Edit tour

Windows Analysis Report
952cgs4G29.exe

Overview

General Information

Sample name:	952cgs4G29.exe renamed because original name is a hash value
Original sample name:	446035c77554b10722a6482a9a08d592.bin.exe
Analysis ID:	1427021
MD5:	446035c77554b10722a6482a9a08d592
SHA1:	0bded2287c79aa77bf4be8a59567e6aa2ec1b001
SHA256:	6c3e5106d3a3beebcae780dac855de2932c7df511ac3fb0fe0fe218f4fa7878a
Tags:	AsyncRATexeRAT
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AsyncRAT

.NET source code contains potential unpacker

Contains functionality to log keystrokes (.Net Source)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

952cgs4G29.exe (PID: 6552 cmdline: "C:\Users\user\Desktop\952cgs4G29.exe" MD5: 446035C77554B10722A6482A9A08D592)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Ports": ["8808", "6666"], "Server": ["rootsaul.duckdns.org"], "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "ax5uCDFXBgI1GRxkUBZwoYiV+43n5hscp6bALthvUvzuU3SCiCEjz6ZOlDNwHbvmiqz4ERy0DUMNMKUPvzt/ec0vqRym8oaMpHPPWxocEPfZ5ch7q44JhrLVbEIs6cxyiaqkew9P16UN658u1DRht99sS5Re1gMSfB3ZAe8EjXa+rRYKIfNDbqk0oAo5PuItFfEMYMm87vyG5c9hjylfGLwLB5OUw4Yl4/aLub1R57HDggp+QXwSonwK1cuo2cJ+MW5cYI4Ufz1ZNyAi+llCG3yCpmzGOFYaJTzhdHeVHN1g0o3slsCOX/lDiagcc3AKJfc58beD/9Ov6FcO3W47zt6ppiyCfO1MgiSTDMFMnI4Nu+clV6S8nCAaiK9eVzowue5kZWOeza+CNxGaifwNbz/6xP0ohcriXlY3TPHgcipGPNkkZWNOe24BNUT9ElJqXqYBQ655SpwsTnVZSe9xyyWcWlI8+6sRPIHQkeyujCUcVU/zg6pcHD581VfBQITf3ljzPi+dZVF/hO0yaRlbLmhe7bdXA6h60vYcMMWtTlq9pn5YFp1GDNm85+XYPOmSzXZWqouPL4AkTL8Mh2/FMSmQC0T3tICNXUaWxVXi2M7SeZiJ0gfhb5nMm2FxbRzc3tAy0lc+Yf9xUn7BYiF6iN9mX7R+PhwLvm0QtQRaznA="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
952cgs4G29.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
952cgs4G29.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
952cgs4G29.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc528:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fdc:$a3: get_ActivatePong 0xc740:$a4: vmware 0xc5b8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ed7:$a6: get_SslClient
952cgs4G29.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5ba:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3fa:$x1: AsyncRAT 0x438:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.4070079001.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x186f7:$x1: AsyncRAT 0x18735:$x1: AsyncRAT
00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc3ba:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4070079001.0000000001187000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x38153:$x1: AsyncRAT 0x38191:$x1: AsyncRAT
00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2b84b:$x1: AsyncRAT 0x2b889:$x1: AsyncRAT
Process Memory Space: 952cgs4G29.exe PID: 6552	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 952cgs4G29.exe PID: 6552	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x12897:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 952cgs4G29.exe PID: 6552	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x17e45:$x1: AsyncRAT 0x17e77:$x1: AsyncRAT 0x29c3c:$x1: AsyncRAT 0x29c6e:$x1: AsyncRAT 0x29c88:$x1: AsyncRAT 0x3374d:$x1: AsyncRAT 0x3377f:$x1: AsyncRAT 0x1295d:$s6: VirtualBox 0x12910:$s8: Win32_ComputerSystem
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.952cgs4G29.exe.d40000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.952cgs4G29.exe.d40000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.952cgs4G29.exe.d40000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc528:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fdc:$a3: get_ActivatePong 0xc740:$a4: vmware 0xc5b8:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ed7:$a6: get_SslClient
0.0.952cgs4G29.exe.d40000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5ba:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Snort Signatures

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 45.128.96.204 - Destination IP: 192.168.2.4

Timestamp:	04/16/24-22:21:57.607501
SID:	2030673
Source Port:	6666
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 45.128.96.204 - Destination IP: 192.168.2.4

Timestamp:	04/16/24-22:21:57.607501
SID:	2035595
Source Port:	6666
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 952cgs4G29.exe

Avira: detected

Found malware configuration

Source: 952cgs4G29.exe

Malware Configuration Extractor: AsyncRAT {"Ports": ["8808", "6666"], "Server": ["rootsaul.duckdns.org"], "Mutex": "AsyncMutex_6SI8OkPnk", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "ax5uCDFXBgI1GRxkUBZwoYiV+43n5hscp6bALthvUvzuU3SCiCEjz6ZOlDNwHbvmiqz4ERy0DUMNMKUPvzt/ec0vqRym8oaMpHPPWxocEPfZ5ch7q44JhrLVbEIs6cxyiaqkew9P16UN658u1DRht99sS5Re1gMSfB3ZAe8EjXa+rRYKIfNDbqk0oAo5PuItFfEMYMm87vyG5c9hjylfGLwLB5OUw4Yl4/aLub1R57HDggp+QXwSonwK1cuo2cJ+MW5cYI4Ufz1ZNyAi+llCG3yCpmzGOFYaJTzhdHeVHN1g0o3slsCOX/lDiagcc3AKJfc58beD/9Ov6FcO3W47zt6ppiyCfO1MgiSTDMFMnI4Nu+clV6S8nCAaiK9eVzowue5kZWOeza+CNxGaifwNbz/6xP0ohcriXlY3TPHgcipGPNkkZWNOe24BNUT9ElJqXqYBQ655SpwsTnVZSe9xyyWcWlI8+6sRPIHQkeyujCUcVU/zg6pcHD581VfBQITf3ljzPi+dZVF/hO0yaRlbLmhe7bdXA6h60vYcMMWtTlq9pn5YFp1GDNm85+XYPOmSzXZWqouPL4AkTL8Mh2/FMSmQC0T3tICNXUaWxVXi2M7SeZiJ0gfhb5nMm2FxbRzc3tAy0lc+Yf9xUn7BYiF6iN9mX7R+PhwLvm0QtQRaznA="}

Multi AV Scanner detection for submitted file

Source: 952cgs4G29.exe

ReversingLabs: Detection: 76%

Machine Learning detection for sample

Source: 952cgs4G29.exe

Joe Sandbox ML: detected

Source: 952cgs4G29.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 952cgs4G29.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 45.128.96.204:6666 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 45.128.96.204:6666 -> 192.168.2.4:49730

Uses dynamic DNS services

Source: unknown

DNS query: name: rootsaul.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 952cgs4G29.exe, type: SAMPLE
Source: Yara match	File source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 45.128.96.204:6666

Source: Joe Sandbox View

ASN Name: XXLNETNL XXLNETNL

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: rootsaul.duckdns.org

Source: 952cgs4G29.exe, 00000000.00000002.4071754410.0000000005629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: 952cgs4G29.exe, 00000000.00000002.4070079001.0000000001187000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 952cgs4G29.exe, 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 952cgs4G29.exe, type: SAMPLE
Source: Yara match	File source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 952cgs4G29.exe, LimeLogger.cs

.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 952cgs4G29.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 952cgs4G29.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4070079001.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4070079001.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\952cgs4G29.exe	Code function: 0_2_02EDD2D8	0_2_02EDD2D8
Source: C:\Users\user\Desktop\952cgs4G29.exe	Code function: 0_2_02ED7038	0_2_02ED7038
Source: C:\Users\user\Desktop\952cgs4G29.exe	Code function: 0_2_02ED7908	0_2_02ED7908
Source: C:\Users\user\Desktop\952cgs4G29.exe	Code function: 0_2_02ED6CF0	0_2_02ED6CF0

Source: 952cgs4G29.exe, 00000000.00000000.1621580801.0000000000D52000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs 952cgs4G29.exe
Source: 952cgs4G29.exe	Binary or memory string: OriginalFilenameStub.exe" vs 952cgs4G29.exe

Source: 952cgs4G29.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 952cgs4G29.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 952cgs4G29.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4070079001.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4070079001.0000000001187000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 952cgs4G29.exe, Settings.cs

