Windows Analysis Report
xutnF2gKGTTy.exe

Overview

General Information

Sample name: xutnF2gKGTTy.exe
Analysis ID: 1426953
MD5: aa603e3b55b1c895bd213d06fcbced27
SHA1: ae1a724079ffc4a470a1e41ac07770489c90261b
SHA256: 14c66a0b3a199d38a236bed7780258d84c8a3cf335f9397769dc06a17d5707e0
Tags: AsyncRAT, exe

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • xutnF2gKGTTy.exe (PID: 2300 cmdline: "C:\Users\user\Desktop\xutnF2gKGTTy.exe" MD5: AA603E3B55B1C895BD213D06FCBCED27)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Ports": ["8887"], "Server": ["bypass-asyn.4cloud.click"], "Mutex": "AsyncMutex_654I8OkPnk", "Certificate": "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", "Server Signature": "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"}
Source | Rule | Description | Author | Strings
xutnF2gKGTTy.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
xutnF2gKGTTy.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
xutnF2gKGTTy.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd168:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x995a:$a3: get_ActivatePong
  • 0xd380:$a4: vmware
  • 0xd1f8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa95f:$a6: get_SslClient
xutnF2gKGTTy.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd1fa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x532:$x1: AsyncRAT
  • 0x570:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
00000000.00000002.4525849156.00000000007DC000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x154fb:$x1: AsyncRAT
  • 0x15539:$x1: AsyncRAT
  • 0x1620f:$x1: AsyncRAT
  • 0x1624d:$x1: AsyncRAT
00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf68:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x975a:$a3: get_ActivatePong
  • 0xd180:$a4: vmware
  • 0xcff8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa75f:$a6: get_SslClient
00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xcffa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4525849156.00000000007A1000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x244b3:$x1: AsyncRAT
  • 0x244f1:$x1: AsyncRAT
Source | Rule | Description | Author | Strings
0.0.xutnF2gKGTTy.exe.350000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.xutnF2gKGTTy.exe.350000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.xutnF2gKGTTy.exe.350000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd168:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x995a:$a3: get_ActivatePong
  • 0xd380:$a4: vmware
  • 0xd1f8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa95f:$a6: get_SslClient
0.0.xutnF2gKGTTy.exe.350000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd1fa:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
            No Sigma rule has matched
Timestamp: 04/16/24-19:50:55.737485
SID: 2030673
Source Port: 8887
Destination Port: 49699
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/16/24-19:50:55.737485
SID: 2035595
Source Port: 8887
Destination Port: 49699
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: xutnF2gKGTTy.exe | Avira: detected
Source: xutnF2gKGTTy.exe | Malware Configuration Extractor: AsyncRAT {"Ports": ["8887"], "Server": ["bypass-asyn.4cloud.click"], "Mutex": "AsyncMutex_654I8OkPnk", "Certificate": "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", "Server Signature": "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"}
Source: xutnF2gKGTTy.exe | ReversingLabs: Detection: 76%
Source: xutnF2gKGTTy.exe | Joe Sandbox ML: detected
Source: xutnF2gKGTTy.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xutnF2gKGTTy.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 46.246.4.3:8887 -> 192.168.2.6:49699
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 46.246.4.3:8887 -> 192.168.2.6:49699
Source: Yara match | File source: xutnF2gKGTTy.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49699 -> 46.246.4.3:8887
Source: Joe Sandbox View | ASN Name: PORTLANEwwwportlanecomSE
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | DNS traffic detected: queries for: bypass-asyn.4cloud.click
Source: xutnF2gKGTTy.exe, 00000000.00000002.4527348140.0000000004C49000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.microsoft.
Source: xutnF2gKGTTy.exe, 00000000.00000002.4525849156.0000000000788000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: xutnF2gKGTTy.exe, 00000000.00000002.4525849156.0000000000825000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: xutnF2gKGTTy.exe, 00000000.00000002.4525849156.0000000000825000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab35
Source: xutnF2gKGTTy.exe, 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: xutnF2gKGTTy.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR

            System Summary

Source: xutnF2gKGTTy.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: xutnF2gKGTTy.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4525849156.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4525849156.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Code function: 0_2_06D21B10
Source: xutnF2gKGTTy.exe, 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs xutnF2gKGTTy.exe
Source: xutnF2gKGTTy.exe, 00000000.00000002.4527655613.00000000050E9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs xutnF2gKGTTy.exe
Source: xutnF2gKGTTy.exe | Binary or memory string: OriginalFilenameStub.exe" vs xutnF2gKGTTy.exe
Source: xutnF2gKGTTy.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xutnF2gKGTTy.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: xutnF2gKGTTy.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4525849156.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4525849156.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: xutnF2gKGTTy.exe, ltlqhPxzNDpHqE.cs | Base64 encoded strings found in the sample (encoded values omitted)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_654I8OkPnk
Source: xutnF2gKGTTy.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: xutnF2gKGTTy.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: xutnF2gKGTTy.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: xutnF2gKGTTy.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: xutnF2gKGTTy.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

Source: xutnF2gKGTTy.exe, EybCwjhMQKAON.cs | .Net Code: rShOdjvSitwnmbEW System.AppDomain.Load(byte[])
Source: xutnF2gKGTTy.exe, CjEvTYmCNpMO.cs | High entropy of concatenated method names: 'LUherXtfcfplmAS', 'CMGorpgAGGVeL', 'KkwuChRWKI', 'LeZDjxanSYhkC', 'uelguZDHwl', 'eJskNxGuXNJB', 'BWbAmOSZPz', 'rlqFAucPRevFA', 'yuTPdTFOXlH', 'GZltCIHtgTjdw'
Source: xutnF2gKGTTy.exe, ITrjsxjbkldE.cs | High entropy of concatenated method names: 'OWljoHyTnIa', 'MiveUdfFRBOc', 'fifeXbHKfIaemzb', 'TqklDENIWrMZM', 'gldUBUrJTbFo', 'QIylBmSgLsKoO', 'SAjbtaIDqfkIpi', 'zCObrnJCBsVLwf', 'FmbNGlVDflm', 'BveAuhCpsnpDjhRp'

            Boot Survival

Source: Yara match | File source: xutnF2gKGTTy.exe, type: SAMPLE
Source: Yara match | File source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: Yara match, file source: xutnF2gKGTTy.exe, type: SAMPLE
Source: Yara match, file source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR
Source: xutnF2gKGTTy.exe, binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, memory allocated: 2480000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, memory allocated: 2630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, memory allocated: 4630000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, Window / User API: threadDelayed 1836
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, Window / User API: threadDelayed 7997
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe TID: 3960, thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe TID: 1472, thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe TID: 1472, thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe TID: 972, thread sleep count: 1836 > 30
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe TID: 972, thread sleep count: 7997 > 30
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, file volume queried: C:\ FullSizeInformation
Source: xutnF2gKGTTy.exe, binary or memory string: vmware
Source: xutnF2gKGTTy.exe, 00000000.00000002.4525849156.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, xutnF2gKGTTy.exe, 00000000.00000002.4527402250.0000000004C60000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAW
Source: xutnF2gKGTTy.exe, 00000000.00000002.4527348140.0000000004C42000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAWb
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, process information queried: ProcessInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, process token adjusted: Debug
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, memory allocated: page read and write | page guard
Source: xutnF2gKGTTy.exe, 00000000.00000002.4527348140.0000000004BF0000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Program Manager
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, queries volume information: C:\Users\user\Desktop\xutnF2gKGTTy.exe VolumeInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match, file source: xutnF2gKGTTy.exe, type: SAMPLE
Source: Yara match, file source: 0.0.xutnF2gKGTTy.exe.350000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, file source: Process Memory Space: xutnF2gKGTTy.exe PID: 2300, type: MEMORYSTR
Source: C:\Users\user\Desktop\xutnF2gKGTTy.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
ATT&CK techniques per tactic column (a leading number is the count shown next to the technique in the matrix; entries without a number carry no count):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 1 Scheduled Task/Job; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 1 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 1 Process Injection; 11 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 1 Query Registry; 111 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
xutnF2gKGTTy.exe | 76% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
xutnF2gKGTTy.exe | 100% | Avira | TR/Dropper.Gen
xutnF2gKGTTy.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | unknown
bypass-asyn.4cloud.click | 46.246.4.3 | true | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | xutnF2gKGTTy.exe, 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft. | xutnF2gKGTTy.exe, 00000000.00000002.4527348140.0000000004C49000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
                    • No. of IPs < 25%
                    • 25% < No. of IPs < 50%
                    • 50% < No. of IPs < 75%
                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
46.246.4.3 | bypass-asyn.4cloud.click | Sweden | 42708 | PORTLANEwwwportlanecomSE | true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1426953
Start date and time: 2024-04-16 19:50:04 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: xutnF2gKGTTy.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 1
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: xutnF2gKGTTy.exe
Time | Type | Description
19:50:56 | API Interceptor | 10156060x Sleep call for process: xutnF2gKGTTy.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
46.246.4.3 | bJk7.exe | malicious | Njrat |
 | lekojaxote.exe | malicious | Remcos |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
bg.microsoft.map.fastly.net | hta.hta | malicious | Unknown | 199.232.214.172
 | 2.hta | malicious | Unknown | 199.232.214.172
 | http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?No5zl=ZGFuQHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20= | malicious | HTMLPhisher | 199.232.210.172
 | https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176 | malicious | Phisher | 199.232.210.172
 | ujMoHKBIfN.exe | malicious | DarkCloud | 199.232.210.172
 | Shipping_Invoces_xls_0000000.vbs | malicious | GuLoader | 199.232.214.172
 | Swift_documents&Advice.vbs | malicious | GuLoader | 199.232.214.172
 | JUSTIFICANTE DE PAGO.vbs | malicious | Unknown | 199.232.210.172
 | Shipping_Invoces_xls_00000000.vbs | malicious | GuLoader | 199.232.214.172
 | KqWnIt1164.exe | malicious | PureLog Stealer, Vidar, zgRAT | 199.232.214.172

