
Windows Analysis Report
O0I14144.exe

Overview

General Information

Sample name: O0I14144.exe (renamed because original name is a hash value)
Original sample name: Serfinanzas sas obligacin de pago pendiente 632012447844D024400C0401I747O9965002152002178968523365101404253177A00270010O0I14144.exe
Analysis ID: 1486300
MD5: 2edc069ff3ad923a690b87b479a5730b
SHA1: 6a2b61caaee1a01e07600733817b0fd246df0aef
SHA256: 11eb08d4313711c1753029776d19d11eaabba4af381b456ccc405cd1d5784752
Tags: exe, njrat

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Yara detected DcRat
.NET source code references suspicious native API functions
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Sample file is different than original file name gathered from version info
Yara signature match

Classification

  • System is w10x64
  • O0I14144.exe (PID: 1196 cmdline: "C:\Users\user\Desktop\O0I14144.exe" MD5: 2EDC069FF3AD923A690B87B479A5730B)
    • conhost.exe (PID: 5276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
AsyncRAT | AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
DCRat | DCRat is a typical RAT that has been around since at least June 2019. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
{"Server": "dxpam.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "jvLtElaMrTwMxP1PP38PSfO1IDqo4CS5", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "eROjiuz0PWs+xgxamB7sdm3kB9OKtq8I1pPHgtkdiF0h9pw4eJzyp0fCw7zAO7/Q6+ftDqxvY+0OnHCoiErkMARDy55VYX6/gB5S0xXaoVgAqsvboJJN7EtFrwNTMUTPnslStHIwjEI/4a7JpzD5BLO0KCD9qZ2yVxSo7MwJXPE=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source | Rule | Description | Author
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x236f6:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author
00000000.00000003.3609001047.00000179F673C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x9490:$b2: DcRat By qwqdanchun1
  • 0x10b8c:$b2: DcRat By qwqdanchun1
00000000.00000003.2569990328.00000179F58C0000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x4a8c:$b2: DcRat By qwqdanchun1
00000000.00000003.3893502294.00000179F673C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x9490:$b2: DcRat By qwqdanchun1
  • 0x10b8c:$b2: DcRat By qwqdanchun1
00000000.00000003.3286320057.00000179F673C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x9490:$b2: DcRat By qwqdanchun1
  • 0x10b8c:$b2: DcRat By qwqdanchun1
00000000.00000003.3164758658.00000179F673C000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x9490:$b2: DcRat By qwqdanchun1
  • 0x10b8c:$b2: DcRat By qwqdanchun1
Source | Rule | Description | Author
0.2.O0I14144.exe.179f5a50000.0.raw.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.O0I14144.exe.179f5a50000.0.raw.unpack | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x65f7:$a1: havecamera
  • 0x9af0:$a2: timeout 3 > NUL
  • 0x9b10:$a3: START "" "
  • 0x999b:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a50:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
0.2.O0I14144.exe.179f5a50000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x9a50:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x999b:$s2: L2Mgc2NodGFza3MgL2
  • 0x991a:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9968:$s4: VmlydHVhbFByb3RlY3Q
0.2.O0I14144.exe.179f5a50000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x9cd2:$q1: Select * from Win32_CacheMemory
  • 0x9d12:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d60:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9dae:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.O0I14144.exe.179f5a50000.0.raw.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0xa14a:$s1: DcRatBy
No Sigma rule has matched
No Snort rule has matched
Timestamp: 2024-08-01T22:39:28.038485+0200
SID: 2848048
Source Port: 5999
Destination Port: 58852
Protocol: TCP
Classtype: Domain Observed Used for C2 Detected

AV Detection

Source: 0.2.O0I14144.exe.179f5a50000.0.unpack | Malware Configuration Extractor: AsyncRAT {"Server": "dxpam.duckdns.org", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "jvLtElaMrTwMxP1PP38PSfO1IDqo4CS5", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "eROjiuz0PWs+xgxamB7sdm3kB9OKtq8I1pPHgtkdiF0h9pw4eJzyp0fCw7zAO7/Q6+ftDqxvY+0OnHCoiErkMARDy55VYX6/gB5S0xXaoVgAqsvboJJN7EtFrwNTMUTPnslStHIwjEI/4a7JpzD5BLO0KCD9qZ2yVxSo7MwJXPE=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: O0I14144.exe | ReversingLabs: Detection: 57%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: O0I14144.exe | Joe Sandbox ML: detected
Source: O0I14144.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: ntdll.pdb source: O0I14144.exe, 00000000.00000003.2037353881.00000179F5A6A000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4487408350.00000179F5BF6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: O0I14144.exe, 00000000.00000003.2037353881.00000179F5A6A000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4487408350.00000179F5BF6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDE144 FindFirstFileExW | 0_2_00007FF624FDE144

Networking

Source: Malware configuration extractor | URLs: dxpam.duckdns.org
Source: unknown | DNS query: name: dxpam.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:58852 -> 89.117.23.25:5999
Source: Joe Sandbox View | IP Address: 89.117.23.25 89.117.23.25
Source: Joe Sandbox View | ASN Name: LRTC-ASLT LRTC-ASLT
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: dxpam.duckdns.org
Source: O0I14144.exe, 00000000.00000002.4485937377.00000179F3FBE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: O0I14144.exe, 00000000.00000002.4486562668.00000179F58B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: O0I14144.exe, 00000000.00000002.4484756612.0000017980001000.00000004.00000800.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4484756612.0000017980085000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR

System Summary

Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000003.3609001047.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2569990328.00000179F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3893502294.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3286320057.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3164758658.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2975716985.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2456977547.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4167565251.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4479290218.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3422261313.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4486989808.00000179F5940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000003.3175992535.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4220604796.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4487765659.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3635692766.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3643963176.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4486924059.00000179F58C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3172097914.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3852099703.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4486562668.00000179F5840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 Author: unknown
Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000000.00000003.4331716148.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2980365684.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4172144002.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4325221172.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2880319799.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2565382447.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2348032885.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2756003699.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3898327239.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3830502451.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4471042057.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2760409553.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4484756612.0000017980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3070691319.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3169213864.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.4001942793.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3503972303.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2467759953.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3121126867.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3508303558.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3426951741.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3030221509.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.2569860231.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3075988779.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3846495356.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4484756612.000001798030F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3372677514.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000003.3116631490.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.4484756612.0000017980085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FC10A0 Sleep,SleepEx,GetConsoleWindow,GetConsoleWindow,ShowWindow,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtDelayExecution,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,Sleep,SleepEx | 0_2_00007FF624FC10A0
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD3DC4 | 0_2_00007FF624FD3DC4
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD661C | 0_2_00007FF624FD661C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD6080 | 0_2_00007FF624FD6080
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD6F3C | 0_2_00007FF624FD6F3C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDDF38 | 0_2_00007FF624FDDF38
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDE144 | 0_2_00007FF624FDE144
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE41C8 | 0_2_00007FF624FE41C8
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD4CC8 | 0_2_00007FF624FD4CC8
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE6510 | 0_2_00007FF624FE6510
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE0508 | 0_2_00007FF624FE0508
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDB33C | 0_2_00007FF624FDB33C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE1BEC | 0_2_00007FF624FE1BEC
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE3C28 | 0_2_00007FF624FE3C28
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F594E99C | 0_2_00000179F594E99C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F594ED78 | 0_2_00000179F594ED78
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F594F1A8 | 0_2_00000179F594F1A8
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F5952454 | 0_2_00000179F5952454
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F594DAC0 | 0_2_00000179F594DAC0
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00000179F594FC5C | 0_2_00000179F594FC5C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF848FC01F8 | 0_2_00007FF848FC01F8
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF848FC0A7E | 0_2_00007FF848FC0A7E
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF848FC88D2 | 0_2_00007FF848FC88D2
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF848FC7B26 | 0_2_00007FF848FC7B26
Source: O0I14144.exe, 00000000.00000003.2037353881.00000179F5BE2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs O0I14144.exe
Source: O0I14144.exe, 00000000.00000002.4487408350.00000179F5D6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs O0I14144.exe
Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs O0I14144.exe
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000000.00000003.3609001047.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.2569990328.00000179F58C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.3893502294.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.3286320057.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.3164758658.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.2975716985.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.2456977547.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.4167565251.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.4479290218.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.3422261313.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.4486989808.00000179F5940000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
Source: 00000000.00000003.3175992535.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000003.4220604796.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.4487765659.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3635692766.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3643963176.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4486924059.00000179F58C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3172097914.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3852099703.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4486562668.00000179F5840000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Donutloader_f40e3759 os = windows, severity = x86, creation_date = 2021-09-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Donutloader, fingerprint = 6400b34f762cebb4f91a8d24c5fce647e069a971fb3ec923a63aa98c8cfffab7, id = f40e3759-2531-4e21-946a-fb55104814c0, last_modified = 2022-01-13
    Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
    Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
    Source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
    Source: 00000000.00000003.4331716148.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2980365684.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.4172144002.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.4325221172.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2880319799.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2565382447.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2348032885.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2756003699.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3898327239.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3830502451.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.4471042057.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2760409553.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4484756612.0000017980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3070691319.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3169213864.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.4001942793.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3503972303.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2467759953.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3121126867.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3508303558.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3426951741.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3030221509.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.2569860231.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3075988779.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3846495356.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4484756612.000001798030F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3372677514.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000003.3116631490.00000179F673C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 00000000.00000002.4484756612.0000017980085000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
    Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, Settings.cs | Base64 encoded string: 'so6g8x/eplbfvXco0YjpK61piELa5aaeIrmAy4YRQQg12B3O/4OssgFxOasBcXePktPc8OHNkuWzvsHTq9816w==', 'wOBTH/LB4xcVlp60+l/GiL1RJDeCvRc1k0j2FkLdtiKb1N9s8E8y9ZB1WTxXTsbeAI27X9uqsuTfQVPCIqAlasCEcykvatsAs4zX6owV7YQ=', 'zf/CF/z6BAwgKNyFDxWfgDmZ5BrTVQ+ueymGu63piwojDK6/xnTrT8b+nfpRel6VnMrQAN1QEdOxBfEm7Rp7Kw==', 'MGXxjJpPq1eucRt3GWYF551CI4rRGUn2efpmOxwfSqxjCyggrFAvFnQ1iAdXRWVZ+T7nFXH2uObt8fFtHJeBVA+BLpaueDatEgtrQ7+m5Hw=', 'zRACpORMeGzkzAVexlLwub13RLhFRubUknBt1Bfl6QpYwQWlRRYotHBgsrStBLoPojWlwI7UuXeSNhLtEF1+CMmWv8p7ufhgLokbyKtK5wAeX4jZ/De0klugpTLMphdTaMmH6vDDtvA3nZ3JEnJHkhGSukt5Z5c+ZHw4wGCY90BkdoIkDaRg2AI+MkfQYPKi1NIprGlDaBwnSmFHm8+L2opZFD2j3hqQx8rK7Z9R5wLpgE89l5LllhSbB3hz9Anf149zao/Ex7qE1gLq1Q2IptxpvANbTLDCelQJ2uZ70bRzFtZULxJJf+jH/m7arIpGeEkNrtDBs/4LJmg9txFMSzurOSwJc5/2SJFRhlYzS9QdOn7x3jpOJ9JcUV3Ocg9+2/OYeBTk7C8IwpO+nwTtbBbYod5stnisZfq9blBxVhpU//a9F8/c4RuMmCNO50zIucMkhrVqqxUoa/nSHbi0JoMFt1Ejl4MTm/0FVFHb2EDAdukodR+noPLPMR80NrEkx95b5//KETTM0glp8tHMkoXbq5h18JLuSmpzIvZuTCzht0me2Yu5q/cdjy9yrYRE3ZExUpVNF2yvDpuKEuP/PAnbsoALAa5pJyjgD4/rk/1KarTLCvJ5b6ZOpR7jnk2CvDUB4kz/qq+H/NFW/ryM3kfcQZzPT+YHu6pD8apkBI5zw4rZmRhALSckHRrwzsvg9PcUtHUb7p5rNrJ7FurTUxex78845Guvq8MHne4PU+4aUoVVGrGhUOQAzHbsno/TCDwNX0AQNy2NXk7t2LJSKxpa1HwdjMwwHepAfAtwMWeegwPahFZLTONqL7v+8uvvBF94YiWxdiRJH1Ot0lWPUu9syFuhor2bTE30CQKTKvjjPWtC40h0osQ2873VJUUbIjtnDPOvahe125/r1id3nG9nvcm4dzIG8FzjhuD8XlyNVVf/ek/aAMfwlz68jtPcNID9PfTYvn6EAB4oaCzwoZ+T/7WQjuhW+FrOym53bNSkRaUauqZSPA1vlK4F7KnFINgkuwpIcxoXTQnwThCo/qCURYMBHkwjTBIT5i41GgdGH1kHdgSjSoXS5nDE1l47', 'nNB4duZsqTXXJhPbIn21qvAyaPcvIs+dxUFmPFY7aHZtcxsym7AgPk2gBWzQQZcIfrf5LHlOe7dFTTuuoC+t+da5acKzzc80neyHO8Dl7lBvn6cg4zCLwfAU7EcejmXp7IGiMYNy/NvXXqT5gxyu7d5Y2xQSz2EzzCQ5bbb2RnHw9JCWuqwCIbXZgwJnVP2sAJ3E3uEjseQpxoToM27QDRFG8zV5gWKCzXzOLJDWWLO/AIaNVvUEvw3zbzuUdPw4Q7gM3wYaghOb9oIgsVAociw9Xy8j+yI86nfDhzUDpyM=', 'tSF/UchRkcTn1ZApgUy+YoFKxI01SWx7d4jbekqktXcSZUS2OC1KYKYwhB98vVteWIRnzIIbebsQPMh4y2NZJw==', 'UM28kXtlB2aa3s2iXYPt6vS9J0JiuASU6llohJaHQ/6L/SRIIHiQ9+v49D/GeVTcS0A2gLdWhjGLGKEY78IFpA=='
    Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, NormalStartup.cs | Base64 encoded string: 'L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g', 'U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA=='
    Source: classification engine | Classification label: mal100.troj.evad.winEXE@2/0@7/1
    Source: C:\Users\user\Desktop\O0I14144.exe | Mutant created: NULL
    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5276:120:WilError_03
    Source: C:\Users\user\Desktop\O0I14144.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
    Source: O0I14144.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\O0I14144.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: O0I14144.exe | ReversingLabs: Detection: 57%
    Source: unknown | Process created: C:\Users\user\Desktop\O0I14144.exe "C:\Users\user\Desktop\O0I14144.exe"
    Source: C:\Users\user\Desktop\O0I14144.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: apphelp.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: wininet.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: mscoree.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: amsi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: kernel.appcore.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: vcruntime140_clr0400.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: ucrtbase_clr0400.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: cryptsp.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: rsaenh.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: cryptbase.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: wldp.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: userenv.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: profapi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: windows.storage.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: sspicli.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: msasn1.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: mswsock.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: dnsapi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: iphlpapi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: rasadhlp.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: fwpuclnt.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: secur32.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: schannel.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: mskeyprotect.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: ntasn1.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: ncrypt.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: ncryptsslp.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: gpapi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: cryptnet.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: winnsi.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: wbemcomn.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: sxs.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: devenum.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: winmm.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: ntmarta.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: devobj.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Section loaded: msdmo.dll
    Source: C:\Users\user\Desktop\O0I14144.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
    Source: O0I14144.exe | Static PE information: Image base 0x140000000 > 0x60000000
    Source: O0I14144.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
    Source: O0I14144.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: ntdll.pdb source: O0I14144.exe, 00000000.00000003.2037353881.00000179F5A6A000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4487408350.00000179F5BF6000.00000004.00000020.00020000.00000000.sdmp
    Source: Binary string: ntdll.pdbUGP source: O0I14144.exe, 00000000.00000003.2037353881.00000179F5A6A000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4487408350.00000179F5BF6000.00000004.00000020.00020000.00000000.sdmp
    Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FC10A0 Sleep,SleepEx,GetConsoleWindow,GetConsoleWindow,ShowWindow,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtDelayExecution,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,Sleep,SleepEx | 0_2_00007FF624FC10A0
    Source: O0I14144.exe | Static PE information: section name: _RDATA

    Boot Survival

    Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE
    Source: Yara match | File source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
    Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR
    Source: C:\Users\user\Desktop\O0I14144.exe | Process information set: NOOPENFILEERRORBOX
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\O0I14144.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion

Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR
Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
Source: C:\Users\user\Desktop\O0I14144.exe | Memory allocated: 179F5A00000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\O0I14144.exe | Memory allocated: 179F5E40000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\O0I14144.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\O0I14144.exe | Window / User API: threadDelayed 2186
Source: C:\Users\user\Desktop\O0I14144.exe | Window / User API: threadDelayed 7638
Source: C:\Users\user\Desktop\O0I14144.exe TID: 2072 | Thread sleep time: -37815825351104557s >= -30000s
Source: C:\Users\user\Desktop\O0I14144.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDE144 FindFirstFileExW,0_2_00007FF624FDE144
Source: O0I14144.exe, 00000000.00000003.2569990328.00000179F58C0000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000003.3504100086.00000179F58E2000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000003.3609957547.00000179F58E3000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4486962642.00000179F58E4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FD2E2C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF624FD2E2C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FC10A0 Sleep,SleepEx,GetConsoleWindow,GetConsoleWindow,ShowWindow,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtDelayExecution,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,Sleep,SleepEx,0_2_00007FF624FC10A0
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FDF910 GetProcessHeap,0_2_00007FF624FDF910
Source: C:\Users\user\Desktop\O0I14144.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FCB0A4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00007FF624FCB0A4
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE8744 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00007FF624FE8744
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FCB250 SetUnhandledExceptionFilter,0_2_00007FF624FCB250
Source: C:\Users\user\Desktop\O0I14144.exe | Memory allocated: page read and write | page guard

    HIPS / PFW / Operating System Protection Evasion

Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, AntiProcess.cs | Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, Win32.cs | Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibraryA(ref name), ref method), typeof(CreateApi))
Source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, Amsi.cs | Reference to suspicious API methods: Win32.VirtualAllocEx(procAddress, (UIntPtr)(ulong)patch.Length, 64u, out var _)
Source: O0I14144.exe, 00000000.00000003.2348032885.00000179F666D000.00000004.00000020.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4484756612.0000017980083000.00000004.00000800.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4484756612.0000017980064000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: O0I14144.exe, 00000000.00000002.4484756612.0000017980083000.00000004.00000800.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4484756612.0000017980064000.00000004.00000800.00020000.00000000.sdmp, O0I14144.exe, 00000000.00000002.4484756612.000001798034F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FE4880 cpuid 0_2_00007FF624FE4880
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF624FE2644
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: EnumSystemLocalesW,0_2_00007FF624FDA54C
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: EnumSystemLocalesW,0_2_00007FF624FE25AC
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: GetLocaleInfoW,0_2_00007FF624FE2890
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: GetLocaleInfoW,0_2_00007FF624FE2A98
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: try_get_function,GetLocaleInfoW,0_2_00007FF624FDAACC
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,0_2_00007FF624FE2190
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_00007FF624FE29E8
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: EnumSystemLocalesW,0_2_00007FF624FE24DC
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_00007FF624FE2BC4
Source: C:\Users\user\Desktop\O0I14144.exe | Code function: 0_2_00007FF624FCB320 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_00007FF624FCB320
Source: C:\Users\user\Desktop\O0I14144.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

    Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.O0I14144.exe.179f5a50000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR
Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: MSASCui.exe
Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: procexp.exe
Source: O0I14144.exe, 00000000.00000003.2348032885.00000179F677C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\O0I14144.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
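Read together, the evidence in this and the preceding sections is one triage story: a native loader that resolves NtAllocateVirtualMemory, NtWriteVirtualMemory and NtCreateThreadEx through LoadLibraryA/GetProcAddress (the 0_2_00007FF624FC10A0 chain), a thread delay of 922337203685477 (if milliseconds, roughly 29,000 years, i.e. an effectively infinite sleep), a process-name list with TASKMGR.EXE and PROCESSHACKER.EXE, strings naming MsMpEng.exe, MSASCui.exe and procexp.exe, a root\SecurityCenter2 AntivirusProduct WMI query, and a MachineGuid read. The script below is an added example, not Joe Sandbox's code and not the sample's: it parses signature lines in the flattened form they have on this page (source and event cells run together, "Jump to behavior" link text trailing the detail) and reduces them to a triage record. The sample lines are copied from this report; the sleep threshold, the INJECTION_APIS set and the three-API rule are assumptions of the example.

```python
"""
Triage helper for Joe Sandbox signature lines as they appear on this page.
Added example; not Joe Sandbox's code or the sample's.  Thresholds and API
sets are assumptions, not values taken from the report.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Event labels Joe Sandbox emits that this helper understands.
EVENT_KINDS = (
    "Binary or memory string", "Thread delayed", "Thread sleep time", "Code function",
    "WMI Queries", "Key value queried", "Memory allocated", "Process information set",
    "Window / User API", "File Volume queried", "Reference to suspicious API methods",
)
# "Source: <src><kind>: <detail>[Jump to behavior]" with no separator between src and kind.
_LINE_RE = re.compile(
    r"^Source:\s*(?P<src>.*?)(?P<kind>" + "|".join(re.escape(k) for k in EVENT_KINDS)
    + r"):\s*(?P<detail>.*?)(?:Jump to behavior)?\s*$"
)
_ADDR_RE = re.compile(r"\b\d+_\d+_[0-9A-Fa-f]{8,16}\b")  # function ids like 0_2_00007FF624FC10A0

# Assumed: three of these in one function is an allocate/write/execute injection primitive set.
INJECTION_APIS = {"NtAllocateVirtualMemory", "NtWriteVirtualMemory", "NtCreateThreadEx",
                  "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"}
LONG_SLEEP_MS = 3 * 60 * 1000  # mirrors the report's own "long sleeps (>= 3 min)" signature

# Constructed sample: lines copied from this report in their flattened form.
SAMPLE_LINES = [
    r"Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE",
    r"Source: C:\Users\user\Desktop\O0I14144.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Users\user\Desktop\O0I14144.exeCode function: 0_2_00007FF624FC10A0 Sleep,SleepEx,GetConsoleWindow,GetConsoleWindow,ShowWindow,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,NtDelayExecution,NtAllocateVirtualMemory,NtWriteVirtualMemory,NtCreateThreadEx,Sleep,SleepEx,0_2_00007FF624FC10A0",
    r"Source: O0I14144.exe, 00000000.00000002.4487276511.00000179F5A50000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: MsMpEng.exe",
    r"Source: C:\Users\user\Desktop\O0I14144.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct",
    r"Source: C:\Users\user\Desktop\O0I14144.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior",
]


@dataclass
class Triage:
    watched_processes: Set[str] = field(default_factory=set)   # names the sample looks for
    injection_chains: List[List[str]] = field(default_factory=list)
    long_sleeps_ms: List[int] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one flattened line into src, kind and detail; None if it is not a signature line."""
    m = _LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def api_chain(detail: str) -> List[str]:
    """'0_2_... Sleep,SleepEx,...,0_2_...' -> ['Sleep', 'SleepEx', ...] (function ids dropped)."""
    return [t.strip() for t in _ADDR_RE.sub("", detail).split(",") if t.strip()]


def triage(lines: Iterable[str]) -> Triage:
    """Reduce signature lines to the indicators a detection engineer acts on."""
    t = Triage()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind, detail = ev["kind"], ev["detail"]
        if kind == "Binary or memory string":
            for name in detail.split("#"):          # process lists are '#'-joined in this sample
                if name.lower().endswith(".exe"):
                    t.watched_processes.add(name.lower())
        elif kind == "Code function":
            chain = api_chain(detail)
            hits = INJECTION_APIS.intersection(chain)
            if len(hits) >= 3:                        # allocate + write + create thread present
                t.injection_chains.append(chain)
                t.findings.append("injection primitives resolved at runtime: " + ", ".join(sorted(hits)))
        elif kind == "Thread delayed":
            m = re.search(r"delay time:\s*(\d+)", detail)
            if m and int(m.group(1)) >= LONG_SLEEP_MS:
                t.long_sleeps_ms.append(int(m.group(1)))
        elif kind == "WMI Queries" and "AntivirusProduct" in detail:
            t.findings.append("security software discovery: root\\SecurityCenter2 AntivirusProduct query")
        elif kind == "Key value queried" and detail.endswith("MachineGuid"):
            t.findings.append("MachineGuid read: typical victim fingerprint / HWID input")
    if t.long_sleeps_ms:
        t.findings.append(f"long sleep(s) >= 3 min: {t.long_sleeps_ms}")
    return t


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print("watched processes:", sorted(result.watched_processes))
    for finding in result.findings:
        print("-", finding)
```

The watched-process set is the immediate hunting artifact: a sample that enumerates processes looking for taskmgr.exe, processhacker.exe or MsMpEng.exe and holds an OpenProcess handle (AntiProcess.cs above) is what a process-access detection on those targets should be tuned for.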

    Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.4484756612.0000017980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4484756612.000001798030F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR

    Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.4484756612.0000017980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4484756612.000001798030F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: O0I14144.exe PID: 1196, type: MEMORYSTR
MITRE ATT&CK Matrix

Techniques are listed per tactic in matrix order. A number in parentheses is the count of signatures that hit that technique; techniques without a number are the matrix template and were not observed for this sample.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); Native API (11); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation: Process Injection (2); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (2); Obfuscated Files or Information (11); DLL Side-Loading (1); Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (141); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (1); System Information Discovery (24)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery