
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583461
MD5: 76969acc42256771162be6f285de947c
SHA1: 071c5791d9ca1c2382450c6ef09432e12e8b3ca2
SHA256: 155854758b79cdee58f7df5c1a4a07d3b19b3d64a0a58b2e8faf6d8b67042f3c
Tags: NET, exe, MSIL, njrat, user-jstrosch

Detection

DcRat, JasonRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected DcRat
Yara detected JasonRAT
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Creates an autostart registry key pointing to binary in C:\Windows
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 4696, cmdline: "C:\Users\user\Desktop\file.exe", MD5: 76969ACC42256771162BE6F285DE947C)
    • Mxscspd_BelphegorShell.exe (PID: 4084, cmdline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe", MD5: 412A8BBC3366FEC40120821A598EA26F)
  • cleanup

Malware Configuration

JasonRAT configuration extracted from 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack. "AES_key" contains U+2620 (skull and crossbones), "Certificate" is a base64-encoded DER X.509 certificate and "ServerSignature" a base64-encoded 128-byte signature blob:

{
  "Server": "127.0.0.1,winner2025me.duckdns.org",
  "Ports": "7777",
  "Version": "JASON 2.1.1.0",
  "Autorun": "false",
  "Install_Folder": "AppData",
  "Install_File": "ScJlsrsfsks",
  "AES_key": "Jason\u2620LetThereBeCarnage",
  "Mutex": "Jason_CnzagnrahJcsdJcnzns",
  "AntiDetection": "null",
  "External_config_on_Pastebin": "false",
  "Startup_Delay": 1,
  "Certificate": "MIICRzCCAbCgAwIBAgIVANvS14Czjez/SMBBbB3uWUcyWLrFMA0GCSqGSIb3DQEBDQUAMHsxFTATBgNVBAMMDEphc29uIFNlcnZlcjEiMCAGA1UECwwZSmFzb27imKBMZXRUaGVyZUJlQ2FybmFnZTEkMCIGA1UECgwbSmFzb24g4pigIExldFRoZXJlQmVDYXJuYWdlMQswCQYDVQQHDAJTSDELMAkGA1UEBhMCQ04wHhcNMjQwMTExMjMxNjM2WhcNMzQxMDIwMjMxNjM2WjAQMQ4wDAYDVQQDDAVKYXNvbjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAjynhKPrWMiHM2a9rMcQru2BGPNnbfYw5w+W/mUM/lDUQ5E5yx5wWth03JiB+yflQvUkZ/3sDm/4JQfZxiqclLIAzkXrlBxhKbaLxcxa5slQJUaypWXxwdTTu2U2bgqrOINQFGqA4qGXWVqVelz75q5QEn3PVsM9ItRcx49FsqgsCAwEAAaMyMDAwHQYDVR0OBBYEFEhI7v6kRtjV16ycOMQ1r14L2GjJMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQENBQADgYEAFnxCg0+lHwa/Nkl7yer/lKO2aejOkcEGbtTxKgLGEpVClTuTTw4wQX8lc7gd0Ik5pL5VtO37O+Aj/Ysl71zgh3dd9gDKb9Uil7SP3WK2fbC/kETm++Pxi4vl4W3C6j1l9jtMOHmaNZem3Z+o+8bfkBbWtFDqp7Sul3yagpHaQzU=",
  "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=",
  "Group": "HOME"
}
Yara Overview

Dropped files:
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security

Memory dumps:
Source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: Process Memory Space: file.exe PID: 4696 | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
(2 further entries are collapsed in the report and not reproduced here)

Unpacked PEs:
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 0.2.file.exe.39c3d90.1.unpack | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
Source: 0.2.file.exe.3995570.2.unpack | Rule: JoeSecurity_JasonRAT | Description: Yara detected J asonRAT | Author: Joe Security
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack | Rule: JoeSecurity_JasonRAT | Description: Yara detected JasonRAT | Author: Joe Security
(4 further entries are collapsed in the report and not reproduced here)

System Summary

Sigma rule matches:

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 87.120.113.91, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Initiated: true, ProcessId: 4084, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49704
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: (empty in the report), EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, ProcessId: 4084, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScJlsrsfsks

Suricata IDS alerts:

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:14:02.195868+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 87.120.113.91 | 7777 | 192.168.2.5 | 49704 | TCP
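Added example (not Joe Sandbox's, Sysmon's or the Sigma project's code): the two Sigma-matched events above, re-implemented as plain Python detection logic and run over constructed Sysmon-style events. The field names follow the Data column above (EventID 3 network connection, EventID 13 registry SetValue); the values of the two events from PID 4084 are the ones the report recorded, the benign events are made up to show what must not fire, and the dynamic-DNS suffix list is a small sample. The logic is deliberately narrower than the upstream Sigma rules: a callback is flagged only when the initiating image lives in a user-writable directory and the destination is a non-standard port or a dynamic-DNS host, and a Run-key write is flagged only when it comes from such an image. The final step correlates both hits on one process ID, which is the pattern this report shows and also covers what the Networking and Boot Survival sections below list.

```python
import re

# Constructed Sysmon-style events. The two from PID 4084 carry the values the
# report recorded; the other three are made-up benign traffic and persistence.
EVENTS = [
    {"EventID": 3, "ProcessId": 4084, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe",
     "SourceIp": "192.168.2.5", "SourcePort": 49704,
     "DestinationIp": "87.120.113.91", "DestinationPort": 7777,
     "DestinationHostname": "winner2025me.duckdns.org"},
    {"EventID": 13, "ProcessId": 4084, "EventType": "SetValue",
     "Image": r"C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScJlsrsfsks",
     "Details": ""},  # the report shows no value data for this write
    {"EventID": 3, "ProcessId": 1234, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "SourceIp": "192.168.2.5", "SourcePort": 50001,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "www.example.com"},
    {"EventID": 3, "ProcessId": 2345, "Initiated": True, "Protocol": "tcp",
     "Image": r"C:\Users\user\AppData\Local\Temp\installer_update.exe",
     "SourceIp": "192.168.2.5", "SourcePort": 50002,
     "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "downloads.example.com"},
    {"EventID": 13, "ProcessId": 3456, "EventType": "SetValue",
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     "Details": r"C:\Windows\system32\SecurityHealthSystray.exe"},
]

USER_WRITABLE = re.compile(
    r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads|Users\\Public|ProgramData)\\", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.I)
# Sample of dynamic-DNS suffixes; a real deployment loads a maintained list.
DDNS_SUFFIXES = (".duckdns.org", ".no-ip.org", ".no-ip.com", ".ddns.net", ".hopto.org")
COMMON_PORTS = {80, 443, 8080, 8443, 53, 22, 25, 587, 993, 995}


def suspicious_callback(ev):
    """EventID 3: outbound connection from a user-writable path to a non-standard
    port or a dynamic-DNS host. Returns the list of reasons, or None."""
    if ev.get("EventID") != 3 or not ev.get("Initiated"):
        return None
    if not USER_WRITABLE.search(ev.get("Image", "")):
        return None
    reasons = []
    if ev.get("DestinationPort") not in COMMON_PORTS:
        reasons.append("non-standard destination port %d" % ev["DestinationPort"])
    host = ev.get("DestinationHostname", "").lower()
    if host.endswith(DDNS_SUFFIXES):
        reasons.append("dynamic DNS host " + host)
    return reasons or None


def autorun_modification(ev):
    """EventID 13: Run/RunOnce value written by an image in a user-writable path."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    if not RUN_KEY.search(ev.get("TargetObject", "")):
        return None
    if not USER_WRITABLE.search(ev.get("Image", "")):
        return None
    return ["autorun value %s" % ev["TargetObject"].rsplit("\\", 1)[-1]]


RULES = (("callback", suspicious_callback), ("autorun", autorun_modification))


def detect(events):
    """Run every rule over every event; one hit dict per (rule, event) match."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            reasons = rule(ev)
            if reasons:
                hits.append({"rule": name, "pid": ev["ProcessId"],
                             "image": ev["Image"], "reasons": reasons})
    return hits


def correlate(hits):
    """PIDs that both persisted and called out: the pattern seen in this report."""
    rules_by_pid = {}
    for hit in hits:
        rules_by_pid.setdefault(hit["pid"], set()).add(hit["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items()
                  if {"callback", "autorun"} <= rules)


if __name__ == "__main__":
    found = detect(EVENTS)
    for hit in found:
        print("%-8s pid=%d %s: %s" % (hit["rule"], hit["pid"], hit["image"],
                                      "; ".join(hit["reasons"])))
    print("persistence and callback on the same PID:", correlate(found))
```

The third and fourth sample events matter as much as the malicious ones: an updater in the same Temp directory talking to port 443 on an ordinary hostname produces no hit, and svchost writing its own Run value from System32 produces none either, so the image-location filter is what keeps the two rules from drowning in noise.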


AV Detection

Source: file.exe | Avira: detected
                        Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpackMalware Configuration Extractor: JasonRAT {"Server": "127.0.0.1,winner2025me.duckdns.org", "Ports": "7777", "Version": "JASON 2.1.1.0", "Autorun": "false", "Install_Folder": "AppData", "Install_File": "ScJlsrsfsks", "AES_key": "Jason\u2620LetThereBeCarnage", "Mutex": "Jason_CnzagnrahJcsdJcnzns", "AntiDetection": "null", "External_config_on_Pastebin": "false", "Startup_Delay": 1, "Certificate": "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", "ServerSignature": "PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=", "Group": "HOME"}
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | ReversingLabs: Detection: 52%
Source: file.exe | ReversingLabs: Detection: 39%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: 7777
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: 127.0.0.1,winner2025me.duckdns.org
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: JASON 2.1.1.0
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: Jason_CnzagnrahJcsdJcnzns
                        Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpackString decryptor: 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
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: PjTTtyMY2go0IqkgPP0auxgXaWgJgSfBrFldD2kTofVnrfY4Q95vIUygNkOfDvXg9exvugXRXULtJ8VIYdVAUyOCtJjL5nFEhxkiFTV+c2RYqmHMIDydwtPnsh4BRMNcgibqvLlT2WK6OP/jVV1EV8GVrduZ74e6ok24M2khfR0=
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: null
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: HOME
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack | String decryptor: false
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Desktop\desktop.ini

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.113.91:7777 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: winner2025me.duckdns.org
Source: unknown | DNS query: name: winner2025me.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 87.120.113.91:7777
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (four times)
Source: global traffic | DNS traffic detected: DNS query: winner2025me.duckdns.org
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291327110.000000001D935000.00000004.00000020.00020000.00000000.sdmp; Mxscspd_BelphegorShell.exe, 00000001.00000002.3291032924.000000001D830000.00000004.00000020.00020000.00000000.sdmp; 77EC63BDA74BD0D0E0426DC8F80085060.1.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3288869079.0000000001353000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en89k
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003D71000.00000004.00000800.00020000.00000000.sdmp; Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003E62000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara matches, by source:
  • Unpacked PEs: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, 0.2.file.exe.39c3d90.1.unpack, 0.2.file.exe.3995570.2.unpack, 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, 0.2.file.exe.39c3d90.1.raw.unpack, 0.2.file.exe.39957c0.0.unpack, 0.2.file.exe.39957c0.0.raw.unpack, 0.2.file.exe.3995570.2.raw.unpack
  • Memory dumps: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp
  • Process memory strings: file.exe (PID 4696), Mxscspd_BelphegorShell.exe (PID 4084)
  • Dropped file: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe

System Summary

Source: Mxscspd_BelphegorShell.exe.0.dr, Program.cs | Large array initialization: Main: array initializer size 180224
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code functions: 1_2_00007FF848F561C6, 1_2_00007FF848F59368, 1_2_00007FF848F4FBF0, 1_2_00007FF848F40D05, 1_2_00007FF848F415D1, 1_2_00007FF848F510A5, 1_2_00007FF848F56F72, 1_2_00007FF848F41A5E
Source: Mxscspd_BelphegorShell.exe.0.dr | Static PE information: No import functions for PE file found
Source: file.exe, 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAbezethibou64.exe" vs file.exe
Source: file.exe, 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMxscspd_BelphegorShell.exe4 vs file.exe
Source: file.exe, 00000000.00000002.2044783649.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000000.2039897335.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamewrapper_jre_offline.exeP vs file.exe
Source: file.exe | Binary or memory string: OriginalFilenamewrapper_jre_offline.exeP vs file.exe
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: file.exe, -.cs | Cryptographic APIs: 'TransformFinalBlock' (two occurrences)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@3/4@4/2
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Jason_CnzagnrahJcsdJcnzns (the Mutex field of the extracted configuration)
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
Source: file.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | ReversingLabs: Detection: 39%
Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
Source: C:\Users\user\Desktop\file.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), cryptsp.dll, rsaenh.dll, cryptbase.dll, uxtheme.dll, windows.storage.dll, wldp.dll, propsys.dll, dlnashext.dll, wpdshext.dll, profapi.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, userenv.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Sections loaded (in order): mscoree.dll, apphelp.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), wldp.dll, amsi.dll, userenv.dll, profapi.dll, windows.storage.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, iphlpapi.dll, winnsi.dll, sspicli.dll, msasn1.dll, uxtheme.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll, cryptnet.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, cabinet.dll, wbemcomn.dll, sxs.dll, devenum.dll, winmm.dll, ntmarta.dll, devobj.dll, msdmo.dll
The second list lines up with the rest of the report: secur32, schannel, ncrypt and ncryptsslp are the SChannel TLS stack behind the JA3S-fingerprinted connection to 87.120.113.91:7777 (cryptnet and the ctldl.windowsupdate.com strings are its trusted-root download), wbemcomn is the WMI client behind the antivirus/firewall product query, and devenum, winmm and msdmo are the DirectShow and multimedia components that fit the capture signatures.
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: file.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Mxscspd_BelphegorShell.exe.0.dr, Program.cs | .Net Code: LoadAndExecuteAssemblyInMemory System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9004B push edx; retf 0_2_04E90072
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9002C push ebx; retf 0_2_04E9004A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E901A4 push ebx; retf 0_2_04E901BA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_04E9026B push 3C00CB50h; retf 0_2_04E90292
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Code function: 1_2_00007FF848F4755E push ds; iretd 1_2_00007FF848F4755F
Source: file.exe | Static PE information: section name: .text entropy: 7.7525499842123144
Source: C:\Users\user\Desktop\file.exe | File created (dropped file): C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe

                        Boot Survival

                        barindex
Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ScJlsrsfsks
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2900000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Memory allocated: 4990000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Memory allocated: 1290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Memory allocated: 1BD70000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Window / User API: threadDelayed 1606
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Window / User API: threadDelayed 8229
Source: C:\Users\user\Desktop\file.exe TID: 6980 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6640 | Thread sleep count: 1606 > 30
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6532 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6568 | Thread sleep count: 8229 > 30
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe TID: 6752 | Thread sleep time: -22136092888451448s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Documents\desktop.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\Desktop\desktop.ini
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291579026.000000001DA02000.00000004.00000020.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3288869079.0000000001353000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DEA000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291381905.000000001D953000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managern
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF7000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DEA000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003DF3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                        Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.Mxscspd_BelphegorShell.exe.a10000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.Mxscspd_BelphegorShell.exe.12b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39c3d90.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.39957c0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.3995570.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4696, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, type: DROPPED
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291327110.000000001D935000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MsMpeng.exe
Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3291579026.000000001DA02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

                        Stealing of Sensitive Information

Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR

                        Remote Access Functionality

Source: Yara match | File source: Process Memory Space: Mxscspd_BelphegorShell.exe PID: 4084, type: MEMORYSTR
MITRE ATT&CK Matrix (techniques listed per tactic column; a number in parentheses is the count of matching signatures for that technique, techniques without a number had no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies

Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise

Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job

Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job

Privilege Escalation: Process Injection (12); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (11); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job

Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (12); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (12); Software Packing (12); DLL Side-Loading (1)

Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem

Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); File and Directory Discovery (2); System Information Discovery (13); System Owner/User Discovery

Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services

Collection: Archive Collected Data (11); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking

Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (21); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol

Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol

Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Sample:
Source   | Detection | Scanner        | Label
file.exe | 39%       | ReversingLabs  | Win32.Exploit.Generic
file.exe | 100%      | Avira          | HEUR/AGEN.1307423
file.exe | 100%      | Joe Sandbox ML |

Dropped files:
Source                                                       | Detection | Scanner        | Label
C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | 100%      | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe | 53%       | ReversingLabs  | ByteCode-MSIL.Trojan.AgentTesla
                        No Antivirus matches
                        No Antivirus matches
Source                   | Detection | Scanner         | Label
winner2025me.duckdns.org | 0%        | Avira URL Cloud | safe

Domains and IPs

Contacted Domains:
Name                        | IP              | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true   | false     |                     | high
winner2025me.duckdns.org    | 87.120.113.91   | true   | true      |                     | unknown

Contacted URLs:
Name                     | Malicious | Antivirus Detection   | Reputation
winner2025me.duckdns.org | true      | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries:
Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Source: Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003D71000.00000004.00000800.00020000.00000000.sdmp, Mxscspd_BelphegorShell.exe, 00000001.00000002.3289268084.0000000003E62000.00000004.00000800.00020000.00000000.sdmp | Malicious: false | Reputation: high
Contacted IPs:
IP            | Domain                   | Country       | ASN   | ASN Name                | Malicious
8.8.8.8       | unknown                  | United States | 15169 | GOOGLEUS                | false
87.120.113.91 | winner2025me.duckdns.org | Bulgaria      | 25206 | UNACS-AS-BG8000BurgasBG | true
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1583461
                              Start date and time:2025-01-02 20:13:01 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 5m 14s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:file.exe
                              Detection:MAL
                              Classification:mal100.troj.evad.winEXE@3/4@4/2
                              EGA Information:
                              • Successful, ratio: 50%
                              HCA Information:
                              • Successful, ratio: 94%
                              • Number of executed functions: 45
                              • Number of non-executed functions: 0
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                              • Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 13.107.246.45
                              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                              • Execution Graph export aborted for target file.exe, PID 4696 because it is empty
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: file.exe
Time | Type | Description
14:14:01 | API Interceptor | 1x Sleep call for process: Mxscspd_BelphegorShell.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
87.120.113.91 | 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91/image.exe
87.120.113.91 | LPO-0048532025.lnk | malicious | DarkVision Rat | 87.120.113.91/image.exe

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | iviewers.dll | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.214.172
bg.microsoft.map.fastly.net | wrcaf.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
bg.microsoft.map.fastly.net | iubn.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
bg.microsoft.map.fastly.net | rwvg1.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.210.172
bg.microsoft.map.fastly.net | ersyb.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.214.172
bg.microsoft.map.fastly.net | Hornswoggle.exe | malicious | GuLoader | 199.232.214.172
bg.microsoft.map.fastly.net | 8n26gvrXUM.exe | malicious | Unknown | 199.232.214.172
bg.microsoft.map.fastly.net | https://gldkzr-lpqw.buzz/script/ut.js?cb%5C=1735764124690 | malicious | Unknown | 199.232.210.172
bg.microsoft.map.fastly.net | 5fr5gthkjdg71.exe | malicious | Quasar, R77 RootKit | 199.232.214.172
bg.microsoft.map.fastly.net | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | 199.232.210.172

Match | Associated Sample Name / URL | Detection | Threat Name | Context
UNACS-AS-BG8000BurgasBG | 009274965.lnk | malicious | DarkVision Rat | 87.120.113.91
UNACS-AS-BG8000BurgasBG | hoEtvOOrYH.exe | malicious | SmokeLoader | 87.120.115.216
UNACS-AS-BG8000BurgasBG | rebirth.arm4t.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.spc.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.sh4.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.arm5.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.x86.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.ppc.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.arm6.elf | malicious | Gafgyt | 87.120.113.63
UNACS-AS-BG8000BurgasBG | rebirth.m68.elf | malicious | Gafgyt | 87.120.113.63
                              No context
                              No context
                              Process:C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
                              File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                              Category:dropped
                              Size (bytes):71954
                              Entropy (8bit):7.996617769952133
                              Encrypted:true
                              SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                              MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                              SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                              SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                              SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                              Process:C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):328
                              Entropy (8bit):3.253995428229512
                              Encrypted:false
                              SSDEEP:6:kKz9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:iDImsLNkPlE99SNxAhUe/3
                              MD5:1AA3272D53B554F8EB4E3186C994B69D
                              SHA1:B361BB9EAC9B65949B50F176E97FF1461EB480A9
                              SHA-256:9008EA54347D7A5DB2E0E113F9F33A34035A0CF7D954D50E03C5BA4496E0CE22
                              SHA-512:964D5E2222E2DA9734D61F0BEB31DABB9E40D84AAAF5F86A8D25191068E446741539408F18D5F9763A012F28A1F30A0EF607663AB2E3B01A0595C12A42976B18
                              Malicious:false
                              Reputation:low
                              Preview:p...... ..........y{J]..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:CSV text
                              Category:dropped
                              Size (bytes):226
                              Entropy (8bit):5.360398796477698
                              Encrypted:false
                              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
                              MD5:3A8957C6382192B71471BD14359D0B12
                              SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
                              SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
                              SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
                              Malicious:true
                              Reputation:high, very likely benign file
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
                              Process:C:\Users\user\Desktop\file.exe
                              File Type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):190464
                              Entropy (8bit):5.655415027243687
                              Encrypted:false
                              SSDEEP:3072:vXpgDh/4L28y4UBQ9bwD9wb651a0UlDRvznBf+gk:Vry4UBQ9bX651aXxR+
                              MD5:412A8BBC3366FEC40120821A598EA26F
                              SHA1:171CC5CF93880517BA70B59C3A26FC9B249BC02D
                              SHA-256:D918B089C7CCE51352C6BCB6C3851FBF420884221BB30254179C55C42929F466
                              SHA-512:2890B21770E6C8FD432AEC2193462C19229AD9AE9E2E873784720FB40A46FFD927B58258D76D4FA38B3825A76CD2DD24F2179730783AC3FE6DA24BCBEAAF8047
                              Malicious:true
                              Yara Hits:
                              • Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Author: Joe Security
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 53%
                              Reputation:low
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...hdng.........."...................... .....@..... ....................... ............@...@......@............... ............................................................................................................................... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..BH...............................................................................MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...v.o..........."...0.................. .....@..... ....................................@...@......@............... ............................................................................................................................... ..H............text...4.... ..
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.638702692097853
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:file.exe
                              File size:286'720 bytes
                              MD5:76969acc42256771162be6f285de947c
                              SHA1:071c5791d9ca1c2382450c6ef09432e12e8b3ca2
                              SHA256:155854758b79cdee58f7df5c1a4a07d3b19b3d64a0a58b2e8faf6d8b67042f3c
                              SHA512:c6a687236323e2ea70c89f3ad38a80d8be179ebf281ff2b5b39db9f9a3ecab67eb9ec8237df82464566d0c7fa952e5d9dfa171b61a7f1b3abeb4897f54769f52
                              SSDEEP:6144:U5nFOwQLKFIkwMs+OZBH/5kA5wJEGrNTxhd:UJFOZKFIk2ZBf5kA+JE6h
                              TLSH:7154E07EF245AE91C65D8A7384D7E83613B5DCAE8593E34E30E8353105B33EA0046E9B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...g.vg................................. ........@.. ....................................@................................
                              Icon Hash:d08c8e8ea2868a54
                              Entrypoint:0x43fc8b
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x67760267 [Thu Jan 2 03:05:11 2025 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: zero-byte padding after the entry stub, decoded as instructions)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3fc41 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x40000 | 0x7d18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x3dc91 | 0x3de00 | be00ba236e84578e223b1173c30b8f09 | False | 0.7859296085858586 | data | 7.7525499842123144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x40000 | 0x7d18 | 0x7e00 | 918509519b072686227a93f0492951a9 | False | 0.34759424603174605 | data | 5.884923281729306 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0xc | 0x200 | 7fbb61b20dd594194e8c38485aabe777 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x400c4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 0 | English | United States | 0.21890243902439024
RT_ICON | 0x40750 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | United States | 0.3400537634408602
RT_ICON | 0x40a5c | 0x1e8 | Device independent bitmap graphic, 24 x 48 x 4, image size 0 | English | United States | 0.35450819672131145
RT_ICON | 0x40c68 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | United States | 0.46283783783783783
RT_ICON | 0x40db4 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | United States | 0.5026652452025586
RT_ICON | 0x41c80 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | United States | 0.5798736462093863
RT_ICON | 0x4254c | 0x6c8 | Device independent bitmap graphic, 24 x 48 x 8, image size 0 | English | United States | 0.40264976958525345
RT_ICON | 0x42c38 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | United States | 0.3273121387283237
RT_ICON | 0x431c4 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.27344398340248965
RT_ICON | 0x45790 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.37875234521575984
RT_ICON | 0x4685c | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 0 | English | United States | 0.37868852459016394
RT_ICON | 0x47208 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.4796099290780142
RT_GROUP_ICON | 0x476ac | 0xae | data | English | United States | 0.5977011494252874
RT_VERSION | 0x47796 | 0x35c | data | English | United States | 0.4755813953488372
RT_MANIFEST | 0x47b2e | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | English | United States | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain

Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-02T20:14:02.195868+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 87.120.113.91 | 7777 | 192.168.2.5 | 49704 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:14:01.379029036 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:01.383846045 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:01.383945942 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:01.400010109 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:01.404804945 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:02.185301065 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:02.191057920 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:02.195868015 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:02.367734909 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:02.419197083 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:03.551254034 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:03.556164980 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:03.556217909 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:03.560991049 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:14.959703922 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:14.964713097 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:14.964814901 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:14.969571114 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:15.263408899 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:15.309828043 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:15.394859076 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:15.434983969 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:26.358086109 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:26.362925053 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:26.363883972 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:26.368664980 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:26.675950050 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:26.716252089 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:26.799747944 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:26.841099024 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:37.763591051 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:37.768320084 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:37.768379927 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:37.773216963 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:38.096590042 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:38.153585911 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:38.221914053 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:38.262952089 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:49.169670105 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:49.174635887 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:49.174743891 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:49.179577112 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:49.479302883 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:49.528523922 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:14:49.612181902 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:14:49.669166088 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:00.575818062 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:00.580912113 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:00.581012011 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:00.585863113 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:00.900336027 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:00.950438023 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:01.034948111 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:01.075571060 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:11.997792959 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:12.002756119 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:12.002859116 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:12.007597923 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:12.309508085 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:12.356694937 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:12.441042900 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:12.497256041 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:23.388670921 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:23.393526077 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:23.393623114 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:23.398469925 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:23.708152056 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:23.762868881 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:23.831518888 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:23.872361898 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:34.794539928 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:34.799428940 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:34.799490929 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:34.804239035 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:35.106250048 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:35.153528929 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:35.238431931 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
Jan 2, 2025 20:15:35.294157982 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:46.241620064 CET | 49704 | 7777 | 192.168.2.5 | 87.120.113.91
Jan 2, 2025 20:15:46.246479988 CET | 7777 | 49704 | 87.120.113.91 | 192.168.2.5
                              Jan 2, 2025 20:15:46.246546984 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:46.251359940 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:46.540797949 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:46.590958118 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:46.661737919 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:46.716011047 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:57.653762102 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:57.658647060 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:57.658714056 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:57.663446903 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:57.967681885 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:58.012890100 CET497047777192.168.2.587.120.113.91
                              Jan 2, 2025 20:15:58.098320961 CET77774970487.120.113.91192.168.2.5
                              Jan 2, 2025 20:15:58.153625011 CET497047777192.168.2.587.120.113.91
UDP packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 2, 2025 20:13:57.254897118 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:13:58.247528076 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:13:59.263191938 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:14:01.263308048 CET | 56738 | 53 | 192.168.2.5 | 1.1.1.1
Jan 2, 2025 20:14:01.373661041 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:14:01.373677969 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:14:01.373686075 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
Jan 2, 2025 20:14:01.373693943 CET | 53 | 56738 | 1.1.1.1 | 192.168.2.5
ICMP packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 2, 2025 20:13:55.197978020 CET | 192.168.2.5 | 8.8.8.8 | 4d5a | Echo
Jan 2, 2025 20:13:55.204114914 CET | 8.8.8.8 | 192.168.2.5 | 555a | Echo Reply
DNS queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 2, 2025 20:13:57.254897118 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:13:58.247528076 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:13:59.263191938 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:01.263308048 CET | 192.168.2.5 | 1.1.1.1 | 0xb1a5 | Standard query (0) | winner2025me.duckdns.org | A (IP address) | IN (0x0001) | false
DNS answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 2, 2025 20:14:01.373661041 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:01.373677969 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:01.373686075 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:01.373693943 CET | 1.1.1.1 | 192.168.2.5 | 0xb1a5 | No error (0) | winner2025me.duckdns.org | | 87.120.113.91 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:02.459532022 CET | 1.1.1.1 | 192.168.2.5 | 0x9af0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 2, 2025 20:14:02.459532022 CET | 1.1.1.1 | 192.168.2.5 | 0x9af0 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false


Target ID: 0
Start time: 14:13:51
Start date: 02/01/2025
Path: C:\Users\user\Desktop\file.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\file.exe"
Imagebase: 0x6a0000
File size: 286'720 bytes
MD5 hash: 76969ACC42256771162BE6F285DE947C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000000.00000002.2046836359.0000000003995000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: true

Target ID: 1
Start time: 14:13:51
Start date: 02/01/2025
Path: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe"
Imagebase: 0xa10000
File size: 190'464 bytes
MD5 hash: 412A8BBC3366FEC40120821A598EA26F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000000.2043885584.0000000000A12000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
• Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000002.3288838962.00000000012B0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: 00000001.00000002.3290754458.0000000013D71000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_JasonRAT, Description: Yara detected JasonRAT, Source: C:\Users\user\AppData\Local\Temp\Mxscspd_BelphegorShell.exe, Author: Joe Security
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 53%, ReversingLabs
Reputation: low
Has exited: false
