882e2b
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5f02bdd8a9133f25de6cfe3afdf24028cdd7f46784e29ad0ad55ed2f22796bbc
                                    • Instruction ID: fb3cd227eb01c150b0deb76697f832196f9900622c50442b4957809c913c7a28
                                    • Opcode Fuzzy Hash: 5f02bdd8a9133f25de6cfe3afdf24028cdd7f46784e29ad0ad55ed2f22796bbc
                                    • Instruction Fuzzy Hash: 1743613062DB498FD7B8DB58C495AAAB3E1FF98700F11457DD48DC32A5DE34A942CB82
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
control_flow_graph: function at 7ffd9b89dd00, basic blocks 7ffd9b89dd00-7ffd9b89e40a (entry block 7ffd9b89dd00-7ffd9b89dd41 calls 7ffd9b88f3e8); call targets within the graph: 7ffd9b88f3e8, 7ffd9b88f1b8, 7ffd9b88f380, 7ffd9b88f3f8, 7ffd9b88f468, 7ffd9b88f450, 7ffd9b88f3b8, 7ffd9b88f3f0, 7ffd9b88f3e0, 7ffd9b897fd8, 7ffd9b88f410, 7ffd9b88f3d8, 7ffd9b89e40b. Rendered edge list omitted.
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: BM_H$]M_H
                                    • API String ID: 0-2720215389
                                    • Opcode ID: 3121f1e061e7d8e659d5ee35a3ed0f99fd141db1c12996544c84b75931756f89
                                    • Instruction ID: f749902c5de96ee12998b5d15660adb329d677ba94dd7cc9478c48224d8ff3e2
                                    • Opcode Fuzzy Hash: 3121f1e061e7d8e659d5ee35a3ed0f99fd141db1c12996544c84b75931756f89
                                    • Instruction Fuzzy Hash: 8A42A231B19A0D8FEBA4EB5CD8A5A697BE1FF98340F1501B9E44DC32A6DE24EC418741
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph figure: basic blocks spanning 7ffd9b8830e2-7ffd9b8838a4, entry block 7ffd9b8830e2-7ffd9b883142; only internal calls (7ffd9b881998, 7ffd9b8819a8, 7ffd9b8819b8, 7ffd9b8838d5, 7ffd9b8819c8, 7ffd9b8819d8, 7ffd9b882418, 7ffd9b881988, 7ffd9b880628), no named API calls]
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ,
                                    • API String ID: 0-3772416878
                                    • Opcode ID: 8b21fe4f055db928f031156a79bcd98766e53a1dc58ff6674c503b06834d5758
                                    • Instruction ID: 9fb5f07c1f9897bd679920289c39ea21a8aa60046fb49e4a6adfbb63a68b27cf
                                    • Opcode Fuzzy Hash: 8b21fe4f055db928f031156a79bcd98766e53a1dc58ff6674c503b06834d5758
                                    • Instruction Fuzzy Hash: 1432C331B19D0A4FEBA8EB689465679B3D2EF9C310F55057DE02EC32D6DE38A8428741
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph figure: basic blocks spanning 7ffd9b88c56f-7ffd9b88d6a0, entry block 7ffd9b88c56f-7ffd9b88c588; only internal calls (7ffd9b884a50, 7ffd9b88abf8, 7ffd9b880ac8, 7ffd9b88a9e8), no named API calls; most paths converge on block 7ffd9b88d4b2-7ffd9b88d4be]
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 74b667bdb26f323d7407a6436b1a32d46ee6d02e1ac07145e7960b9126f2942c
                                    • Instruction ID: fcd54d14e5c4ccfe33bbbc10cb85cc52d12d8cb4475b2d5782898241009444b4
                                    • Opcode Fuzzy Hash: 74b667bdb26f323d7407a6436b1a32d46ee6d02e1ac07145e7960b9126f2942c
                                    • Instruction Fuzzy Hash: 6AB20821B1DD0E4BEB6CEB6894A5A7573D2EFA8310F5541BAD02EC31EBDD38B8424741
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: DN_L
                                    • API String ID: 0-226491548
                                    • Opcode ID: 61e035e0fe78df6374d5ab57749b75c8321e7459ed94328a135bf7ec6ebc4513
                                    • Instruction ID: 5edc0d74d3fa180a4ade7ae6068294e39b05dab43cefe0fb13c28ed88babe125
                                    • Opcode Fuzzy Hash: 61e035e0fe78df6374d5ab57749b75c8321e7459ed94328a135bf7ec6ebc4513
                                    • Instruction Fuzzy Hash: 84B11371B19E494FE75C9B2CA869A7577D1EB9C300F1241BEE05DC32E3DE38A8028781
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: d59da0d1fbe6ea9a14b41ea25ce1d66763e7344b7e5c5012abaf3086c80e30aa
                                    • Instruction ID: 9e2723f8e3e3b49dffae819449d687fc8715e1e5bec68b0c0cabd76b80d29edf
                                    • Opcode Fuzzy Hash: d59da0d1fbe6ea9a14b41ea25ce1d66763e7344b7e5c5012abaf3086c80e30aa
                                    • Instruction Fuzzy Hash: 02221A31B2DA494BE76CA76894666B573C2FF9C340F45417DE04EC71E7DE28B9028781
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 4d0dee581141b03f7aba021e617dc4bad6aa7af19e8eed3adf6063ceb9884251
                                    • Instruction ID: aaf61915ddff8624f3a99dab1bbfb9ecf9c6f89318bd4d7202797602dcf0454a
                                    • Opcode Fuzzy Hash: 4d0dee581141b03f7aba021e617dc4bad6aa7af19e8eed3adf6063ceb9884251
                                    • Instruction Fuzzy Hash: B5F1A530A09E4E8FEBB8DF28C8557E937E1FF58310F04426AE85DC7295DB7499458B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9e7972202716f3fb822812e806fb53ce68566fe4ff3361456876ab24966c52dd
                                    • Instruction ID: ee862f3aa4c2a94cc17ddec717ffdd8ea3e2903453f52aa4b07d8f9aeabc89d3
                                    • Opcode Fuzzy Hash: 9e7972202716f3fb822812e806fb53ce68566fe4ff3361456876ab24966c52dd
                                    • Instruction Fuzzy Hash: 42E1D730A08E4E8FEBA8DF68C8697E977D1FF58310F04426ED81DC7295DB7499418B81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph figure: 3 basic blocks spanning 7ffd9b8829e1-7ffd9b882b31; entry block 7ffd9b8829e1-7ffd9b882ad0 calls LoadLibraryA, then block 7ffd9b882ad8-7ffd9b882b31 calls 7ffd9b882b32]
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID: LibraryLoad
                                    • String ID:
                                    • API String ID: 1029625771-0
                                    • Opcode ID: 36dbbaafa046386ac166a7464bd831da8d4c8b1320bd98972d684d2332bb324c
                                    • Instruction ID: 2b0f1d770620502f0956a786060d33cd20a959132b9ea9ad5bc0a38432bf1ef7
                                    • Opcode Fuzzy Hash: 36dbbaafa046386ac166a7464bd831da8d4c8b1320bd98972d684d2332bb324c
                                    • Instruction Fuzzy Hash: EC417270A08A1C8FDB98DF98D855BEDBBF1FF59310F1041AAD00DD7296CA75A841CB81
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Control-flow Graph

                                    [Control-flow graph figure: 7 basic blocks spanning 7ffd9b882d3d-7ffd9b882e59; entry block 7ffd9b882d3d-7ffd9b882d49, block 7ffd9b882d6e-7ffd9b882e29 calls VirtualProtect, exit block 7ffd9b882e31-7ffd9b882e59]
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID: ProtectVirtual
                                    • String ID:
                                    • API String ID: 544645111-0
                                    • Opcode ID: c6ed35651882532825955e5200c27e0fe3007fc1dadcca57c87b3fe8da3de23c
                                    • Instruction ID: 399a3642318144ce4070a6ed4ff01e8ac2c01a40ad818106ffd8ff88cb5a64c9
                                    • Opcode Fuzzy Hash: c6ed35651882532825955e5200c27e0fe3007fc1dadcca57c87b3fe8da3de23c
                                    • Instruction Fuzzy Hash: 3341263190DB884FDB199BA89C566A97FE1EF56321F0442AFD099C31A3CA746406C782
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: tL_L$vW_I
                                    • API String ID: 0-3115775106
                                    • Opcode ID: c1e42ecbebfe5cc87d863e0b7ea9c23d6c4fe9b613e44001fc2fa28f30288a14
                                    • Instruction ID: 5ad51d853ad3b5292e7e27a8ce1c74b6af932cf6cd9fee3fba95188a5403b2b7
                                    • Opcode Fuzzy Hash: c1e42ecbebfe5cc87d863e0b7ea9c23d6c4fe9b613e44001fc2fa28f30288a14
                                    • Instruction Fuzzy Hash: 5AD2F531B1EE0E5FEBA8DB6C946567473D1EF68310B1601BAD00EC76A2DE25FC428791
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.2743786229.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_7ffd9b880000_xXQ39a5f9EJP.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: HN_^$_
                                    • API String ID: 0-1249541639
                                    • Opcode ID: 0f97f97f766bfd40c63061b20eb79f541a440620b123b0992ae176fbbc21eb23
                                    • Instruction ID: 750ddc4167476283e1ec669a45cdb720f03458e8eb06ac189d75763a7fccc694
                                    • Opcode Fuzzy Hash: 0f97f97f766bfd40c63061b20eb79f541a440620b123b0992ae176fbbc21eb23
                                    • Instruction Fuzzy Hash: 04C1F057B0D8B646D31A72FDBC695E96B00CF8127AB0841B7D39DCA0D7AC48208793E5
                                    Uniqueness

                                    Uniqueness Score: -1.00%