Base64 encoded string: 'lGYhfFYdkdePHHMoVV4ProAEt0UT7lwwx0shRm6IiW9GMJSoPqj1Qvf3szoBtST0rMRyqMkeylMdEZ/P4uCYLA==', 'j5X+XXnafJ+SGgqxWsmQmKPD4wa/OIvrc+7dsdO4aAyB32JsI3pS5vBViHVyWLqU5GUgkn3E6EpIU4wx8AlzN/lbu8ra7fVI+16yc/b/ik8=', 'z79rohTZuweAByIHBI5H5FQpDDRWn/f6uHfRxDc6DyMvlcS3mRcrC3M3d/a86F4TfmV7CFgadwJyMONPsPy+Ew==', '/1snJ1114o+Lfu5Xp3vg/sFILGCUfKcRtC7wcXXDhcSzmL4Wc1+DwuoJmHOk7rAXZ01ygTH/iE/BXvTZ7wz+1g==', 'O0qRM2hQnEdBrTh08TkcSuw12yup1Gj7G4wPx1yiqsueV5be4NNyuD/1MeEE3dWr274R8AZ/pQZlt+Ebwii5nPphCrX1FTktxwHU6XHIp/ddT7MAnfkSk9npvoablu42iAhfrt+pD9jtj7hXt96AI9A7ajhjVebRObyql5J49QBJFemlUfvv/dPSeFMjkVSi8G5DUnE0UuI01y62O3+nV6PUG5x597IHjBK2eOSqoMcm97dVq4ilX/fyCqWJrV5iES2UYM6AZo0bl8jfQ01jTi8add6534MO8s2Zg2opuAyLdMKb3IoKXF57m/kQjVgImHwGrALTC1mbyhHamrWnQwEbKtJk/r0H0mbi0hQhfMsT1vN7k8XI5bgqe/wsXQwHj9FRC5LEpVPduF1dsKdD3BEMrjqg5hlgFslUdXEUV7oqmw/Im37dDt+Cbm+g/wG4WZHmf3VQut1ThgSU6mujya2j5wx9rGwLZSNGlXPO9u3LzW5vyWKb4Bl5AXvUaPDMQEK3swrgYJUwQrsIlarGOI1Dnhky7M2VFwk64iSv3bx/3bhfPVn2QDzCxbB72u1ePPbiTOvVeZCie24IpL6iEBin4jajiPMMkCOrl304Wjy6qetsA0N0XDh4PF67AnCFkTazh9+pJqEvnoHvoliU/dEhmd+KZKdj4wwiTVqOwg09cpxz7ZqDl5jc7D9biyKOwcI0+Td5u+mx3iZC84zuvMe9RYqWDTdiz8t74XhxokYvnyObQ5uS6QyZZI2He9vFC2W64pjlASGUiIkGeBa7g5m8kvmEDA/CLF0G9d5jg2/NT8Zkp1PwW4xD2HjkWSnIjPWXJZ89Ay8dzHLv0FCtdEWIBupbje8ODIQoEIH5M5T3wdiLYO5/rVkZBoKIJsA0W7y6GD0W9RzMKuWx+yASoWksO1t9VnzyrxqxCKiulA27r+HJPGiAzKp5CFrHExkdY2oDMVfelRTneOsZ/0lU6MdfaPFQHGLT/zdoSCt7DK3uCV+YhGAGvZx6fYdYgxl3bTQ4BXBW35Gr4VaWpSYJtrQW368xbIpeUEAyYtAKu5r0de7iYWM5i/L45d+DKroAdQYDEKQAfVR/Q+5Y/VowdUtvJEryugLRYsSye2Vouf2fwjhO/pEK/amBb0BuaDdRQVLEUSG8Wqf4JVEt0bvAk0ZMf3yYSHXtznFY9eY0CYB4F7QgtEWYp6qyFKm8sHJj96NcCaGmD/bJrFFdowFAslXVWceCss6LtKuf5Khop86E124G482iYYb/vobHjLghhsMsbjjeYUxtw1dmg2GtWgaiqKbB2Y3SrxMgHAaAGj52aIFU0DVRS72GgoiuX9KpsPqGxbG8ZcSpmoqPHDjGn0ZjY4jDuAt3KOEdSYzfdjL9gZuPU2M6FsKNXU/sx7H3YSyB+np4g2m/ryotq9yFN0ThIoy+y0M/3e4NxAEWjAG1Mae1LEXWsS7SIN2T6JTfRXJizOOxPAuL/o6LiQ0rkYF+sd22SKd6u+10xhWzn8KyHzcEcaOA3uJRyyVZ2HMOVaCrv5ioGcdxQXPEBkZryLr2SsNNo9vBa5D4OmcIRiQUlQ9B40Ov8Tmaqln1pJTShODUqJeVRYDr71/Zn3dj5NPB/urU3JVJAtGtH878z6jpp/zaKvpUVRo/Vat5Do5aY45iDPTHMg/63RN5PD9nPHuFtMJWjxFl3cApFrpooc4UBW5HQuUrZbdKY8KQ+7SGFDpozCX6lAm03lweYJVKjM3iGl9qoBvWC3wQ/sgg37AbQnAumc2Nxbs+LrOIkOaZJ+kYJcFyyQVHcTfTRBLXYrXivi+eR4AalhaH2r2+D97IwGW6nDlgcKh0HX3KmMvdnk0mR+/7mDY776ZnVqiSWuaPeN6jzBJPgzB0Vide3DMAu3f67Wft2FW6ghiD7rrnahKYsMnP4sqgoxp+/FfsPlrbkFu/xxAkg0sLiA9LA2Qz3nCY4hW2dwPCOlNcNA3jDhvFhv4etj/GuKEJj2GOfcY0EmfbRn6J4jrxzFel8737iV1zqW/0GMMg8k4LrFxE8gKAyT93Bu62M6DO7v0g6zjDgIJzMwW5jN7b1ShS5fdXA48x9s4SZE8dKqfldW9ZDOFAYszPSr4WKApgQ/eww3xTyhShKrYO1atsnGNTskuwsmi04AvZZBTaNuDdqNsapLpg9qvegk/QlZ53/e7j3cvCIwolHsgqJECQTv1IlI6q6KvJjIOPCgcZvAQJ7UzpB5KHkQRQID04YRo6kSPJBwPaRvgSSldL3ldkJsF3xQH2AXAQKQDW8xsw8cCGT9efvLEDyMSAWQ4zWlnBwk3qqhsdCydrWlA2oYzFBS9uiZk=', 'Ptd6CO8VIYzJZh6sQAi3vxOSrXDD6o5oFKFyqvcKxBqNoi6n/7jCJODr77HFyKs7cQx51cufYVXUwR7HakP4L04XRdibJD3CIVTc8xH+SY3XE7/BFv1ta/KkyIW9FpEdgltNZtBkFCNYq5sJMNhUd4O4MkvnEiwyyzBoPfYLjYh3AAcKL+/7sYu2TbWKZ1/3SqMg3DVD2KsvTaB0mL/WepbZXzU/JsSKQKEjnAK1vJo65yNZTs+nfRdOJfcgNW+r7aV

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\952cgs4G29.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\952cgs4G29.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: 952cgs4G29.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 952cgs4G29.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\952cgs4G29.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 952cgs4G29.exe

ReversingLabs: Detection: 76%

Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 952cgs4G29.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 952cgs4G29.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 952cgs4G29.exe, Packet.cs

.Net Code: Plugins System.AppDomain.Load(byte[])

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 952cgs4G29.exe, type: SAMPLE
Source: Yara match	File source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR

Source: C:\Users\user\Desktop\952cgs4G29.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT			Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 952cgs4G29.exe, type: SAMPLE
Source: Yara match	File source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 952cgs4G29.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\952cgs4G29.exe	Memory allocated: 2E90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Memory allocated: 30F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Memory allocated: 2F00000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe	Window / User API: threadDelayed 2839			Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Window / User API: threadDelayed 7003			Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe TID: 6776	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe TID: 6820	Thread sleep time: -20291418481080494s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe TID: 6852	Thread sleep count: 2839 > 30	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe TID: 6852	Thread sleep count: 7003 > 30	Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 952cgs4G29.exe	Binary or memory string: vmware
Source: 952cgs4G29.exe, 00000000.00000002.4071808107.000000000563E000.00000004.00000020.00020000.00000000.sdmp, 952cgs4G29.exe, 00000000.00000002.4071808107.000000000564C000.00000004.00000020.00020000.00000000.sdmp, 952cgs4G29.exe, 00000000.00000002.4070079001.00000000011CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\952cgs4G29.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe	Queries volume information: C:\Users\user\Desktop\952cgs4G29.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\952cgs4G29.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\952cgs4G29.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 952cgs4G29.exe, type: SAMPLE
Source: Yara match	File source: 0.0.952cgs4G29.exe.d40000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 952cgs4G29.exe PID: 6552, type: MEMORYSTR

Source: 952cgs4G29.exe, 00000000.00000002.4071808107.000000000563E000.00000004.00000020.00020000.00000000.sdmp, 952cgs4G29.exe, 00000000.00000002.4071704770.0000000005600000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\952cgs4G29.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	1 Input Capture	1 Query Registry	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
952cgs4G29.exe	76%	ReversingLabs	ByteCode-MSIL.Trojan.AsyncRATMarte
952cgs4G29.exe	100%	Avira	TR/Dropper.Gen
952cgs4G29.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://crl.micro	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rootsaul.duckdns.org	45.128.96.204	true	true		unknown
bg.microsoft.map.fastly.net	199.232.214.172	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.micro	952cgs4G29.exe, 00000000.00000002.4071754410.0000000005629000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	952cgs4G29.exe, 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.128.96.204	rootsaul.duckdns.org	Germany		34373	XXLNETNL	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1427021
Start date and time:	2024-04-16 22:21:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	952cgs4G29.exe renamed because original name is a hash value
Original Sample Name:	446035c77554b10722a6482a9a08d592.bin.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/2@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 62 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 199.232.214.172, 23.40.205.66, 23.40.205.18, 23.40.205.57, 23.40.205.56, 23.40.205.34, 23.40.205.16, 23.40.205.11, 23.40.205.59, 23.40.205.74
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-bg-shim.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
Execution Graph export aborted for target 952cgs4G29.exe, PID 6552 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 952cgs4G29.exe