Match | Associated Sample Name / URL | Detection | Threat Name | Context
PORTLANEwwwportlanecomSE | 8ubQTzsAqG.exe | malicious | Unknown | 185.117.88.39
 | 8ubQTzsAqG.exe | malicious | Unknown | 185.117.88.39
 | ODOCVzwXq5.elf | malicious | Mirai | 195.190.218.30
 | bSRh.exe | malicious | XWorm | 46.246.86.13
 | xjwP3UYA8ujq.exe | malicious | AsyncRAT, DcRat | 46.246.82.6
 | x6Xw7vcuD9zM.exe | malicious | Njrat | 46.246.14.23
 | xw8oKxLrOnt6.exe | malicious | Remcos | 46.246.14.10
 | xde47dUIgZDh.exe | malicious | AsyncRAT | 46.246.6.20
 | x7CwEiB9bHEP.exe | malicious | Njrat | 46.246.6.20
 | x5gJuYmvL7m2.exe | malicious | Njrat | 46.246.82.18
                        No context
                        No context
Process: C:\Users\user\Desktop\xutnF2gKGTTy.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 69993
Entropy (8bit): 7.99584879649948
Encrypted: true
SSDEEP: 1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5: 29F65BA8E88C063813CC50A4EA544E93
SHA1: 05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256: 1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512: E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious: false
Reputation: moderate, very likely benign file
                        Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
Process: C:\Users\user\Desktop\xutnF2gKGTTy.exe
File Type: data
Category: dropped
Size (bytes): 330
Entropy (8bit): 3.2361171502523645
Encrypted: false
SSDEEP: 6:kKFq1/SlEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:tDlbkPlE99SNxAhUeVLVt
MD5: CA87D8B6A1FC6DA1CB9FC3462AA59572
SHA1: F0CB76EFF3C551058D65AB8A128C840926714DBE
SHA-256: 613075438230619DC509530FAC3FE29FE839482C9DC84E7AF63A0715636806F0
SHA-512: 2C55ED8C3BF6AD664D7C6A99BF81F68EAB254E7D6515238368FE102958147D7E83C30BE773B8E66AF9817864127E3093CDBF292D51A73ADAD2A8115C1D16AF54
Malicious: false
Reputation: low
                        Preview:p...... ...........&...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.51045137452515
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: xutnF2gKGTTy.exe
File size: 67'584 bytes
MD5: aa603e3b55b1c895bd213d06fcbced27
SHA1: ae1a724079ffc4a470a1e41ac07770489c90261b
SHA256: 14c66a0b3a199d38a236bed7780258d84c8a3cf335f9397769dc06a17d5707e0
SHA512: 4599b186be519485188ca3a7b9b1a6f4eb750f14327d37cc4de72284e117f2f42dbde9aeae737b522d4431f27fe1aa7336bc02ae03e6e378bb30d24f727296fa
SSDEEP: 1536:e2wukvF1ak9gcKu5UYFy64UmzbLbjVMonXdgqHirPlTGRx:e2dkvF1ak9Ku5UYFy64UcbLbjDCdix
TLSH: CE6307053BE98019F3BE8F7469F6658506F9F56F2D02C91D1D8950CE0632BC29A81BFB
                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vjzd................................. ... ....@.. .......................`............`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x411a9e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x647A6A76 [Fri Jun 2 22:17:26 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                        Instruction
                        jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11a44 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfaa4 | 0xfc00 | 6c2a31d1a6016e072cb899adc7e11054 | False | 0.49744233630952384 | data | 5.549549488549433 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | 4e3b5fe3b74d69569d57353c0a581ccd | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2cc | data | | | 0.43575418994413406
RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
04/16/24-19:50:55.737485 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 8887 | 49699 | 46.246.4.3 | 192.168.2.6
04/16/24-19:50:55.737485 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 8887 | 49699 | 46.246.4.3 | 192.168.2.6
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                        Apr 16, 2024 19:51:43.599524021 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:50.062897921 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:50.527903080 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:50.527967930 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:50.947880030 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:50.999948978 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:51.419147968 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:51.421381950 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:51.894733906 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:51.894794941 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:52.369091988 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:58.781847000 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:59.246376991 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:59.246505976 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:51:59.669200897 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:51:59.718703032 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:00.136168957 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:00.140243053 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:00.602514982 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:00.602724075 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:01.077090979 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:07.500473022 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:07.972691059 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:07.972770929 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:08.392117977 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:08.437437057 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:08.857985973 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:08.859963894 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:09.340344906 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:09.343751907 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:09.814584017 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:12.184092045 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:12.234344959 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:12.654905081 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:12.703073025 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:16.220237970 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:16.691085100 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:16.691214085 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:17.110486984 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:17.296824932 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:17.675784111 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:17.675862074 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:17.677562952 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:17.719095945 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:17.719188929 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:18.137392044 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:18.139638901 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:18.608593941 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:24.937834024 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:25.406692982 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:25.406771898 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:25.827661037 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:25.874974966 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:26.294610023 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:26.296370029 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:26.761295080 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:26.761811972 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:27.232647896 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:29.113945961 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:29.587898970 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:29.587964058 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:30.007324934 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:30.062465906 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:30.156629086 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:30.481832027 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:30.481970072 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:30.624609947 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:30.624790907 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:30.901989937 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:30.902101040 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:31.043303967 