Simulations

Behavior and APIs

Time	Type	Description
22:21:57	API Interceptor	10587820x Sleep call for process: 952cgs4G29.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	https://samartrace.co.ke/resu/repnu03/pDm2uA4djQME/transportforum@stanstedairport.com	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://r20.rs6.net/tn.jsp?f=001hdorddfRVpfBhjmCzZP_M9e3n-9HvwH5WndewdVBwOCaKywXuTP72YftDf8G7EZegNKDuHDStGd0F_YqHq-dwkMezptPaVTW7z3GmrsquDjOTUdJWUiPwtfYdeAV_V719niRmATzLmr1i2Q4VD5Hjq7GD9AIQnalZTS2xJ4NBmEjoOsyfi4JfmCXpI8wp394l5knVxHSX1M-okruwnPJWWbuauOcxTMO&c=&ch=#YmdyYWltZUBuZXhwb2ludC5jb20=	Get hash	malicious	Unknown	Browse	199.232.210.172
	bUAB.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	199.232.210.172
	https://docs.google.com/forms/d/e/1FAIpQLScaqr8AS5UHJLhHgsk75Su6KzT5rrqw0atzmeeQYQGFlm3rfA/viewform?usp=sf_link	Get hash	malicious	HTMLPhisher	Browse	199.232.214.172
	xutnF2gKGTTy.exe	Get hash	malicious	AsyncRAT	Browse	199.232.210.172
	hta.hta	Get hash	malicious	Unknown	Browse	199.232.214.172
	2.hta	Get hash	malicious	Unknown	Browse	199.232.214.172
	http://cubes.concordia.ca/track?type=click&enid=bWFpbGluZ2lkPTM2MjMmbWVzc2FnZWlkPTQxMjEmZGF0YWJhc2VpZD05MDEmc2VyaWFsPTEyNzU1MDM1NzUmZW1haWxpZD13YXJpZXN0NTkzMzgud2Vla2x5bWFpbEBibG9nZ2VyLmNvbSZ1c2VyaWQ9NDcxJmZsPSZleHRyYT1NdWx0aXZhcmlhdGVJZD0mJiY=&&&2028&&&http://gbmaucstans.com/?No5zl=ZGFuQHZpcnR1YWxpbnRlbGxpZ2VuY2VicmllZmluZy5jb20=	Get hash	malicious	HTMLPhisher	Browse	199.232.210.172
	https://00f82de.blob.core.windows.net/00f82de/1.html?4SdhQu6964HfYs43wfnwuulljn913CWVGBFRQHRPAHNP32199OVKO12176b14#14/43-6964/913-32199-12176	Get hash	malicious	Phisher	Browse	199.232.210.172
	ujMoHKBIfN.exe	Get hash	malicious	DarkCloud	Browse	199.232.210.172

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
XXLNETNL	SecuriteInfo.com.IL.Trojan.MSILZilla.30455.29056.1307.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	45.128.96.253
	0qslxpFF5E.elf	Get hash	malicious	Unknown	Browse	45.128.96.191
	SHIPPING_INVOICE_DOCX_0000000000000000000.vbs	Get hash	malicious	GuLoader	Browse	45.128.96.128
	ef8eruBP3b.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.128.96.133
	vJ1BkIFajK.exe	Get hash	malicious	Chaos, PureLog Stealer, Wiper, XWorm	Browse	45.128.96.133
	WRbiXjr77v.exe	Get hash	malicious	PureLog Stealer, Xmrig, zgRAT	Browse	45.128.96.133
	SOgv6zN9CC.exe	Get hash	malicious	FormBook, PureLog Stealer, XWorm	Browse	45.128.96.133
	O7XmfO6ZHE.exe	Get hash	malicious	PureLog Stealer	Browse	45.128.96.133
	6Zps3s23ui.exe	Get hash	malicious	AsyncRAT, DcRat	Browse	45.128.96.133
	ecZlUzD3WK.exe	Get hash	malicious	PureLog Stealer	Browse	45.128.96.133

Process:	C:\Users\user\Desktop\952cgs4G29.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\952cgs4G29.exe
File Type:	data
Category:	dropped
Size (bytes):	330
Entropy (8bit):	3.227769006306415
Encrypted:	false
SSDEEP:	6:kKuvXlEN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:uXlbkPlE99SNxAhUeVLVt
MD5:	36A5E753A816DCFA22A863CCD18BA31E
SHA1:	917E814CCFABE9F14CC6223B4C88197CD708BB79
SHA-256:	9959FA92FF1D7C3D6FDB4C0BB0A814571EE66AF206C6BAD4E4E175C8DA5E1E5D
SHA-512:	FBA94C79DCCB753F2ECC2422236F9BFB0E088F7B1B4C86AAA13882EAC9B2AA95818631901C7E65C7B287ADB28755271186FB94D793A3FB06B075131A4C768493
Malicious:	false
Reputation:	low
Preview:	p...... ...........;...(....................................................... ........M.........(.....wl....i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.3887604891879395
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	952cgs4G29.exe
File size:	64'512 bytes
MD5:	446035c77554b10722a6482a9a08d592
SHA1:	0bded2287c79aa77bf4be8a59567e6aa2ec1b001
SHA256:	6c3e5106d3a3beebcae780dac855de2932c7df511ac3fb0fe0fe218f4fa7878a
SHA512:	f56ce2880ea024d3b507f9968f3e6570fbe6031885a181fb0c2f60596733e9e06f3ad2fe7506a97bdd4687541b24dfc8c570a742c0155ac72e8fe57301330b2b
SSDEEP:	1536:qmfW6qHdykrVMKuJUYFVBE2UbtAPCZQHL4B2arPlTGdx:qme6qHdykGKuJUYFTUbt5Qssadux
TLSH:	495309013BE9812AF3BE8F7459F3658546F9F4AB2D12D95D1CC901CE0532B829D42BBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vjzd............................^.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x410e5e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x647A6A76 [Fri Jun 2 22:17:26 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x10e04	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xee64	0xf000	c1bbd72d5524f07584774ff31c1b67ec	False	0.45509440104166665	data	5.425469382094308	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x7ff	0x800	33cdbc5c50f34a35b4f0e61582ac7f11	False	0.41650390625	data	4.884866150337139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	873b96edd7bdd1f264f95bd5bca6abbd	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1236c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/16/24-22:21:57.607501	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	6666	49730	45.128.96.204	192.168.2.4
04/16/24-22:21:57.607501	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	6666	49730	45.128.96.204	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 22:21:57.171453953 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:57.381181002 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:21:57.381429911 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:57.394944906 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:57.607501030 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:21:57.607563972 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:21:57.607671976 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:57.613178015 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:57.824348927 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:21:57.865813017 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:58.554898024 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:58.816823006 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:21:58.816951990 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:21:59.070842981 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:04.601501942 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:04.860384941 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:04.860580921 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:05.071165085 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:05.115793943 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:05.324279070 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:05.333992004 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:05.586275101 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:05.586350918 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:05.837008953 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:10.648313999 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:10.898787975 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:10.899014950 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:11.112932920 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:11.162796974 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:11.372690916 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:11.406405926 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:11.664407015 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:11.664520979 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:11.914628029 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:16.694457054 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:16.944057941 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:16.944150925 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:17.156749964 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:17.209472895 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:17.417943001 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:17.420016050 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:17.670402050 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:17.670517921 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:17.923938990 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:19.215301991 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:19.256344080 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:19.464783907 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:19.506314039 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:22.741261959 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:23.007668018 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:23.007798910 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:23.217365026 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:23.272005081 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:23.480635881 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:23.482266903 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:23.742259026 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:23.742338896 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:23.992542028 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:28.789684057 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:29.047281027 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:29.047383070 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:29.259555101 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:29.303153038 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:29.511632919 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:29.513927937 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:29.773649931 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:29.773710012 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:30.027033091 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:34.834855080 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:35.095663071 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:35.095761061 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:35.314904928 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:35.365578890 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:35.574688911 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:35.577147961 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:35.839286089 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:35.839426041 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:36.093341112 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:40.881591082 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:41.136415958 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:41.136529922 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:41.358177900 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:41.412439108 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:41.620815992 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:41.622437954 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:41.882951975 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:41.883136988 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:42.138937950 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:46.941104889 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:47.197108030 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:47.197344065 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:47.407104015 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:47.459240913 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:47.668402910 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:47.670510054 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:47.932955027 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:47.933228970 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:48.192480087 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:49.204746008 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:49.256112099 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:49.464689016 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:49.506150961 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:52.975292921 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:53.226133108 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:53.226316929 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:53.436161995 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:53.490571976 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:53.699217081 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:53.701108932 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:53.962683916 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:53.962778091 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:54.216566086 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:59.022085905 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:59.280508041 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:59.280622005 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:59.492610931 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:59.537415028 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:59.746066093 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:59.747680902 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:22:59.999288082 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:22:59.999386072 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:00.249133110 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:03.944020033 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.202564955 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.206801891 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.420427084 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.474793911 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.491055965 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.683330059 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.683423042 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.749469995 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.749531984 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.893040895 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.943510056 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:04.957884073 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:04.959724903 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:05.208543062 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:05.208619118 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:05.467623949 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:06.834631920 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:07.098598003 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:07.098656893 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:07.320179939 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:07.365389109 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:07.574937105 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:07.577620029 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:07.834070921 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:07.834121943 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:08.089889050 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:12.881509066 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:13.139332056 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:13.139389038 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:13.370383024 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:13.412276030 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:13.621113062 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:13.622873068 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:13.879070997 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:13.879352093 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:14.132903099 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.045212984 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:19.198394060 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.198477983 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:19.253937006 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.302896976 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:19.450083017 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.511231899 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.513575077 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:19.771140099 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:19.771536112 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:20.024487972 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:21.695635080 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:21.956453085 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:21.956517935 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:22.166016102 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:22.225009918 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:22.433909893 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:22.436086893 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:22.688412905 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:22.688688040 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:22.937295914 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:27.740859985 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:27.995913982 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:27.996364117 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:28.208322048 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:28.255969048 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:28.464864016 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:28.470443010 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:28.732017040 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:28.732367992 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:28.985326052 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:33.787590027 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:34.043482065 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:34.048809052 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:34.262371063 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:34.318591118 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:34.527471066 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:34.531276941 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:34.794606924 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:34.794748068 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:35.044492006 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:39.834331989 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:40.086565971 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:40.087933064 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:40.297977924 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:40.412070990 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:40.620497942 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:40.622006893 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:40.874732018 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:40.875103951 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:41.137475014 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:45.881376028 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:46.134299994 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:46.134612083 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:46.348337889 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:46.412190914 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:46.623801947 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:46.626849890 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:46.876152992 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:46.878602028 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:47.133800983 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:49.216905117 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:49.271435022 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:49.479995966 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:49.521404982 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:51.927927971 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:52.178036928 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:52.182677031 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:52.392575979 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:52.443722963 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:52.652662039 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:52.655577898 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:52.905806065 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:52.905922890 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:53.164462090 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:54.459544897 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:54.716248989 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:54.716326952 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:54.926565886 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:55.083966017 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:55.277321100 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:55.278613091 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:55.283430099 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:55.292414904 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:55.294461966 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:55.537790060 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:23:55.537847996 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:23:55.795917034 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:00.506011009 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:00.777331114 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:00.778310061 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:01.010045052 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:01.083818913 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:01.292510986 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:01.294060946 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:01.558108091 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:01.558254957 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:01.807694912 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:06.554394960 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:06.816565037 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:06.816783905 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:07.037317991 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:07.083874941 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:07.293481112 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:07.295469999 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:07.553666115 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:07.553816080 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:07.820883989 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:08.194459915 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:08.452383041 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:08.452616930 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:08.684127092 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:08.740083933 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:08.950633049 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:08.959736109 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:09.210570097 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:09.210792065 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:09.469163895 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:10.288527966 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:10.548156023 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:10.548223972 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:10.776388884 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:10.818526030 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:11.028042078 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:11.083863974 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:11.161442041 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:11.419173002 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:11.419296026 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:11.668160915 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:16.334121943 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:16.592492104 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:16.592772961 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:16.818839073 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:16.865010023 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:17.073488951 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:17.075493097 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:17.338433027 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:17.338500977 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:17.600594997 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:19.212635040 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:19.255702972 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:19.464355946 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:19.552480936 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:19.959224939 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:20.217081070 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:20.218384027 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:20.430056095 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:20.568267107 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:20.797720909 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:20.797820091 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:20.797854900 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:20.797961950 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:20.803132057 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:21.056360960 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:21.056679964 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:21.318236113 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:22.412386894 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:22.670989990 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:22.671092033 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:22.881310940 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:23.068451881 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:23.236033916 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:23.236161947 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:23.239551067 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:23.277121067 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:23.277189970 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:23.494899988 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:23.495079994 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:23.751601934 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:28.459156036 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:28.724359035 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:28.724565029 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:28.937666893 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:29.052527905 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:29.261321068 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:29.263046026 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:29.522387028 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:29.522530079 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:29.778335094 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:30.974760056 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:31.231538057 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:31.231699944 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:31.442004919 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:31.489990950 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:31.698885918 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:31.700902939 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:31.965703011 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:31.965774059 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:32.222824097 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:37.022207022 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:37.280155897 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:37.280275106 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:37.497536898 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:37.552385092 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:37.761310101 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:37.762778997 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:38.015860081 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:38.015940905 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:38.280229092 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:43.070302010 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:43.326334953 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:43.326534033 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:43.536051035 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:43.585052013 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:43.793626070 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:43.795687914 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:44.045341969 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:44.045552969 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:44.295229912 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.224857092 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:49.232507944 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.232707977 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:49.436994076 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.485019922 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.489937067 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:49.698602915 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.700531006 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:49.960994959 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:49.961178064 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:50.211289883 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:50.214479923 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:50.440824032 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:50.490257025 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:50.698894024 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:50.700445890 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:50.960992098 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:50.961190939 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:51.213082075 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:55.459187031 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:55.721141100 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:55.721327066 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:55.948376894 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:55.989950895 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:56.198751926 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:56.200628042 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:56.458156109 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:24:56.458461046 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:24:56.712021112 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:01.505938053 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:01.754040003 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:01.754118919 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:01.963579893 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:02.005605936 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:02.214195967 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:02.215846062 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:02.478576899 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:02.478682995 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:02.732086897 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:06.005841970 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:06.272228003 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:06.276441097 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:06.490262985 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:06.540200949 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:06.749118090 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:06.751708984 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:07.013417959 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:07.014760017 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:07.268599987 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:12.052671909 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:12.310240030 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:12.316203117 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:12.527215004 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:12.584233999 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:12.792990923 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:12.801417112 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:13.054115057 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:13.058099031 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:13.318630934 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:18.099672079 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:18.353475094 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:18.354145050 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:18.565280914 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:18.692856073 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:18.892312050 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:18.892405033 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:18.895009041 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:18.901439905 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:18.901494026 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:19.145770073 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:19.145847082 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:19.232517958 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:19.354507923 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:19.354592085 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:19.560798883 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:19.560873032 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:24.146266937 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:24.407778978 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:24.408993006 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:24.656085968 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:24.896111965 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:24.990135908 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:24.990871906 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:25.000204086 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:25.104865074 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:25.108395100 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:25.256072044 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:25.256169081 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:25.505899906 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:30.193123102 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:30.458359957 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:30.462057114 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:30.674870014 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:30.725941896 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:30.934650898 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:30.943766117 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:31.197204113 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:31.198251963 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:31.456289053 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:36.240215063 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:36.493495941 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:36.493592978 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:36.753252983 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:36.802133083 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:37.010895967 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:37.017493010 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:37.278326035 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:37.278412104 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:37.539151907 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:42.287023067 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:42.548027992 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:42.556139946 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:42.805531025 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:42.852164984 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:43.061536074 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:43.065506935 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:43.317310095 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:43.317461967 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:43.577233076 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:48.334007025 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:48.597743034 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:48.597835064 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:48.810507059 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:48.864670992 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:49.075202942 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:49.082933903 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:49.291842937 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:49.291924000 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:49.550492048 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:50.286933899 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:50.550159931 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:50.551980019 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:50.762834072 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:50.817809105 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:51.029361963 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:51.033350945 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:51.293807983 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:51.293988943 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:51.548563004 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:52.709826946 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:52.959548950 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:52.959642887 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:53.169672966 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:53.224147081 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:53.432841063 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:53.434546947 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:53.688019991 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:53.688148022 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:53.943207026 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:57.943075895 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:58.198333025 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:58.198399067 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:58.415162086 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:58.473901033 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:58.685688972 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:58.688409090 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:58.942873955 CEST	6666	49730	45.128.96.204	192.168.2.4
Apr 16, 2024 22:25:58.943104029 CEST	49730	6666	192.168.2.4	45.128.96.204
Apr 16, 2024 22:25:59.196547031 CEST	6666	49730	45.128.96.204	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 16, 2024 22:21:57.029042959 CEST	51942	53	192.168.2.4	1.1.1.1
Apr 16, 2024 22:21:57.168334961 CEST	53	51942	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 16, 2024 22:21:57.029042959 CEST	192.168.2.4	1.1.1.1	0x62b2	Standard query (0)	rootsaul.duckdns.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 16, 2024 22:21:57.168334961 CEST	1.1.1.1	192.168.2.4	0x62b2	No error (0)	rootsaul.duckdns.org	45.128.96.204	A (IP address)	IN (0x0001)	false
Apr 16, 2024 22:21:58.007342100 CEST	1.1.1.1	192.168.2.4	0x2437	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false
Apr 16, 2024 22:21:58.007342100 CEST	1.1.1.1	192.168.2.4	0x2437	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	22:21:51
Start date:	16/04/2024
Path:	C:\Users\user\Desktop\952cgs4G29.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\952cgs4G29.exe"
Imagebase:	0xd40000
File size:	64'512 bytes
MD5 hash:	446035C77554B10722A6482A9A08D592
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4070079001.00000000011CC000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1621554642.0000000000D42000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4070079001.0000000001187000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4070824389.00000000030F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02EDD2D8 Relevance: 1.0, Instructions: 1022COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f395407c9ebb7bb7c51f7fe0fc4491801950d76ea74b9bffca2c70749f4a9df5
Instruction ID: a1efdc54310ba282cb7ee6f1942e4d8036280cdf05074d57bb36ef2c4778f53a
Opcode Fuzzy Hash: f395407c9ebb7bb7c51f7fe0fc4491801950d76ea74b9bffca2c70749f4a9df5
Instruction Fuzzy Hash: CD829E70B402048FDB54EF69C984B2EBAE3EF84304F65D479D5068B3A9CB75EC468B91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED7038 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5a48a2172796d9c73e47c478d2c23bcff30cf4ead5354862f3bc0f27e8c1318
Instruction ID: 424ca4e15fb2b2bed0681603f09e39203467ae35fb9b6d8757e24ce6bfd39b0b
Opcode Fuzzy Hash: d5a48a2172796d9c73e47c478d2c23bcff30cf4ead5354862f3bc0f27e8c1318
Instruction Fuzzy Hash: 7EB15070E40219CFDB14CFA9C98579DFBF2AF88318F14D129E819A7258EB749846CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED7908 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 228006456765289255f5e5c9d4665a1bab63b4c0e740ef19406ac757dd57e278
Instruction ID: 9822741276bad012b0233a0bbb6225f79d846e70734d36b8b43565fd9d9df580
Opcode Fuzzy Hash: 228006456765289255f5e5c9d4665a1bab63b4c0e740ef19406ac757dd57e278
Instruction Fuzzy Hash: 38B14D70E402198FDF10CFA9D9817DDFBF2AF48318F14E529D815AB254EB749946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02ED20E8 Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