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:31.048929930 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:31.507709026 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:31.507769108 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:31.969213963 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:34.562896967 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:35.035170078 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:35.035254002 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:35.455096006 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:35.499958038 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:35.920270920 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:35.922426939 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:36.390585899 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:36.392146111 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:36.860260963 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:42.180731058 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:42.234357119 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:42.328562021 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:42.652837992 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:42.653105974 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:42.797812939 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:43.087848902 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:43.141824007 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:43.559366941 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:43.561316967 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:44.021981955 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:44.022087097 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:44.481508017 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:51.047307968 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:51.522547960 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:51.522604942 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:51.943061113 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:51.984400988 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:52.403722048 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:52.412138939 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:52.879652977 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:52.879842997 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:52:53.353343010 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:52:59.765944958 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:00.232831001 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:00.232892990 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:00.653179884 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:00.703128099 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:01.121939898 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:01.123681068 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:01.593825102 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:01.593888998 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:02.054132938 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:08.484867096 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:08.949426889 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:08.949556112 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:09.370503902 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:09.422332048 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:09.850497007 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:09.852869987 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:10.325335026 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:10.325407982 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:10.785336018 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:12.174163103 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:12.218820095 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:12.636426926 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:12.687493086 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:17.203684092 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:17.671525002 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:17.671587944 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:18.090049982 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:18.140683889 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:18.583637953 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:18.586157084 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:19.059483051 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:19.059699059 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:19.532056093 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:19.938069105 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:20.398298979 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:20.398473024 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:20.821163893 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:20.875608921 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:21.295226097 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:21.304833889 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:21.774669886 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:21.774734020 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:22.244750023 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:28.547751904 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:29.012180090 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:29.012577057 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:29.440157890 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:29.484401941 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:29.904313087 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:29.906183958 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:30.372721910 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:30.372805119 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:30.833848000 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:37.266897917 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:37.730417013 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:37.730480909 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:38.151226997 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:38.203421116 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:38.621715069 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:38.628861904 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:39.102828979 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:39.104188919 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:39.574600935 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:39.953843117 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:40.426851034 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:40.426948071 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:40.846905947 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:40.890938997 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:41.310755968 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:41.312365055 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:41.784509897 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:41.784575939 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:42.179894924 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:42.204118967 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:42.204235077 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:42.627624989 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:43.095647097 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:43.095813990 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:43.515748024 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:43.562556028 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:43.981645107 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:43.984150887 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:44.454974890 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:44.455044985 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:44.927421093 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:46.547636032 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:47.011778116 