akq, xrefs: 02ED26FC
akq, xrefs: 02ED269F
,, xrefs: 02ED2230
xoq, xrefs: 02ED2736

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: akq$ akq$,$xoq
API String ID: 0-3861859347
Opcode ID: 5d50ad25f3a936dd2c1bddf4b0797f4ce7239e3d116ebd63e3b588e9d8b719d5
Instruction ID: 45cc258aa35615c7b2639dbbd356e60a5862a6e0311759b2d6f65986cada1563
Opcode Fuzzy Hash: 5d50ad25f3a936dd2c1bddf4b0797f4ce7239e3d116ebd63e3b588e9d8b719d5
Instruction Fuzzy Hash: 10029D707402008FC714EF28D594B6EB7A2FF84314F249569D915AF3A9DB75EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2322 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

akq, xrefs: 02ED26FC
akq, xrefs: 02ED269F
xoq, xrefs: 02ED2736

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: akq$ akq$xoq
API String ID: 0-2188637935
Opcode ID: fe45cc9e0bfdf4edcc4a771889bf1dc57e927698136fa9ed8030286096bf0cb3
Instruction ID: 432f5ee349c85a1543e2ef2147d226a002aee9d2076f805658df1967666d44d2
Opcode Fuzzy Hash: fe45cc9e0bfdf4edcc4a771889bf1dc57e927698136fa9ed8030286096bf0cb3
Instruction Fuzzy Hash: 0F618C70B803008FC710AF29D584B5E7BA2FB84314F258968D605AF3A9DB75EC86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0F80 Relevance: 2.7, Strings: 2, Instructions: 168COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02ED0FB5
(oq, xrefs: 02ED125A

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: (oq$Tekq
API String ID: 0-1772506348
Opcode ID: 710e3eaccfde078b92c2c769630e8f2d798570c37739d81720a6a039571ed90f
Instruction ID: bba16c507d83ca12cb164bd05c1104778a3ad8188d80f40a18222e2ae553494b
Opcode Fuzzy Hash: 710e3eaccfde078b92c2c769630e8f2d798570c37739d81720a6a039571ed90f
Instruction Fuzzy Hash: 71518D75B501148FCB44DF69C454B5EBBF6EF88700F25C1AAE50AEB3A1CA75DC028B94

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0DE8 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

Hoq, xrefs: 02ED0F08
dLqq, xrefs: 02ED0E23

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Hoq$dLqq
API String ID: 0-1323869633
Opcode ID: 1f2afc8eefc509e9b5883aef7f89fdf8126fa94b45282b7802be566cf7173153
Instruction ID: b064081f1240466ae3830dbf2624e6d422b67fc11ffddbc595a72db59e6ad30d
Opcode Fuzzy Hash: 1f2afc8eefc509e9b5883aef7f89fdf8126fa94b45282b7802be566cf7173153
Instruction Fuzzy Hash: 4841C531B402048FCB149F79C454B9EBBF6EF89304F2985AAD505EB3A1CB749C46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA6B0 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$kq, xrefs: 02EDA6EF
$kq, xrefs: 02EDA6E5

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: $kq$$kq
API String ID: 0-3550614674
Opcode ID: 8df6b2dc38c0e5d65149fa49b77ace3436683f2b0d6c1795af72e613d588ae7c
Instruction ID: 3648680d21701e58b46560fd9a382dc0ea1b708b17359cddd744ecc6ae2fbf24
Opcode Fuzzy Hash: 8df6b2dc38c0e5d65149fa49b77ace3436683f2b0d6c1795af72e613d588ae7c
Instruction Fuzzy Hash: 36413978680501DFC3189F5AA11852ABB73FB84709338D969E4468B394DB369E53CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED9DB0 Relevance: 1.6, Strings: 1, Instructions: 348COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02EDA035

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 9193c61378350d860315d87b0560e4b8b920bff072298e14c9b000bc71200a3f
Instruction ID: a3f977ea8fa23bea9664b4d7ab5959a84aa4189f4c07cafd8cabb8a0be16682d
Opcode Fuzzy Hash: 9193c61378350d860315d87b0560e4b8b920bff072298e14c9b000bc71200a3f
Instruction Fuzzy Hash: B101F270B412019FCB55EB7889017AE3BB5AF4D700F5180BAE245EB391EBA48E038BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB808 Relevance: 1.6, Instructions: 1574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4df3d059743454ac0ab111da233915bb9044ccf08bcce3ca6c115c60f057bdb
Instruction ID: b482f71ead0174eef84521c07129e62bcff388ed154aac83160040454738e17b
Opcode Fuzzy Hash: c4df3d059743454ac0ab111da233915bb9044ccf08bcce3ca6c115c60f057bdb
Instruction Fuzzy Hash: F4D2DA747402048FCB59AF7494A466E77A3EBC9304B60997DD40A9B798EF3A9C83CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02ED9D95 Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02EDA035

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 7936ba5f23750a363781f33fc01cec47f4b791fcb4d91e9f90afb03f66c94773
Instruction ID: 27d586636f1ce6835a008ddd8889df4150938e3490037f82d26cc0f60cb07999
Opcode Fuzzy Hash: 7936ba5f23750a363781f33fc01cec47f4b791fcb4d91e9f90afb03f66c94773
Instruction Fuzzy Hash: A5010470B412019EC715AB3C8C047AE3BA1AF8E704F4191BAD105EB395EB708E068795

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB3B0 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xoq, xrefs: 02EDB6F6

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: xoq
API String ID: 0-2982640460
Opcode ID: 34c0879f5f9cc4ec892baa1b1d8d40d3cfbb2142fa134cb3e7c77189316ccd28
Instruction ID: 7679e302b8dbcbdbc382119fe8074c6b6c05508d7f2eec6845b4961cf5ae6241
Opcode Fuzzy Hash: 34c0879f5f9cc4ec892baa1b1d8d40d3cfbb2142fa134cb3e7c77189316ccd28
Instruction Fuzzy Hash: 059159749C02088FD724DF2AE68471937A2F7C471CF969A2DC6108B2D8EB7698D7CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02EDAC60 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDACFE

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: fa92d0178c9a768f7d54d6a8d4f33b509a35dce8ab3b460c4073d96a7a0a7e21
Instruction ID: 6448fc0690292a9489cbac11d0eb1fb72c43e8555f61c91e061f91c25b57411d
Opcode Fuzzy Hash: fa92d0178c9a768f7d54d6a8d4f33b509a35dce8ab3b460c4073d96a7a0a7e21
Instruction Fuzzy Hash: 75519F306802019FE714DF25C844B69BBB1FF89724F249169E911AB3E0CBB5ED42CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA699 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

$kq, xrefs: 02EDA6E5

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: $kq
API String ID: 0-3037731980
Opcode ID: 47ecb141615897efbd7d0149562d0b048bd6c10666bef560eb731bfda7cfaec4
Instruction ID: f5923e264b5083b23ea8cd3848acce8ba37a44ad84d8f7d8957694159c8c60a2
Opcode Fuzzy Hash: 47ecb141615897efbd7d0149562d0b048bd6c10666bef560eb731bfda7cfaec4
Instruction Fuzzy Hash: 1F418B78684500DFC3196F5AA118139BB73FB84319338D969E4428B390DB359E53CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1401 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02ED1453

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 9018c9b52ff79aae059a88f220ed3880e70e41878713426350d6f8c535ae1b0a
Instruction ID: 8579e2b7f894f68275420521cfec39c98142fb106baad5229282e6b3a194a3d0
Opcode Fuzzy Hash: 9018c9b52ff79aae059a88f220ed3880e70e41878713426350d6f8c535ae1b0a
Instruction Fuzzy Hash: 70319370F002168FCB55EB7D8950ABE7BF6AFC9200B1880A9E549DB3A5DE349C02C790

Uniqueness

Uniqueness Score: -1.00%

Function 02ED4730 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

|, xrefs: 02ED46C8

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: c99a0fd03615228c0cd44cf2e04dd60c9fa305b3e6b9f2261deb0196ec07ebdf
Instruction ID: 35a5ce5414b000bb071ce6e966251fae0cc9fc09586684a3c3f5220afdf424e9
Opcode Fuzzy Hash: c99a0fd03615228c0cd44cf2e04dd60c9fa305b3e6b9f2261deb0196ec07ebdf
Instruction Fuzzy Hash: 8C21F035B402108BCB25AB38995476E76F39F89745F04987DE50ACB7D4DF39DC068B90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0DD9 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

dLqq, xrefs: 02ED0E23

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: dLqq
API String ID: 0-4255564529
Opcode ID: 67cbfdbfdba36f1c6ea4f7b76b4c4c66a060d7ad85a76639e33ab4b2c6f04e63
Instruction ID: 8c0c32ec5377aa6c5d7ab41e164a38cda383b3972d7f5dbe3098d6ae69fb70bc
Opcode Fuzzy Hash: 67cbfdbfdba36f1c6ea4f7b76b4c4c66a060d7ad85a76639e33ab4b2c6f04e63
Instruction Fuzzy Hash: 0931A170A502058FCB14DF69C458B9DBBF6FF88304F188569E402AB3A1CB74EC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED466A Relevance: 1.3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

Strings

|, xrefs: 02ED46C8

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 222d73821d453436cf095b945716e28a2ec4b1138d03301618a3ab62cc498491
Instruction ID: 79c16ad4e65be88724b80441a1245b2724b2207a6d77f55e2577e37bd24ba5c7
Opcode Fuzzy Hash: 222d73821d453436cf095b945716e28a2ec4b1138d03301618a3ab62cc498491
Instruction Fuzzy Hash: 2F21BD74B402118FCB449F78D904BAEB7F1EF48740F108469E50AEB3A4DB359901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA5B8 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDA5E2

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 09ef493119f63ce7162e2802e237f6faf7772c506eebd80869cdf4061981538a
Instruction ID: c47c33f015a727a6147dc1031da86befbd04b20a4480140740cd872c28e7674f
Opcode Fuzzy Hash: 09ef493119f63ce7162e2802e237f6faf7772c506eebd80869cdf4061981538a
Instruction Fuzzy Hash: 2F21D035B501148FDB449F28C458BAD7BF2AF8C714F2580AAE402DB3A1CB759D02CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA5C8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDA5E2

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: baba869463af4becc417023b7ff8ef8933a10849ac72ca1622cbda9419079b91
Instruction ID: 922d574d06ad6db06a766a14fa444d152127b746160bc5a28b45f428e1c46e7b
Opcode Fuzzy Hash: baba869463af4becc417023b7ff8ef8933a10849ac72ca1622cbda9419079b91
Instruction Fuzzy Hash: CF216A35790110CFDB449F29D918BAE7BF6AF88714F21806AE512DB3E0CF759D018B91

Uniqueness

Uniqueness Score: -1.00%

Function 02EDAB48 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDAB73

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: 9733bd9171d3ee37499309ec78544c581bed4200d5aa7b9ce4103262adbb4ee1
Instruction ID: d8b18f478914716e5341279e7cc568918ccc65d71ba50bc4e019664022319035
Opcode Fuzzy Hash: 9733bd9171d3ee37499309ec78544c581bed4200d5aa7b9ce4103262adbb4ee1
Instruction Fuzzy Hash: CA116634B40104DFDB149F69C895BADBBB6EF88714F149469E902EB3A1CA759C42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EDAB58 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDAB73

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: d111149b98a1cbb8f23d337cf1143a67505b6351dc1a8b24a211aed68fd0c423
Instruction ID: 6fd2819b1d49715d98a079ae99e9991c13b8aaa31b83b7b503959c256d464d58
Opcode Fuzzy Hash: d111149b98a1cbb8f23d337cf1143a67505b6351dc1a8b24a211aed68fd0c423
Instruction Fuzzy Hash: D2118230B80104CFDB149F29C498BADBBE6AF88714F149469E902AB3E1CA75AC41CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EDD100 Relevance: 1.3, Strings: 1, Instructions: 54COMMON

Download Yara Rule

Strings

Tekq, xrefs: 02EDD12D

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Tekq
API String ID: 0-2319236580
Opcode ID: ae514cf05e5b82970e68787704db2b0216af94f33001f8f116286a1de1e96927
Instruction ID: 771563850e6ef4f965c1d06142272f869c591fa282a002994d13319988f5d12e
Opcode Fuzzy Hash: ae514cf05e5b82970e68787704db2b0216af94f33001f8f116286a1de1e96927
Instruction Fuzzy Hash: F511C671B401009FDB149B29C868BADBBF2AF8C700F114059E402EB391CFB55D06CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0F07 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Hoq, xrefs: 02ED0F08

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: Hoq
API String ID: 0-3049094369
Opcode ID: 69835d8749e51ef2277388b58278a2767cbc09e5221dcb26ca4910126ee7238b
Instruction ID: 04614cc19f5910ebe53ce2100d473f3ec2fcb0291a880941770423831266fe40
Opcode Fuzzy Hash: 69835d8749e51ef2277388b58278a2767cbc09e5221dcb26ca4910126ee7238b
Instruction Fuzzy Hash: BCF028247492804FC7996B3A945051E3FE7EFCA26036944EBD249CB397DE288C0787E6

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA020 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LRkq, xrefs: 02EDA035

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: 02fac119182362f5a8c8a946f352f964922c73ecdb5e6cfaa3e7e9b2b7381359
Instruction ID: fd29843f050eff2fd581539d1bd263c124722d8365b56a8b0d416b4735f825e6
Opcode Fuzzy Hash: 02fac119182362f5a8c8a946f352f964922c73ecdb5e6cfaa3e7e9b2b7381359
Instruction Fuzzy Hash: C7014B71B401159FCB44EBB89901AAE77B5EF48600F1081B9E609EB390EB759E028BD1

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3320 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7faf12a973263a864490ab984126e0b88f1cea98100fd30636a5d1a781973f6
Instruction ID: 9b464dc4001502a5e311e40ba3e9647f163367ef96f6f5e82dd087b86ea6cf0d
Opcode Fuzzy Hash: d7faf12a973263a864490ab984126e0b88f1cea98100fd30636a5d1a781973f6
Instruction Fuzzy Hash: 7F927B70781241CFCB05DF35E5946197BA2EB84304B6089BDC8029B799DB7EAC97CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED3310 Relevance: .7, Instructions: 708COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f3fb01c0bc838db7844f1b2068ded15ae15087ae9d2bc3e39acef66fcc17bd9
Instruction ID: 40371713d1d68fe3806686d830df5b88d3a317b577041553614846ee6e6c8226
Opcode Fuzzy Hash: 1f3fb01c0bc838db7844f1b2068ded15ae15087ae9d2bc3e39acef66fcc17bd9
Instruction Fuzzy Hash: B9629D707802418FCB04DF35E5946597BA2EB84344B6089B9C8029B799DB7EECD7CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED702C Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92795c387ad1c0dfc826cc4ba848fcf19c6a6ed886ce6c91adc2fa13215c0d3a
Instruction ID: bb6c20c4a022b67c54e43cdfcef57c52b064e4da21727fc5694ad2de2f855969
Opcode Fuzzy Hash: 92795c387ad1c0dfc826cc4ba848fcf19c6a6ed886ce6c91adc2fa13215c0d3a
Instruction Fuzzy Hash: 4DB13C70E40259CFDB10CFA9C9857DDFBF1AF48318F14D129E818A7298EB749846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ED78FF Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 547cbadd81f22699a484399310ca647d402a7dc9c6956cc49ea68df74b06779f
Instruction ID: 909620ffc9f4723a2d0f261109ad654711c2a9ad95bc34689724a94c44bea270
Opcode Fuzzy Hash: 547cbadd81f22699a484399310ca647d402a7dc9c6956cc49ea68df74b06779f
Instruction Fuzzy Hash: ECA13A70E402198FDF10CFA8D9857DDFBF2AF48318F14E529E815AB254EB749986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02ED4250 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ffa845fae9821bb2104c5ee27b719ca8872a692526a1493829d209b826d3a6f
Instruction ID: 322088b087c68429c4b9f36bd0d6bf1be253ab8077831432a66d0b0a6f016162
Opcode Fuzzy Hash: 0ffa845fae9821bb2104c5ee27b719ca8872a692526a1493829d209b826d3a6f
Instruction Fuzzy Hash: 3391CE31A002468FCB15DF68C5806AEFBF2FF85310F1585A9D419AB3A5DB31ED86CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA869 Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ab17ccae09c6c5631f7f3802315ad5fe5304a02e993d4912f0a1999b7e86b23
Instruction ID: d39ed20fc76633cbef16ad56717282fd150ad5131e7538e17999167d7659218e
Opcode Fuzzy Hash: 5ab17ccae09c6c5631f7f3802315ad5fe5304a02e993d4912f0a1999b7e86b23
Instruction Fuzzy Hash: 5F519174A00215CFCB04DFA8D984A6EFBB2FF44314F1690A5E855AB362D730ED42CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0B49 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c28527e33469ef6e0711fba19360a86200a08c18666d6329e3d7accbcc29ea5
Instruction ID: fdcae212d622ceadcafeb1cae75ccd31e3cd0bd929cf1847caaa10743a5a8829
Opcode Fuzzy Hash: 0c28527e33469ef6e0711fba19360a86200a08c18666d6329e3d7accbcc29ea5
Instruction Fuzzy Hash: 8051EB70981201DFCB15EF34E584959B762FBC47257904A78D801ABB69EB3DBC8ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2D01 Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f36c7ca707e0c179e6f2f48879fbcec8008bce4e235f038c4fe2de22f3f5514
Instruction ID: d7bdade9e594c2686e7d9f70276fc7b4b708c4295a382db82bbcc9fce7b1672b
Opcode Fuzzy Hash: 5f36c7ca707e0c179e6f2f48879fbcec8008bce4e235f038c4fe2de22f3f5514
Instruction Fuzzy Hash: 66419F75B202289FCF059BB9DA1479D7BBBAFCC310F148029EC05B3758CA35AC418B94