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:47.011991978 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:47.431663990 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:47.431823969 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:47.851922989 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:47.853996038 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:48.274194002 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:48.274281025 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:48.759282112 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:48.759763956 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:49.231838942 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:56.047275066 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:56.512856960 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:56.513124943 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:56.932712078 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:56.984411001 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:57.404192924 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:57.406383038 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:57.880848885 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:53:57.880940914 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:53:58.351871967 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:04.766217947 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:05.239438057 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:05.239578962 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:05.659476042 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:05.703300953 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:06.123970985 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:06.138840914 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:06.611120939 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:06.611248016 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:07.084150076 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:12.181308031 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:12.265789986 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:12.686547995 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:12.734405041 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:13.245971918 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:13.246181965 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:13.484980106 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:13.948844910 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:13.949050903 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:14.371997118 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:14.421941042 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:14.841598988 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:14.843712091 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:15.315356970 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:15.315447092 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:15.736413002 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:15.783776999 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:16.202768087 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:16.208950043 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:16.679699898 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:16.679786921 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:17.141674042 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:17.484745026 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:17.946785927 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:17.946939945 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:18.381320953 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:18.439681053 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:18.859738111 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:18.861550093 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:19.334425926 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:19.334686995 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:19.808695078 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:25.672415972 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:26.144226074 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:26.144551992 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:26.564739943 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:26.609421968 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:27.029059887 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:27.030644894 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:27.500258923 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:27.500340939 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:27.972848892 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:31.360138893 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:31.824913025 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:31.827860117 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:32.247711897 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:32.247849941 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:32.693614960 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:32.695645094 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:33.115113020 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:33.115248919 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:33.535571098 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:33.535799026 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:33.955149889 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:33.957318068 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:34.421252012 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:34.421385050 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:34.894196033 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:41.675684929 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:42.136687994 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:42.136859894 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:42.184593916 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:42.235682011 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:42.557807922 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:42.609452009 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:42.655219078 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:42.657233000 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:43.121555090 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:43.121625900 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:43.588877916 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:50.391694069 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:50.856929064 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:50.857017040 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:51.276485920 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:51.328221083 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:51.746712923 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:51.755512953 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:52.230508089 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:52.230613947 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:52.694210052 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:56.047522068 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:56.523479939 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:56.523571014 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:56.944200993 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:56.946731091 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:57.366079092 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:57.366908073 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:57.786772966 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:57.787018061 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:58.256066084 CEST88874969946.246.4.3192.168.2.6
                        Apr 16, 2024 19:54:58.256171942 CEST496998887192.168.2.646.246.4.3
                        Apr 16, 2024 19:54:58.716238976 CEST88874969946.246.4.3192.168.2.6
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Apr 16, 2024 19:50:54.623481989 CEST  61077  53  192.168.2.6  1.1.1.1
Apr 16, 2024 19:50:54.873590946 CEST  53  61077  1.1.1.1  192.168.2.6