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1298 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b0df8083acc66e4a0c798a31ec36f1075f0ab2f445668daff8612a4a8ef7e99
Instruction ID: 9fa9ebe3b9b971cf1cfb5bedcb39c45f2ef86ba02dcca281f743a5cce08b7cc2
Opcode Fuzzy Hash: 5b0df8083acc66e4a0c798a31ec36f1075f0ab2f445668daff8612a4a8ef7e99
Instruction Fuzzy Hash: D841D470E40248AFCB44DBBD85547AEBBFAEF89300F21C56AD40DD7745DA359D428B90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED09A8 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64df3fa8eb4434c2179ae194ba2b69668c4463a77ff82c3c6dd2c87321c244ca
Instruction ID: 0bc9853aa4cbd3ad3576de2aeabc6f0a6f381c4d32e725e9f76093aceedbaf8e
Opcode Fuzzy Hash: 64df3fa8eb4434c2179ae194ba2b69668c4463a77ff82c3c6dd2c87321c244ca
Instruction Fuzzy Hash: 2941BF306C02018FDB24AF7AD55467E36A6BB80748B58E83DC817C6694EF34DC838FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02ED09B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a25301cc35769d794c160f957be711d8a23fd6e1cf26bf6ec77942cff12210c
Instruction ID: 9ea892f10f1d84b297818cb1e84345822b00ec29beb2c9d0ea510eb825982459
Opcode Fuzzy Hash: 9a25301cc35769d794c160f957be711d8a23fd6e1cf26bf6ec77942cff12210c
Instruction Fuzzy Hash: 28319F307802028FDF54AF7AD56467E76A5BF84748B58A83DC806D6298EF34D883CF61

Uniqueness

Uniqueness Score: -1.00%

Function 02ED554C Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 182e20b80ee4876464317d82413d6f55f1b7ea49fb999a864199fd028124861f
Instruction ID: 78c8e38d03e249c418931500a7399039b2c547a4de6b317b4b8e3c0a57b49ad1
Opcode Fuzzy Hash: 182e20b80ee4876464317d82413d6f55f1b7ea49fb999a864199fd028124861f
Instruction Fuzzy Hash: 2D4101B5D00349DFDB10DF99C580ADEBBB5FF48314F60842AE419AB254DB35A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02ED4740 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d2c389da38f92c98eb9fd01d5f3579d917df026279b6a4aba6d712d0b9629a1
Instruction ID: 18c2328548bf12484c8eb13670f63125e7721fd9e236d388f8d5ce4c52ef17e5
Opcode Fuzzy Hash: 3d2c389da38f92c98eb9fd01d5f3579d917df026279b6a4aba6d712d0b9629a1
Instruction Fuzzy Hash: 7531B2217493904FC7466B3C587029E3FA29F93250B1A40ABC195CB7E2DE249C4A8796

Uniqueness

Uniqueness Score: -1.00%

Function 02ED5558 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddaee6dd6efd79d3bcd0db7c62221b5fd4a419a25a2a81f7347f1510a125d4a
Instruction ID: ddef70f9044b94dbb3cfe06d2db980eedab78d35ca5a1abaaa6835d7084d12a1
Opcode Fuzzy Hash: 4ddaee6dd6efd79d3bcd0db7c62221b5fd4a419a25a2a81f7347f1510a125d4a
Instruction Fuzzy Hash: 7C41FEB0D00349DFDB10CFA9C584ADEBFB5BF48314F508029E819AB254DB74A946CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02DFD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070504287.0000000002DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dfd000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64abb1912890c8abf79eb255c7ce42f020de17cb8b11ec60f5415527a80a8c8d
Instruction ID: 80fd6a55148ead48f2d672a79f4bcc909ce8f321dbe5beb66b179c25eddca8ca
Opcode Fuzzy Hash: 64abb1912890c8abf79eb255c7ce42f020de17cb8b11ec60f5415527a80a8c8d
Instruction Fuzzy Hash: 162137B1504244DFDB45DF14D9C0B2BBF66FB88318F20C569EA0A0B356C336D856CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA339 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd654a8f319096e00f69b2832368def77c3b1278bb43e55d1df8e8f792e13a9
Instruction ID: 0d3e4791ef3f9dde4b0144a2732693f848059d928732e1cded3ec06e4dffe5de
Opcode Fuzzy Hash: 7dd654a8f319096e00f69b2832368def77c3b1278bb43e55d1df8e8f792e13a9
Instruction Fuzzy Hash: A621A434A402148FCB14EF74C9546AE77B7EF89704F159438D806AB7A1DF39AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA4C8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d25b2231320209025e2058b0fd4f4dd57eb79fd53df54e4376c71eb379a91e
Instruction ID: 336679624f4f2f3a60bc1d222ce78559fe357198faa68330da9a5a0cf506fa76
Opcode Fuzzy Hash: 95d25b2231320209025e2058b0fd4f4dd57eb79fd53df54e4376c71eb379a91e
Instruction Fuzzy Hash: E5213B70E4060A8FDB50DFA9D5406EEBBF5EB88740F14807AC905E7354EB399E428FA1

Uniqueness

Uniqueness Score: -1.00%

Function 02EDAEA9 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61ad171ebb7090e6050ead3181233f6afa9918af743aed582c9738575dd045a
Instruction ID: f8b7bd23afde09ec3541712d2d1cdc00c1bf8defaa3c69948f7618222b5ce882
Opcode Fuzzy Hash: e61ad171ebb7090e6050ead3181233f6afa9918af743aed582c9738575dd045a
Instruction Fuzzy Hash: 3F218070A402049FCB41EF78E85069EBBA2EF85350B20C679C1159B395EB35AE4BCFD5

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB7FB Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bfe9b8e2f3a1fe2161d5ce5bbb91466b83a0dae20c32376df7a3a55ff9217d5
Instruction ID: 1d1750fb84cc392d7fc4beaeab3e1febf9fc248a9846a2bd041bdc6140914d73
Opcode Fuzzy Hash: 9bfe9b8e2f3a1fe2161d5ce5bbb91466b83a0dae20c32376df7a3a55ff9217d5
Instruction Fuzzy Hash: 6A11B731B802058FCB249E68D59436EB3A3EB88318F5548BED55AD3784EF319C92CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02EDAEB8 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fba5236959b15da228ae2efd5e0944646bb7d351d6f37f1c584f81b408473ea1
Instruction ID: 1d413a1fb27da4f392f9a141fea8d9c558c88eaad0e6270c96bb929318166875
Opcode Fuzzy Hash: fba5236959b15da228ae2efd5e0944646bb7d351d6f37f1c584f81b408473ea1
Instruction Fuzzy Hash: 5E21AEB0A402049FCB41EF78E440A5EBBA2EF81310B10C679C1159B395EB39AE4BCFC1

Uniqueness

Uniqueness Score: -1.00%

Function 02ED14F9 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7f7f0fdf1405a1b40b838d681753b4e9ff201b0dd629e3e61c237f1dc1ea745
Instruction ID: a145d35dfeb16d88de6062b6e2af15e60532fa5d2478b35bbb9ad6137ee93186
Opcode Fuzzy Hash: a7f7f0fdf1405a1b40b838d681753b4e9ff201b0dd629e3e61c237f1dc1ea745
Instruction Fuzzy Hash: 1011CEB0B40201CFCB54EF79D844ABA7BF6EF8861571444B9D80ADB325DA39DD42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02DFD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070504287.0000000002DFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DFD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2dfd000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 2da09deb0747ef5e643d1b137c316e57cd848a0f2767876f7799228fb2c6c490
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 0111D376504244CFDB16CF14D9C4B16BF72FB85328F24C5A9D9090B356C33AD85ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2BB1 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883c678fd60abc2176b30b2ad6703d5784f1a68c6e19bfd7ed57c4af8e4d5aa9
Instruction ID: 6a92d908b5766429cfd478885f17eafddc4881741bdb6a7ab3aeefe1f4062b36
Opcode Fuzzy Hash: 883c678fd60abc2176b30b2ad6703d5784f1a68c6e19bfd7ed57c4af8e4d5aa9
Instruction Fuzzy Hash: 1011E0B1B442424FC308DF7AE58055AFBA2FFC4224308C5BAC508DB65AD635AC43CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 594d96d5878fcd8443aac41c7d197a5cc21343ded99c27c22c7f0b160ce60647
Instruction ID: 98555241ca15c0b6e4fc326f4a784f697bec75c2fd75602684ec6d1481b0883c
Opcode Fuzzy Hash: 594d96d5878fcd8443aac41c7d197a5cc21343ded99c27c22c7f0b160ce60647
Instruction Fuzzy Hash: E1118070B40205DFCB54EFBDD904A6A7BFAEF886147104879D40ADB358EA39DC42CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA0A8 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807b1ebf83b65280e41683905ba9cd3682549c84de262d7372f6e72f22579e92
Instruction ID: 82c7914fca62b595e7770870f61aee8d8b58638bc4baa2ebba0a21d368fb12c3
Opcode Fuzzy Hash: 807b1ebf83b65280e41683905ba9cd3682549c84de262d7372f6e72f22579e92
Instruction Fuzzy Hash: BE1112B5800648CFDB20DF9AC549BDEBBF4EB48324F208469D459A7350C375AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2E83 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5861d5f75cc4c659b588e00007fe9735c9d46b93cb164c7521cdd969bb7673c9
Instruction ID: 4d2f0d753defab950ab018bd574db41df496fe7bc4abe66c4f91cb61232c6d2e
Opcode Fuzzy Hash: 5861d5f75cc4c659b588e00007fe9735c9d46b93cb164c7521cdd969bb7673c9
Instruction Fuzzy Hash: 0D01782018D3C44FC7039B7498246503F349F53600B0A41E7C585CB6B3D669AC4A8372

Uniqueness

Uniqueness Score: -1.00%

Function 02EDA0B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39fdcf3a6b274bee47632e5dd270f1ee23088ce8302ee0d4619f01ccec867923
Instruction ID: e4248293bc77a979416109e479497c53f554405e14cee0c40c6c035e2425073f
Opcode Fuzzy Hash: 39fdcf3a6b274bee47632e5dd270f1ee23088ce8302ee0d4619f01ccec867923
Instruction Fuzzy Hash: BB111EB58002488FCB20DF9AC589BDEBBF4EB48324F208469D458A7350C378A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1C60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401625476e2047728166d74d86be829549aa12d55572c81f897ea6701b790b5f
Instruction ID: 273729d8d1885df6cbcd77efd8e75cd4d01f453bea1541a848d7c0ea9347cf7b
Opcode Fuzzy Hash: 401625476e2047728166d74d86be829549aa12d55572c81f897ea6701b790b5f
Instruction Fuzzy Hash: 93018130D8060ACFC704FFB9EA8959C7775FF81304B808A35C9466B358EB356995CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02ED1C4F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eded320fa6bf1bdf150b088c16fc29c4fbbe9b040bcc94fbddf5e63e19da8638
Instruction ID: 4135c6b1c89ecf592dd1ce351571f377c5554877a8a39d9e71996dd4e7a50b1a
Opcode Fuzzy Hash: eded320fa6bf1bdf150b088c16fc29c4fbbe9b040bcc94fbddf5e63e19da8638
Instruction Fuzzy Hash: 3CF02830C84346CFC301EB78D9855EC7B31EF82344F004A39C4956B399EB345956CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02ED9BC8 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9003fc63315c00f0694f5fc203ead37a0631e36ec5b74471678f6e25cd2ef487
Instruction ID: 7fd7fb04b93a59f5db1347774f20f709b77b5433232919a1c6211a0f6338c8c1
Opcode Fuzzy Hash: 9003fc63315c00f0694f5fc203ead37a0631e36ec5b74471678f6e25cd2ef487
Instruction Fuzzy Hash: A2E0DF617092901FCB4152B958148A93FA99FC720032610EBD105DB7A3CD208C0143A4

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB758 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 355646b42e82ca8229c72a92c8ede58a8d1a5d4303091304ab99d808a2ea4605
Instruction ID: 829a3ea85187aec8986b67b712dba2d456d854d42473faf3ec6dedf6632dac7f
Opcode Fuzzy Hash: 355646b42e82ca8229c72a92c8ede58a8d1a5d4303091304ab99d808a2ea4605
Instruction Fuzzy Hash: ECE0D8B09092489FCB40DFA4E84259C7FB5DB49200B1155EAD845E7355DA305F089B55

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2EBF Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2be9f8105072b543fec2defbc2e1252f9659d25e56372231b437d1a5e25b37b4
Instruction ID: 95c15163f64018e3ab5230d0040764519a8a55ea6e702134976eba938307a33d
Opcode Fuzzy Hash: 2be9f8105072b543fec2defbc2e1252f9659d25e56372231b437d1a5e25b37b4
Instruction Fuzzy Hash: 01E0CD700883840EDB02AF54D5207543F249751B00F4106718145561E69A5EAD894375

Uniqueness

Uniqueness Score: -1.00%

Function 02EDB768 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89c0b7b021835faeb19e7164cfa9d807a69d32de4898f02908da59fb66846f6f
Instruction ID: 058ee3907b46d5d250e4a0e19167a8d9183228c6007bb100c14c7ba51b7aec14
Opcode Fuzzy Hash: 89c0b7b021835faeb19e7164cfa9d807a69d32de4898f02908da59fb66846f6f
Instruction Fuzzy Hash: 79D01270901148EF8B40DFA8E94195DBBB9EB48304B1085A9D809D7344DB319E049F54

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2ED0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df646a7bdf20327db5a7b761cf34c72fc05cd55bbe2b69fd3bbdf147d17132d9
Instruction ID: 996e29f55438709f3299c9c069921ef30243a181a001834481d333921cf145e0
Opcode Fuzzy Hash: df646a7bdf20327db5a7b761cf34c72fc05cd55bbe2b69fd3bbdf147d17132d9
Instruction Fuzzy Hash: 12D012301942494EDE01FF69FA547A97759E7C0F10F800A3485064B6ADAF7DBDC942B6

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0B35 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67a78ac24a6bfacdecdeebc7a0ecdb1c6e55ad0e8663986aaca65b05f7dedd60
Instruction ID: 0e9207efbf9edd685693745f283e7acec50c13df18ed5917bc261423342b07b2
Opcode Fuzzy Hash: 67a78ac24a6bfacdecdeebc7a0ecdb1c6e55ad0e8663986aaca65b05f7dedd60
Instruction Fuzzy Hash: 66C080209CC244CED30037B5D6683EC3A10A74130DFF46810D143010985E7508D7C612

Uniqueness

Uniqueness Score: -1.00%

Function 02ED0B19 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 364b8cb56df69f95e604c42c0398f39a7a317fe60fb26fd952a26dd311ead56f
Instruction ID: 44f4e4b9a83aa089abd95f8d7bb9b5ba5e5f94e14216b5fa2459b2934326ae9e
Opcode Fuzzy Hash: 364b8cb56df69f95e604c42c0398f39a7a317fe60fb26fd952a26dd311ead56f
Instruction Fuzzy Hash: 50C08C209CC248CED30137B5E6B83EC3A20E74130EFF8A825E103000989E7608EBCA22

Uniqueness

Uniqueness Score: -1.00%

Function 02ED2EA8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44572e4077e067924278484d049e5b1a60219d4be4f61093baf1674f64c78563
Instruction ID: ecb9ebc12fc5f772501a43b3b42cc19191e7d1ee4602472d7588d6df7fc5677f
Opcode Fuzzy Hash: 44572e4077e067924278484d049e5b1a60219d4be4f61093baf1674f64c78563
Instruction Fuzzy Hash: 6EC048352602088F8244EE99E588C12B7A8FF98A1034100A9E9018BB22CB29FC10DA61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02ED6CF0 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4070694633.0000000002ED0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02ED0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ed0000_952cgs4G29.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f07c1834d9ec36a5700e1413fc458fe647293ceead200d87e0ed06ff150586b
Instruction ID: bf028b5c1003c11049ccacb17835f6e1ea979192c90a44f08065757b6f33061c
Opcode Fuzzy Hash: 0f07c1834d9ec36a5700e1413fc458fe647293ceead200d87e0ed06ff150586b
Instruction Fuzzy Hash: 6D915DB0E40609CFDF10CFA9D98579DBBF6AF88318F14D129E805AB254EB749946CF81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 952cgs4G29.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

Windows Analysis Report
952cgs4G29.exe