Timestamp  Source IP  Dest IP  Trans ID  OP Code  Name  Type  Class  DNS over HTTPS
Apr 16, 2024 19:50:54.623481989 CEST  192.168.2.6  1.1.1.1  0x2950  Standard query (0)  bypass-asyn.4cloud.click  A (IP address)  IN (0x0001)  false

Timestamp  Source IP  Dest IP  Trans ID  Reply Code  Name  CName  Address  Type  Class  DNS over HTTPS
Apr 16, 2024 19:50:54.873590946 CEST  1.1.1.1  192.168.2.6  0x2950  No error (0)  bypass-asyn.4cloud.click  (none)  46.246.4.3  A (IP address)  IN (0x0001)  false
Apr 16, 2024 19:50:56.384392977 CEST  1.1.1.1  192.168.2.6  0x1d56  No error (0)  bg.microsoft.map.fastly.net  (none)  199.232.210.172  A (IP address)  IN (0x0001)  false
Apr 16, 2024 19:50:56.384392977 CEST  1.1.1.1  192.168.2.6  0x1d56  No error (0)  bg.microsoft.map.fastly.net  (none)  199.232.214.172  A (IP address)  IN (0x0001)  false


                        Target ID: 0
                        Start time: 19:50:49
                        Start date: 16/04/2024
                        Path: C:\Users\user\Desktop\xutnF2gKGTTy.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\xutnF2gKGTTy.exe"
                        Imagebase: 0x350000
                        File size: 67'584 bytes
                        MD5 hash: AA603E3B55B1C895BD213D06FCBCED27
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4525849156.00000000007DC000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2064150046.0000000000352000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4525849156.00000000007A1000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4526441289.0000000002631000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                        Reputation: low
                        Has exited: false


                          Execution Graph

                          Execution Coverage: 6.7%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 48
                          Total number of Limit Nodes: 5

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 02487CFE
                          • GetCurrentThread.KERNEL32 ref: 02487D3B
                          • GetCurrentProcess.KERNEL32 ref: 02487D78
                          • GetCurrentThreadId.KERNEL32 ref: 02487DD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: 38c612b94d599f0af003b5954c8da9e4bc90f932b0176157913f021497ea76f1
                          • Instruction ID: 570ce5c33fe4840c4bbb5e7548d3e5d9474208ad37d2b80179df67e36d983034
                          • Opcode Fuzzy Hash: 38c612b94d599f0af003b5954c8da9e4bc90f932b0176157913f021497ea76f1
                          • Instruction Fuzzy Hash: 9C5155B09007498FEB14DFA9D588BEEFBF1EF48314F20849AD509A73A0D774A944CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 02487CFE
                          • GetCurrentThread.KERNEL32 ref: 02487D3B
                          • GetCurrentProcess.KERNEL32 ref: 02487D78
                          • GetCurrentThreadId.KERNEL32 ref: 02487DD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0
                          • Opcode ID: ce7149c714a27f9de3403ca31c6c0396fd6c1fbeba67b651d4a987a6551bbfad
                          • Instruction ID: efedcadd1f9a025dcbe8341fff01b8f740edbf49982b7b1a07d6b43e99caecfa
                          • Opcode Fuzzy Hash: ce7149c714a27f9de3403ca31c6c0396fd6c1fbeba67b651d4a987a6551bbfad
                          • Instruction Fuzzy Hash: 7F5155B09007498FEB14DFA9D548BEEFBF1EB48314F20845AD509A73A0D774A844CB65
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4529857240.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6d20000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 4547d734cd4ef42a0c8a2b78db949d00a306eb5e7ce8dbf40fec28ac490392f0
                          • Instruction ID: 778e4b8ef85a1528fd3e7182d9e3d7498c43228cddd7d0822f56c0170f8e64ce
                          • Opcode Fuzzy Hash: 4547d734cd4ef42a0c8a2b78db949d00a306eb5e7ce8dbf40fec28ac490392f0
                          • Instruction Fuzzy Hash: 0ED22530B112118FDB69FB74A4A863D77A3AF89204B6049ADD50B8B398DF35DC46CB81
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02487F4F
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 053fbba4d41e2b289a67b954ceeaa9bc57b7b7a52c583d10167e0361b757223a
                          • Instruction ID: 37379a2f38617cf06a7d6379e55367937c24dec288e97de88a64be086293fdd4
                          • Opcode Fuzzy Hash: 053fbba4d41e2b289a67b954ceeaa9bc57b7b7a52c583d10167e0361b757223a
                          • Instruction Fuzzy Hash: DC21E3B5900249DFDB10CFAAD584ADEBBF4EB48310F24845AE919A7310D378A950CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02487F4F
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0
                          • Opcode ID: 017975acf53cf8af7f0f86dac67e015eb697cdf00b0f2f8971a1cab93b51387d
                          • Instruction ID: 944c56986f29b81a36afb2fceaef9ec8a37604491db492d3b3afdd0288f4a0f5
                          • Opcode Fuzzy Hash: 017975acf53cf8af7f0f86dac67e015eb697cdf00b0f2f8971a1cab93b51387d
                          • Instruction Fuzzy Hash: 4121E6B59002099FDB10CF9AD584ADEFFF4EB48310F24841AE918A3310D374A950CF64
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02482A43
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0
                          • Opcode ID: ba767f9ae0390d50796017ca3461c47053b47c5015cf5363d2a073f00912bb11
                          • Instruction ID: bafe61148bf81da90d925c95be20be88a672af809f70c4010a654839579d2957
                          • Opcode Fuzzy Hash: ba767f9ae0390d50796017ca3461c47053b47c5015cf5363d2a073f00912bb11
                          • Instruction Fuzzy Hash: 532123759002498FDB14DFA9C944BEFFBF1AF88724F24882AD819A7250C774A944CFA1
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02482A43
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0
                          • Opcode ID: 9474bbbb525c8079aeb0c34541968dbc4e909380ccda8a71bc24f8133e32dd61
                          • Instruction ID: a671cde6abf66964493341bc8e48d1b03d940a1b1d9543e7994b80b11fb66e5d
                          • Opcode Fuzzy Hash: 9474bbbb525c8079aeb0c34541968dbc4e909380ccda8a71bc24f8133e32dd61
                          • Instruction Fuzzy Hash: F0211571D002498FDB14DF9AC944BEFFBF5AF88720F14841AD415A7250C775A940CFA4
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Control-flow Graph

                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0248D3DD
                          Memory Dump Source
                          • Source File: 00000000.00000002.4526360227.0000000002480000.00000040.00000800.00020000.00000000.sdmp, Offset: 02480000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2480000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0
                          • Opcode ID: 87b483b07f3d0b6ee77f0f0bf7690c384cde4fe4774ce0ca585b6e32ef363701
                          • Instruction ID: 9811707da05412b800d853229985b198d4290aca255622f55a020fd5d6f7fced
                          • Opcode Fuzzy Hash: 87b483b07f3d0b6ee77f0f0bf7690c384cde4fe4774ce0ca585b6e32ef363701
                          • Instruction Fuzzy Hash: 5A11A971804259CEDB10DF9AD8447EEBFF4EB08314F14409AD484A3681C378AA04CBA5
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4529857240.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6d20000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: e858177db5b77f2a45778583de056fccaadd0d4d1fef6f3a4109a967a693c3e0
                          • Instruction ID: 1b9403750107472dd4c0f823c129c30828336994a95d2189171165496697e363
                          • Opcode Fuzzy Hash: e858177db5b77f2a45778583de056fccaadd0d4d1fef6f3a4109a967a693c3e0
                          • Instruction Fuzzy Hash: AC314D30A093928FC7269B34D4541ADBFF2DF46260F1508EFC586C7392DA758C49CB52
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4526230155.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_23ed000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: ad62877357efca2f734fb9db53aba8c1c705e11d7849ad27c03c17ca1feee4dd
                          • Instruction ID: 92781171db10e19979c3e5134819090727d63d9c2e3212cc036c4dfb328f3752
                          • Opcode Fuzzy Hash: ad62877357efca2f734fb9db53aba8c1c705e11d7849ad27c03c17ca1feee4dd
                          • Instruction Fuzzy Hash: 7E21D371604248DFDF05DF54D9C0B26BF69FB98318F24C56DE90A0A2D6C336D45ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4526251492.00000000023FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_23fd000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: b3ef8ea2adf4a2adc69de504c3701b752b0350d1cac26db264fc96a6086f239e
                          • Instruction ID: ab7256305cd36a8cf8719f3fa655be18b15838b89b0b7cecac368710c4e67e4a
                          • Opcode Fuzzy Hash: b3ef8ea2adf4a2adc69de504c3701b752b0350d1cac26db264fc96a6086f239e
                          • Instruction Fuzzy Hash: 58210471504208EFDB85DF14E9C8B26BBA5FB88314F20C66DDA0A4B296C33AD447CA61
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4526230155.00000000023ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 023ED000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_23ed000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                          • Instruction ID: 5e5a5c88bd2faeedeb1ee733974fde341d6c7535e85014d29a395b2c4b3e2765
                          • Opcode Fuzzy Hash: 347ceff61f71c01d8d79cfdbd8358f6f0be4c31f492294fd5b1d002aa0560fbf
                          • Instruction Fuzzy Hash: 4011B176504244CFCF16CF14D5C4B16BF71FB84328F24C5A9D90A0B296C33AD45ACBA2
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4526251492.00000000023FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 023FD000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_23fd000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                          • Instruction ID: daf3a96e50b2d850c9ce7e31d3fc760d68977cf00dac776779f0df8f4182b676
                          • Opcode Fuzzy Hash: f5dd070f47a673dda7babee824c8441981cc2d376d27ad6ac8e2bf7ef2f1688d
                          • Instruction Fuzzy Hash: 1511DD75504288CFDB46CF10E9C8B15BBB1FB88318F24C6A9DD094B256C33AD44ACB62
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4529857240.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6d20000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 2cfff33573a8ddd2cf0fd8eba741de8693b969ff5d755f0b966a6c2c21a04223
                          • Instruction ID: 8bce9a984aa241a7851ebd39e25f0d073bfc31122639173ae1d50677b634c8d1
                          • Opcode Fuzzy Hash: 2cfff33573a8ddd2cf0fd8eba741de8693b969ff5d755f0b966a6c2c21a04223
                          • Instruction Fuzzy Hash: 08118E357102159FDB04AB68D959BAEBBF2AF88700F244069E502E73E1CF759D05CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4529857240.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6d20000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 7e601a1043cf7a53687a1e98b62cb476bd56b75810a06f1c8de681b77776f76f
                          • Instruction ID: 80df7855f26ae02bb59d958490f59ad78147db26e893c8909294c7eb68a69f11
                          • Opcode Fuzzy Hash: 7e601a1043cf7a53687a1e98b62cb476bd56b75810a06f1c8de681b77776f76f
                          • Instruction Fuzzy Hash: 6D0180317102159FDB049B69C959B6EBBF6AF8C700F204069E502EB3E0CFB19D05CB91
                          Uniqueness

                          Uniqueness Score: -1.00%

                          Memory Dump Source
                          • Source File: 00000000.00000002.4529857240.0000000006D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D20000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_6d20000_xutnF2gKGTTy.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          • Opcode ID: 0e3bcaaa8bc5464022f95b6bd4b84a48186040fd0f2fdba881b8d6a0f3192855
                          • Instruction ID: 322586b849b68f2a74d8ad9d66baae0f50f7bd16937a783e3e595737e9560a5c
                          • Opcode Fuzzy Hash: 0e3bcaaa8bc5464022f95b6bd4b84a48186040fd0f2fdba881b8d6a0f3192855
                          • Instruction Fuzzy Hash: 97825D30B002168FDB54EF65C884B3EBAE3EF84304F60856DE5469B3A5DE75DD4A8B90
                          Uniqueness

                          Uniqueness Score: -1.00%