
Windows Analysis Report
xwuh6EHyYm.exe

Overview

General Information

Sample name: xwuh6EHyYm.exe (renamed because the original name is a hash value)
Original sample name: 3B5A9930C02E7E42AC52627179137656.exe
Analysis ID: 1431456
MD5: 3b5a9930c02e7e42ac52627179137656
SHA1: c7c8753c5ff727097fdf8b02b457d34e6f88ac18
SHA256: 5d6a67ab649ed8610da623191e8925e4804c9d0eb424b8f50be64b20c098a890
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AsyncRAT
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Injects a PE file into a foreign process
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • xwuh6EHyYm.exe (PID: 5064 cmdline: "C:\Users\user\Desktop\xwuh6EHyYm.exe" MD5: 3B5A9930C02E7E42AC52627179137656)
    • RegAsm.exe (PID: 7152 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 5352 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 6352 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 6312 cmdline: #system32 MD5: 0D5DF43AF2916F47D00C1573797C1A13)
  • cleanup
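The process tree above is the part of this report that is cheapest to hunt for in endpoint telemetry: a user-writable executable on the Desktop spawns four copies of the framework utility RegAsm.exe, each with no assembly to register, and the AsyncRAT payload runs inside them. The Python below is an added example, not part of the Joe Sandbox report or of AsyncRAT; it scores process-creation records for that pattern. The record layout, the PID of explorer.exe, the benign devenv.exe and cmd.exe baselines, and the allow-list of trusted parents are constructed for the example; RegSvcs.exe and InstallUtil.exe are added to the host list as an assumption because they are abused the same way.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# .NET framework utilities routinely used as hollowed injection hosts.
# RegAsm.exe is the one in this report; RegSvcs.exe and InstallUtil.exe are
# an assumption added because they share the same abuse pattern.
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}

# Parents that legitimately register assemblies (assumed allow-list; build
# yours from baseline telemetry).
TRUSTED_PARENTS = {"devenv.exe", "msbuild.exe", "msiexec.exe"}

# Path fragments a standard user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\")


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal process-creation record (Sysmon event 1 / EDR equivalent)."""
    pid: int
    image: str
    command_line: str
    parent_pid: int
    parent_image: str


# Constructed records mirroring the tree in this report (PIDs 5064, 7152,
# 5352, 6352, 6312) plus two benign baselines that are not in the report.
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
DROPPER = r"C:\Users\user\Desktop\xwuh6EHyYm.exe"
SAMPLE_EVENTS = [
    ProcessEvent(5064, DROPPER, f'"{DROPPER}"', 4000, r"C:\Windows\explorer.exe"),
] + [
    ProcessEvent(pid, REGASM, f'"{REGASM}"', 5064, DROPPER)
    for pid in (7152, 5352, 6352, 6312)
] + [
    # Visual Studio registering a COM interop assembly: legitimate use.
    ProcessEvent(9001, REGASM, r'RegAsm.exe /codebase "C:\Program Files\Vendor\Interop.dll"',
                 9000, r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe"),
    # An admin shell registering a plugin: unknown parent, but otherwise normal.
    ProcessEvent(9002, REGASM, r"RegAsm.exe C:\Tools\Plugin.dll",
                 9003, r"C:\Windows\System32\cmd.exe"),
]


def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def has_assembly_argument(command_line: str) -> bool:
    """RegAsm/RegSvcs/InstallUtil take an assembly to register; a launch with
    no .dll/.exe argument has no legitimate work to do."""
    tokens = command_line.split()
    return any(t.strip('"').lower().endswith((".dll", ".exe")) for t in tokens[1:])


def evaluate(ev: ProcessEvent) -> list[str]:
    """Reasons this event looks like a hollowed .NET host (empty = benign)."""
    if image_name(ev.image) not in DOTNET_HOSTS:
        return []
    reasons = []
    parent = image_name(ev.parent_image)
    if parent not in TRUSTED_PARENTS:
        reasons.append(f"parent {parent} is not a known assembly registrar")
    if any(m in ev.parent_image.lower() for m in USER_WRITABLE_MARKERS):
        reasons.append("parent executes from a user-writable path")
    if not has_assembly_argument(ev.command_line):
        reasons.append("no assembly passed on the command line")
    return reasons


def flag_process_tree(events, min_reasons: int = 2) -> dict[int, list[str]]:
    """PIDs that accumulate at least `min_reasons` indicators. An unknown
    parent alone is informational; combined with a bare command line or a
    user-writable parent it is exactly the tree this report shows."""
    flagged = {}
    for ev in events:
        reasons = evaluate(ev)
        if len(reasons) >= min_reasons:
            flagged[ev.pid] = reasons
    return flagged


if __name__ == "__main__":
    for pid, why in flag_process_tree(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(why))
```

With the default threshold the four RegAsm.exe children of PID 5064 are flagged on all three indicators while both baselines pass; lowering `min_reasons` to 1 surfaces the cmd.exe case too, which is the knob to turn when the environment has no legitimate command-line use of these utilities.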
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Extracted malware configuration (AsyncRAT): {"Ports": ["7654"], "Server": ["172.160.240.225"], "Mutex": "J9GKTh1eD4ee", "Certificate": "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", "Server Signature": "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"}
Yara matches in PCAP (Source / Rule / Description / Author / Strings):

Source: dump.pcap
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
  • 0x32a:$x1: AsyncRAT
  • 0x368:$x1: AsyncRAT
Yara matches in memory dumps (Source / Rule / Description / Author / Strings):

Source: 00000004.00000002.2876939091.0000000004F18000.00000004.00000020.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
  • 0xe50b:$x1: AsyncRAT
  • 0xe549:$x1: AsyncRAT

Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)

Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (Detects file containing reversed ASEP Autorun registry keys; author: ditekSHen)
  • 0xa0e3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: 00000004.00000002.2876856313.0000000004E5B000.00000004.00000020.00020000.00000000.sdmp
Rule: MALWARE_Win_AsyncRAT (Detects AsyncRAT; author: ditekSHen)
  • 0x90b:$x1: AsyncRAT
  • 0x949:$x1: AsyncRAT
  • 0x1e27:$x1: AsyncRAT
  • 0x1e65:$x1: AsyncRAT

Source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)

(9 entries in total; the remaining entries are not shown.)
Yara matches in unpacked PEs (Source / Rule / Description / Author / Strings):

Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)

Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack
Rule: Windows_Trojan_Asyncrat_11a11ba1 (description: unknown; author: unknown)
  • 0x8451:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x9838:$a2: Stub.exe
  • 0x98c8:$a2: Stub.exe
  • 0x5107:$a3: get_ActivatePong
  • 0x8669:$a4: vmware
  • 0x84e1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x5e8f:$a6: get_SslClient

Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack
Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse (Detects file containing reversed ASEP Autorun registry keys; author: ditekSHen)
  • 0x84e3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: 4.2.RegAsm.exe.400000.0.unpack
Rule: JoeSecurity_AsyncRAT (Yara detected AsyncRAT; author: Joe Security)

Source: 4.2.RegAsm.exe.400000.0.unpack
Rule: Windows_Trojan_Asyncrat_11a11ba1 (description: unknown; author: unknown)
  • 0xa251:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xb638:$a2: Stub.exe
  • 0xb6c8:$a2: Stub.exe
  • 0x6f07:$a3: get_ActivatePong
  • 0xa469:$a4: vmware
  • 0xa2e1:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x7c8f:$a6: get_SslClient

(19 entries in total; the remaining entries are not shown.)
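The strings the rules above key on are cheap to reproduce without Yara when triaging a dump or an unpacked PE: the autorun key is stored backwards (`nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS` reads `Software\Microsoft\Windows\CurrentVersion\Run` reversed), persistence is a `schtasks /create ... /sc onlogon /rl highest` command, and the injection-host path is a Base64 token (the one the System Summary lists further down decodes to `C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe`). The Python below is an added example, not code from the Joe Sandbox report or from AsyncRAT; it implements those three checks over a constructed buffer that embeds the report's strings. The buffer, the function names, and the `RunOnce` key in the ASEP list are assumptions for the example.

```python
import base64
import binascii
import re

# Autostart (ASEP) registry paths to search for in reversed form. The Run key
# is what the rule hit above decodes to; RunOnce is an assumed extension.
ASEP_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)

# Constructed buffer (not the real sample): it embeds the strings the Yara
# hits list for this sample, with the reversed key stored as UTF-16LE the way
# .NET keeps user strings, plus the Base64 token reported further down.
SAMPLE_BUFFER = (
    b"\x00" * 16
    + b'/c schtasks /create /f /sc onlogon /rl highest /tn "\x00'
    + "\\nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS".encode("utf-16-le")
    + b"\x00\x00Stub.exe\x00vmware\x00"
    + b"QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU=\x00"
)

B64_TOKEN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
SCHTASKS = re.compile(rb"schtasks\s+/create[^\x00]*", re.IGNORECASE)


def find_reversed_asep(buf: bytes) -> list[dict]:
    """Locate reversed ASEP keys in ASCII and UTF-16LE; report the real key."""
    hits = []
    for key in ASEP_KEYS:
        for enc in ("ascii", "utf-16-le"):
            needle = key[::-1].encode(enc)
            start = 0
            while (off := buf.find(needle, start)) != -1:
                hits.append({"offset": off, "encoding": enc, "key": key})
                start = off + 1
    return sorted(hits, key=lambda h: h["offset"])


def decode_base64_strings(buf: bytes) -> list[dict]:
    """Decode Base64-looking tokens and keep those that yield printable ASCII.
    Encrypted config blobs (like the 'Ma/HTJ...' strings in this report) decode
    to binary and are dropped; embedded paths and commands survive."""
    out = []
    for m in B64_TOKEN.finditer(buf):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            out.append({"offset": m.start(), "decoded": text})
    return out


def find_persistence_commands(buf: bytes) -> list[str]:
    """schtasks /create command lines, as used for the on-logon task."""
    return [m.group(0).decode("ascii", "replace") for m in SCHTASKS.finditer(buf)]


def triage(buf: bytes) -> dict:
    """Combine the three checks into one verdict for a dump or unpacked PE."""
    asep = find_reversed_asep(buf)
    b64 = decode_base64_strings(buf)
    tasks = find_persistence_commands(buf)
    hosts = [d["decoded"] for d in b64 if d["decoded"].lower().endswith(".exe")]
    return {
        "reversed_asep": asep,
        "base64_decoded": b64,
        "schtasks": tasks,
        "likely_injection_hosts": hosts,
        "suspicious": bool(asep) and bool(tasks or hosts),
    }


if __name__ == "__main__":
    for k, v in triage(SAMPLE_BUFFER).items():
        print(f"{k}: {v}")
```

Searching both encodings matters: the Yara offsets above come from ASCII copies in unpacked images, but a live .NET process keeps its user strings as UTF-16LE, so a scan of a raw process dump that only looks for ASCII misses them.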
          No Sigma rule has matched
Snort alerts:

Timestamp: 04/25/24-07:42:00.418689
SID: 2030673
Source Port: 7654
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 04/25/24-07:42:00.418689
SID: 2035595
Source Port: 7654
Destination Port: 49730
Protocol: TCP
Classtype: A Network Trojan was detected

          AV Detection

Source: xwuh6EHyYm.exe | Avira: detected
Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Ports": ["7654"], "Server": ["172.160.240.225"], "Mutex": "J9GKTh1eD4ee", "Certificate": "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", "Server Signature": "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"}
Source: xwuh6EHyYm.exe | ReversingLabs: Detection: 79%
Source: xwuh6EHyYm.exe | Virustotal: Detection: 56%
Source: xwuh6EHyYm.exe | Joe Sandbox ML: detected
Source: xwuh6EHyYm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: xwuh6EHyYm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 172.160.240.225:7654 -> 192.168.2.4:49730
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 172.160.240.225:7654 -> 192.168.2.4:49730
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE
Source: unknown | TCP traffic detected without corresponding DNS query: 172.160.240.225 (this detection is reported 50 times in the original report)
Source: RegAsm.exe, 00000004.00000002.2874269924.0000000000B21000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.4.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 00000004.00000002.2876856313.0000000004E5B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabo
Source: RegAsm.exe, 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
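Two of the network findings above generalise beyond this sample: the client talks to its server by hard-coded IP, so no DNS answer ever precedes the connection, and it reconnects to the same 172.160.240.225:7654 endpoint over and over. The Python below is an added example, not part of the Joe Sandbox report; it implements that "connection without a preceding DNS answer" check over flow and DNS records and summarises the reconnect cadence. The record layout and all timestamps are constructed; 203.0.113.10 is a documentation address standing in for the CDN that served the ctldl.windowsupdate.com request, whose real IP the report does not give.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float      # seconds since capture start
    name: str
    address: str


@dataclass(frozen=True)
class TcpFlow:
    ts: float
    src: str
    dst: str
    dport: int


# Constructed records modelled on this report's pcap (not the real capture):
# the victim 192.168.2.4 from the Snort alert reconnects to 172.160.240.225:7654
# with no lookup, while the CTL download to ctldl.windowsupdate.com is preceded
# by a DNS answer. 203.0.113.10 stands in for the CDN address.
SAMPLE_DNS = [DnsAnswer(1.0, "ctldl.windowsupdate.com", "203.0.113.10")]
SAMPLE_FLOWS = [
    TcpFlow(1.2, "192.168.2.4", "203.0.113.10", 80),
    TcpFlow(2.0, "192.168.2.4", "192.168.2.1", 445),        # LAN traffic, ignored
    TcpFlow(5.0, "192.168.2.4", "172.160.240.225", 7654),
    TcpFlow(35.0, "192.168.2.4", "172.160.240.225", 7654),
    TcpFlow(65.0, "192.168.2.4", "172.160.240.225", 7654),
]

# RFC 1918, loopback and link-local ranges; flows into these are out of scope.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def connections_without_dns(flows, dns_answers, window: float = 3600.0) -> dict:
    """Summarise external TCP flows whose destination address was not returned
    by any DNS answer within `window` seconds before the connection. Keyed by
    (dst, dport) so repeated reconnects to one C2 collapse into one finding."""
    answers = defaultdict(list)
    for a in dns_answers:
        answers[a.address].append(a.ts)
    findings = {}
    for f in sorted(flows, key=lambda x: x.ts):
        if is_internal(f.dst):
            continue
        if any(f.ts - window <= t <= f.ts for t in answers.get(f.dst, ())):
            continue   # resolved shortly before: ordinary name-based traffic
        entry = findings.setdefault(
            (f.dst, f.dport), {"count": 0, "first_seen": f.ts, "sources": set()})
        entry["count"] += 1
        entry["sources"].add(f.src)
    return findings


def beacon_intervals(flows, dst: str, dport: int) -> list[float]:
    """Gaps between successive connections to one endpoint; a near-constant
    gap is the periodic reconnect of a RAT client."""
    ts = sorted(f.ts for f in flows if f.dst == dst and f.dport == dport)
    return [round(b - a, 3) for a, b in zip(ts, ts[1:])]


if __name__ == "__main__":
    for (dst, dport), info in connections_without_dns(SAMPLE_FLOWS, SAMPLE_DNS).items():
        print(f"{dst}:{dport} count={info['count']} from={sorted(info['sources'])} "
              f"intervals={beacon_intervals(SAMPLE_FLOWS, dst, dport)}")
```

Keep the window generous when running this against real conn/dns logs: resolver caching means the lookup that justified a connection may be far older than the connection itself, and a short window turns cached CDN traffic into false positives. A destination that never appears in any answer at all, as here, is the strong case.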

          Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR

          System Summary

Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.2876939091.0000000004F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000004.00000002.2876856313.0000000004E5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00DB65C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00DB5CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00DBA7A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Code function: 4_2_00DB59A8
Source: xwuh6EHyYm.exe, 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs xwuh6EHyYm.exe
Source: xwuh6EHyYm.exe, 00000000.00000002.1622526598.0000000000C8E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs xwuh6EHyYm.exe
Source: xwuh6EHyYm.exe, 00000000.00000000.1620185116.0000000000702000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameaitstatic.exeL vs xwuh6EHyYm.exe
Source: xwuh6EHyYm.exe | Binary or memory string: OriginalFilenameaitstatic.exeL vs xwuh6EHyYm.exe
Source: xwuh6EHyYm.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.2876939091.0000000004F18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000004.00000002.2876856313.0000000004E5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: xwuh6EHyYm.exe, by-unknown-------------------------.cs | Base64 encoded string: 'QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU=' (decodes to C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, the injection host seen in the process tree)
          Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, fVEKWDwyIlvXu.csBase64 encoded string: 'Ma/HTJfcuEOMulbHuMGIi1ERMIuJi6UIAcB/NLgBgFGNzSjR+ovhKXPk2tTnaD5WpDBF90D+XuESeNDyD1AfbA==', 'SjTLrhmW4S8Bbi1m518AErS2y2qn8RL0+1/Rj5ACBOV1P1ISP6EajNFoWfsn0ZXqSkiRE5ovR3YLypHzmdkW9g==', '/r/OrEukxjD1fLjwEg2Q/gkhStgSPutr3n9oYhHNORliQioYAZbERtPt15R+Ltg167iIDkG8dpL4eWB/1rULqg==', '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', '+j+Izp4/xoZKcHC4I7fKRIsa/eP7z7Wd4UG/R+USk6STGNoii/uBVj35roTrQSxFGYIqIk38GlHeopbhzZBCpDmGusjIlL5UK79DWQm0bHvey7lxTbC6tTN5ViDZ1tWXmRdcsaFpAEPMkNy4Fh4rKgGFjTfPYz6Zc42tCYi5QTLy0e+1gA+ipCje00MX07GChLjfF6ltylkS2YpV8JxMtcuTuikmfC4w8XQE4gGOaXFxCunPUWZuMzd5ZRGm2p+tHLHMS5KhAq5T6OrqcMrp7Ikx4YEntqyMyAVyRPQ3CdtaBfA2h905Bv0KDPmG1qWDPVEiCFYLVo7XJ7lGodYK66NRVmpDpbFY1akXWYmwfCikQev0oX6
          Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, fVEKWDwyIlvXu.csBase64 encoded string: 'Ma/HTJfcuEOMulbHuMGIi1ERMIuJi6UIAcB/NLgBgFGNzSjR+ovhKXPk2tTnaD5WpDBF90D+XuESeNDyD1AfbA==', 'SjTLrhmW4S8Bbi1m518AErS2y2qn8RL0+1/Rj5ACBOV1P1ISP6EajNFoWfsn0ZXqSkiRE5ovR3YLypHzmdkW9g==', '/r/OrEukxjD1fLjwEg2Q/gkhStgSPutr3n9oYhHNORliQioYAZbERtPt15R+Ltg167iIDkG8dpL4eWB/1rULqg==', 'NHK/4XwMNlre5+OLb0vgSN9FK/sgK/gIqAJ5SZcPIWJ+gbyWco3pariobp8hTMR+W9mbvVhNpXU/3FniQt2i25SrQpiathI7/GLN5kQq1gxB5YyqIXGpfStdf9Ee2UXHWJTCGANExu9GtTRRnyow1JbYI+spcRzXDlZ4rIIo6b37dHaFvDSrqOChNS2hjEOhAEcQ2AJREp7YmVOsrmluLsGoC0FzQ38+hYP9lQlyMGUrQC1FsfAjj+M7fl4Tq5DDLhQRYnlHCPoj2izZrNIQDIg6FVu+Xni6RDUEWtAC55TKroQwuVUVpUFtMknkfnYC+RCTDci54OWNwp9eStQF+l/bTZS6FgHk+P2+LELDcpZRbCNA5TND9dbyOoAz3pZ+2pwZY37pt1tV7Ip9D4nBnYt8+/MvBwB12UT+R6/EFXbuqbPSTu0epL4lFjGsJ06GkzTNnf3eVXjtKjFFaPDGIk9TvmaRRgI4+v1ab0BXc6mcyYGDPxh0ZmsJK68rhGdayp6sA0OvKFAVGbml6q718ymZe7RH6gTm+bJ9Io+xW3IWLHNVQOGG3ffhIrisbM3FBCRZmPD0aoXzbfJ2dqhYabWqWeOu3QrMiwQwwiEhL0p7LE+/j+Khc+VfHnIjgfXwAj6X3Ery8bEzoKQsIzykx7bH/DDdoQqasPeD5GAuGzy1ZxXTn8giasOyossE5v1J+REqAqUaJ2JOfVDmc+hXSOdFj7M621hQ+TZ+bJeSte1r97/Vv/C95st0G8g6sLibEgPZheJ8jnRYLjSucZ/XcH6lCK20lnxor6e/IQoWzsjj+CMzb+3nXg4c3eeEUz4CD188jx3J92AiFkfU4dor8kOpO9n1mNUEmMCyEknEpWJpRdKmTNvlOA4aOkoZrZvrsKQ3xg6NrS9XelQaxHcqvsfOIYNidP47i7E5Y6APjy9zKwio78UScmRBTKufnjFeIvZVXgPEqsaiQ7EMV+WZRNdLq5e4jf02L6Xe7Pu3n9NzBRcicB8MjLp3fs0CvmqBb7I/roU2zQfBa7pPcwSsFdIl9kyGLniAXiGQ5BOs0HhnnmIw9Kox4WlfD80iydC5vLRIztqfPBB2KKm7+4ycseFY59J/75SlAYeYDsdMjKObNou7m65hTn7OPrmRMut+astMyP/EFrnXAJppwCHy8KmoIxYVfj23g++k4U1aJ6OFd0cKgEWbmuqmlisUbq2xt0FJPAU/39g8TqfXQ+LM6A2cG8fZqnYr02qFixnypYiEOBMXfgnOWgq1HgTix5UV/B6M6cgbvHxP6szP5icOVUsITAPgmsI8F1xXYS68GWT40RpL/cX2WyMkRsZNyzWzgA+SAf8CI6mp0A/3gfuKTploab0n3hJEhp9YUAkIxge/kwGhpS9+s3LPuzdY3kE8AYoTxGK71c4zEGuy4DZESQdxNuL3duZbaFaLP8D8YKYghOuXmnpi12B3OzclMWzYO0DiulCkuKYd2sJC/4xGntsra7GqW0W2F3daZqFSgq8znjyQ9aptCLib8gDXXbPJmANuNjsxR0oYhUoffMaTgnxCR3ic5MLk6XZkULs696YCd60bS62HfCbaDtmwwA7iExNrw1MXUllQ1NyyYgGB5wrXQ
uPVzldzSqAWCNPSaxka5Abbb+jLD/L2r1fnMEt/tp3eKVFP9SvATz7lM2h6365+gqG/33S54F5w1FPxPl2RWzks3+xEVnSwJZhD9YSUJvmMLYaAsoQVYRhLQjZMEgfQZW9z5d9/H8eq5NONNWHjQBYCS+UC6ig3r6BhpQ6r0nhFLkYvudZ4PcWPL5e5+SksVV4djf1MtOBSFMKaz1nW3AOIv5Zgvo6sL1G+HRkcOY3GAUdjoJp/tYDxM1qXjuPYEDy1yLv2v+PcLN2MCGA2Ee0LE96dgUhXNd/l45xLKWElQe2PmZM4QXLNABpDFIM/wd7xoBPkla1qGFAxjFo4kbWr2HFoWr+WHUirS6UTTiSvMVe+OFUX4QLS7TNjW4hRLurIiCGs15MY7r/nuMrMPle+Re5vK/2lXF2vtE9Xt/yVgu/e7TI5Fz2uEaCM+VoHkT1wzbFD0KkjikXhYr8KdFFJUbfwhWu/4JNTSd/GTGvEWdCUwfCFSceK+fWy4S3rkf491k8hBkup7RPwt9IHdUPYrzFKdjaBqDOw4NN88Gd3InJLq4oakmz27O+L4IkTHZQIOwwmWZyGEhS5s36ZeuFxhy2YPm+T7kvmxqS5pLgFNIPQ1Xn9un0DQi1Pu85yrIM4tNiqYF7sxSYJ0Ac3FgeTh2kGgFTlIoZilZLbPfb9QwUESCvOMyIHVqOMBcJp7h9+GfznypEwsv58NX4=', '+j+Izp4/xoZKcHC4I7fKRIsa/eP7z7Wd4UG/R+USk6STGNoii/uBVj35roTrQSxFGYIqIk38GlHeopbhzZBCpDmGusjIlL5UK79DWQm0bHvey7lxTbC6tTN5ViDZ1tWXmRdcsaFpAEPMkNy4Fh4rKgGFjTfPYz6Zc42tCYi5QTLy0e+1gA+ipCje00MX07GChLjfF6ltylkS2YpV8JxMtcuTuikmfC4w8XQE4gGOaXFxCunPUWZuMzd5ZRGm2p+tHLHMS5KhAq5T6OrqcMrp7Ikx4YEntqyMyAVyRPQ3CdtaBfA2h905Bv0KDPmG1qWDPVEiCFYLVo7XJ7lGodYK66NRVmpDpbFY1akXWYmwfCikQev0oX6
          Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, fVEKWDwyIlvXu.csBase64 encoded string: 'Ma/HTJfcuEOMulbHuMGIi1ERMIuJi6UIAcB/NLgBgFGNzSjR+ovhKXPk2tTnaD5WpDBF90D+XuESeNDyD1AfbA==', 'SjTLrhmW4S8Bbi1m518AErS2y2qn8RL0+1/Rj5ACBOV1P1ISP6EajNFoWfsn0ZXqSkiRE5ovR3YLypHzmdkW9g==', '/r/OrEukxjD1fLjwEg2Q/gkhStgSPutr3n9oYhHNORliQioYAZbERtPt15R+Ltg167iIDkG8dpL4eWB/1rULqg==', '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', '+j+Izp4/xoZKcHC4I7fKRIsa/eP7z7Wd4UG/R+USk6STGNoii/uBVj35roTrQSxFGYIqIk38GlHeopbhzZBCpDmGusjIlL5UK79DWQm0bHvey7lxTbC6tTN5ViDZ1tWXmRdcsaFpAEPMkNy4Fh4rKgGFjTfPYz6Zc42tCYi5QTLy0e+1gA+ipCje00MX07GChLjfF6ltylkS2YpV8JxMtcuTuikmfC4w8XQE4gGOaXFxCunPUWZuMzd5ZRGm2p+tHLHMS5KhAq5T6OrqcMrp7Ikx4YEntqyMyAVyRPQ3CdtaBfA2h905Bv0KDPmG1qWDPVEiCFYLVo7XJ7lGodYK66NRVmpDpbFY1akXWYmwfCikQev0oX6
          Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
          Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, bxSTaWOWczO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/3@0/1
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\xwuh6EHyYm.exe.log
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: NULL
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Mutant created: \Sessions\1\BaseNamedObjects\J9GKTh1eD4ee
          Source: xwuh6EHyYm.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: xwuh6EHyYm.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: xwuh6EHyYm.exe | ReversingLabs: Detection: 79%
          Source: xwuh6EHyYm.exe | Virustotal: Detection: 56%
          Source: unknown | Process created: C:\Users\user\Desktop\xwuh6EHyYm.exe "C:\Users\user\Desktop\xwuh6EHyYm.exe"
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mscoree.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: apphelp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: aclayers.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mpr.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sfc_os.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: kernel.appcore.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: version.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: vcruntime140_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ucrtbase_clr0400.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: windows.storage.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wldp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: profapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptsp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rsaenh.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptbase.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: sspicli.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: msasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mswsock.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: secur32.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: schannel.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: mskeyprotect.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ntasn1.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncrypt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ncryptsslp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: gpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cryptnet.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: iphlpapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winnsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: winhttp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: ondemandconnroutehelper.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc6.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dhcpcsvc.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: webio.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: dnsapi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: rasadhlp.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: fwpuclnt.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: cabinet.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: wbemcomn.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: amsi.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Section loaded: userenv.dll
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
          Source: xwuh6EHyYm.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: xwuh6EHyYm.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
          Source: xwuh6EHyYm.exe | Static PE information: section name: .text entropy: 7.326919094785039
          Source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, tlNvpXkjsT.cs | High entropy of concatenated method names: 'ruGdfWEHww', 'RUsqqnEIkht', 'qBrhYIuNKAkQH', 'jGogMwNMHoMmG', 'iurNAevPxOI', 'OYRvaukxwvYh', 'vOIVGMnuKwA', 'HDnbBKeuPpfCR', 'GfafKEYyxU', 'TiWBBZCPmSgOl'
          Source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, tlNvpXkjsT.cs | High entropy of concatenated method names: 'ruGdfWEHww', 'RUsqqnEIkht', 'qBrhYIuNKAkQH', 'jGogMwNMHoMmG', 'iurNAevPxOI', 'OYRvaukxwvYh', 'vOIVGMnuKwA', 'HDnbBKeuPpfCR', 'GfafKEYyxU', 'TiWBBZCPmSgOl'
          Source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, tlNvpXkjsT.cs | High entropy of concatenated method names: 'ruGdfWEHww', 'RUsqqnEIkht', 'qBrhYIuNKAkQH', 'jGogMwNMHoMmG', 'iurNAevPxOI', 'OYRvaukxwvYh', 'vOIVGMnuKwA', 'HDnbBKeuPpfCR', 'GfafKEYyxU', 'TiWBBZCPmSgOl'

          Boot Survival

          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR
          Source: xwuh6EHyYm.exe, 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory allocated: 2850000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory allocated: 2A30000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory allocated: 4A30000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: DB0000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 2960000 memory reserve | memory write watch
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Memory allocated: 4960000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 2880
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Window / User API: threadDelayed 6966
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe TID: 7156 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 4416 | Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5432 | Thread sleep time: -24903104499507879s >= -30000s
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6188 | Thread sleep count: 2880 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6188 | Thread sleep count: 6966 > 30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | File Volume queried: C:\ FullSizeInformation
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Thread delayed: delay time: 922337203685477
          Source: RegAsm.exe, 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: vmware
          Source: RegAsm.exe, 00000004.00000002.2876803447.0000000004E49000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2876939091.0000000004F18000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
          Source: RegAsm.exe, 00000004.00000002.2874450047.0000000000B98000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBnS
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Process token adjusted: Debug
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Process token adjusted: Debug
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory allocated: page read and write | page guard

          HIPS / PFW / Operating System Protection Evasion

          Source: xwuh6EHyYm.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: ReadProcessMemory(by_002Dunknown_FFFD_FFFD_FE0F_FE0F_FFFD_FFFD_FFFD_D83D_DFF3_D83D_DD14_D83C_DFF3_D83D_DEC1_200D_FFFD_D83D_DD35_FFFD_FFFD_FE0F_FFFD_D83D_DE35.ProcessHandle, num3 + 4 + 4, ref by_002Dunknown_FE0F_FFFD_FFFD_FFFD_200D_FFFD_D83E_DC98_FFFD_FFFD_FFFD_FFFD_FFFD_FFFD_200D_FFFD_FFFD_FFFD_D83D_DE1C_FFFD_FFFD_D83D_DF2B_26A7, 4, ref by_002Dunknown_FFFD_FFFD_FFFD_FE0F_D83D_DE3F_200D_FFFD_FFFD_FFFD_D83D_DEA0_FFFD_FE0F_FFFD_FFFD_FFFD_200D_FE0F_FFFD_200D_FFFD_FFFD_FFFD_200D)
          Source: xwuh6EHyYm.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: VirtualAllocEx(by_002Dunknown_FFFD_FFFD_FE0F_FE0F_FFFD_FFFD_FFFD_D83D_DFF3_D83D_DD14_D83C_DFF3_D83D_DEC1_200D_FFFD_D83D_DD35_FFFD_FFFD_FE0F_FFFD_D83D_DE35.ProcessHandle, num2, num4, 12288, 64)
          Source: xwuh6EHyYm.exe, by-unknown-------------------------.cs | Reference to suspicious API methods: WriteProcessMemory(by_002Dunknown_FFFD_FFFD_FE0F_FE0F_FFFD_FFFD_FFFD_D83D_DFF3_D83D_DD14_D83C_DFF3_D83D_DEC1_200D_FFFD_D83D_DD35_FFFD_FFFD_FE0F_FFFD_D83D_DE35.ProcessHandle, num6, by_002Dunknown_FFFD_FFFD_FE0F_FE0F_FFFD_FFFD_FFFD_FFFD_FFFD_FE0F_FFFD_FE0F_FFFD_200D_200D_FFFD_FFFD_FFFD_FE0F_FFFD_FFFD_FFFD_FFFD_200D_FFFD, num5, ref by_002Dunknown_FFFD_FFFD_FFFD_FE0F_D83D_DE3F_200D_FFFD_FFFD_FFFD_D83D_DEA0_FFFD_FE0F_FFFD_FFFD_FFFD_200D_FE0F_FFFD_200D_FFFD_FFFD_FFFD_200D)
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40E000
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 410000
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 972008
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe #system32
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029BE000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q%
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029B3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q(D
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^ql
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029BE000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^qL
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029C5000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029B3000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029F4000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q
          Source: RegAsm.exe, 00000004.00000002.2875187554.00000000029CB000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,^q
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Queries volume information: C:\Users\user\Desktop\xwuh6EHyYm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
          Source: C:\Users\user\Desktop\xwuh6EHyYm.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Lowering of HIPS / PFW / Operating System Security Settings

          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 4.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ad0080.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ab83e0.2.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.xwuh6EHyYm.exe.2ac4224.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: xwuh6EHyYm.exe PID: 5064, type: MEMORYSTR
          Source: Yara match | File source: Process Memory Space: RegAsm.exe PID: 6312, type: MEMORYSTR
          Source: RegAsm.exe, 00000004.00000002.2876856313.0000000004E77000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r\MsMpeng.exe
          Source: RegAsm.exe, 00000004.00000002.2876939091.0000000004E8D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2877330774.00000000054FB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
          MITRE ATT&CK matrix (reconstructed by tactic from the flattened table; the number in parentheses is the count the report attaches to that technique, i.e. the number of matching signatures):
          Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
          Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
          Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); Native API (1); Cron; Launchd; Scheduled Task; Systemd Timers
          Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Privilege Escalation: Process Injection (312); Scheduled Task/Job (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
          Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (312); Obfuscated Files or Information (111); Software Packing (1); DLL Side-Loading (1)
          Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
          Discovery: Security Software Discovery (121); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13); Wi-Fi Discovery; Remote System Discovery
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
          Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
          Command and Control: Encrypted Channel (1); Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
          Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Source | Detection | Scanner | Label
          xwuh6EHyYm.exe | 79% | ReversingLabs | Win32.Trojan.Generic
          xwuh6EHyYm.exe | 56% | Virustotal |
          xwuh6EHyYm.exe | 100% | Avira | TR/Dropper.Gen
          xwuh6EHyYm.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No contacted domains info
          Name | Source | Malicious | Antivirus Detection | Reputation
          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | RegAsm.exe, 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2875187554.00000000029CB000.00000004.00000800.00020000.00000000.sdmp | false | | high
            IP | Domain | Country | ASN | ASN Name | Malicious
            172.160.240.225 | | | | |
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1431456
            Start date and time:2024-04-25 07:41:08 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 4m 52s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of new started processes analysed:9
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:xwuh6EHyYm.exe
            renamed because original name is a hash value
            Original Sample Name:3B5A9930C02E7E42AC52627179137656.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@9/3@0/1
            EGA Information:
            • Successful, ratio: 50%
            HCA Information:
            • Successful, ratio: 100%
            • Number of executed functions: 65
            • Number of non-executed functions: 2
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded IPs from analysis (whitelisted): 72.21.81.240
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target RegAsm.exe, PID 6312 because it is empty
            • Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtOpenKeyEx calls found.
            • Report size getting too big, too many NtProtectVirtualMemory calls found.
            • Report size getting too big, too many NtQueryValueKey calls found.
            • Report size getting too big, too many NtReadVirtualMemory calls found.
            Time | Type | Description
            07:42:00 | API Interceptor | 1x Sleep call for process: RegAsm.exe modified
            No context
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
            Category:dropped
            Size (bytes):69993
            Entropy (8bit):7.99584879649948
            Encrypted:true
            SSDEEP:1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
            MD5:29F65BA8E88C063813CC50A4EA544E93
            SHA1:05A7040D5C127E68C25D81CC51271FFB8BEF3568
            SHA-256:1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
            SHA-512:E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
            Malicious:false
            Reputation:moderate, very likely benign file
            Preview:MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[*I.hOB."..rK.RQ*..}f..f...}....9.|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.
            Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            File Type:data
            Category:dropped
            Size (bytes):330
            Entropy (8bit):3.141494007698779
            Encrypted:false
            SSDEEP:6:kK8ulDN+SkQlPlEGYRMY9z+4KlDA3RUeVlWI/Vt:UulMkPlE99SNxAhUeVLVt
            MD5:721A629016DBD1CE99A66684AE486489
            SHA1:43A5D73E28CBF6DAD58D618BE0A4EBAA2727EFB5
            SHA-256:181A187E6B0A19CB542AB703057C5C82F12F071C796569561855A933CD55BEDF
            SHA-512:2F8A1260D1666274F27025EEF3986E39C2195B02BDC137915777EAABD0A73E367462A05315580C4B626418C492D3E14F2BD0B2B4C12BB1F290D66F6385FED4A2
            Malicious:false
            Reputation:low
            Preview:p...... .........S^K...(....................................................... ........M.........(...........i...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".b.3.6.8.5.3.8.5.a.4.7.f.d.a.1.:.0."...
            Process:C:\Users\user\Desktop\xwuh6EHyYm.exe
            File Type:CSV text
            Category:dropped
            Size (bytes):226
            Entropy (8bit):5.360398796477698
            Encrypted:false
            SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2ql2ABgTv:Q3La/KDLI4MWuPTAv
            MD5:3A8957C6382192B71471BD14359D0B12
            SHA1:71B96C965B65A051E7E7D10F61BEBD8CCBB88587
            SHA-256:282FBEFDDCFAA0A9DBDEE6E123791FC4B8CB870AE9D450E6394D2ACDA3D8F56D
            SHA-512:76C108641F682F785A97017728ED51565C4F74B61B24E190468E3A2843FCC43615C6C8ABE298750AF238D7A44E97C001E3BE427B49900432F905A7CE114AA9AD
            Malicious:false
            Reputation:high, very likely benign file
            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):7.2645066527358075
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
            • Win32 Executable (generic) a (10002005/4) 49.97%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
            File name:xwuh6EHyYm.exe
            File size:93'184 bytes
            MD5:3b5a9930c02e7e42ac52627179137656
            SHA1:c7c8753c5ff727097fdf8b02b457d34e6f88ac18
            SHA256:5d6a67ab649ed8610da623191e8925e4804c9d0eb424b8f50be64b20c098a890
            SHA512:191409bb3d9abf2165a04602de5ab01e305266e0f9dc035e66878d874f8906aadcad2d4a05bb388131ac2edfce7c330fea6f9b2472ce7d80fde0226c9abf8a22
            SSDEEP:1536:PM+VQ0zOFEsyFAgROmO8+hRDxP+E0hia3EGliNvnp554EO:PMyQ0z7syRqh95KiyEGliNvn35u
            TLSH:1293A34B41C0762ECA272A3B84535F809BB3BA93290DDB3460724B4D65792CFE64BD97
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....%$f.................`...........~... ........@.. ....................................@................................
            Icon Hash:90cececece8e8eb0
            Entrypoint:0x417eee
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0x662425E7 [Sat Apr 20 20:30:31 2024 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al   (repeated 97 times: the disassembly of the 00 00 zero bytes that pad the entrypoint after the single jump through the IAT)
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x17e98 | 0x53 | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x18000 | 0x66e | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x15ef4 | 0x16000 | 46b5751598c1aed709ef07e8495728fd | False | 0.6999844637784091 | data | 7.326919094785039 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0x18000 | 0x66e | 0x800 | 6ef7372de6c4c16bc25c9bd13a9e209f | False | 0.345703125 | data | 3.578062429779308 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x1a000 | 0xc | 0x200 | e14bd16a2d6a2bdfc936a0504ff0a99a | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0x180a0 | 0x3e4 | data | | | 0.40562248995983935
            RT_MANIFEST | 0x18484 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
            04/25/24-07:42:00.418689 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            04/25/24-07:42:00.418689 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Apr 25, 2024 07:41:59.955079079 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:00.176335096 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:00.176464081 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:00.190846920 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:00.418689013 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:00.418719053 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:00.418826103 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:00.424113989 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:00.646640062 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:00.691102982 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:01.459801912 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:01.729609013 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:01.729661942 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:01.996037006 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:08.374454021 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:08.425494909 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:08.646352053 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:08.691123009 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:12.725208998 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:12.996885061 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:12.996994019 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:13.219702959 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:13.269243956 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:13.490566969 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:13.492902994 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:13.755547047 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:13.755620956 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:14.024487019 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:23.988455057 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:24.258816957 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:24.258999109 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:24.480909109 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:24.534955978 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:24.755860090 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:24.761872053 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:25.034832001 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:25.035002947 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:25.303616047 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:35.254153013 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:35.515497923 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:35.515588999 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:35.737031937 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:35.784867048 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:36.007783890 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:36.009676933 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:36.274636984 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:36.274765968 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:36.541974068 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:38.362193108 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:38.409836054 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:38.631098986 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:38.675465107 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:46.533684969 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:46.807940006 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:46.808129072 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:47.081896067 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:47.920340061 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:47.972460985 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:48.193487883 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:48.195086002 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:48.468786001 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:48.468930960 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:48.734833002 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:57.785159111 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:58.047907114 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:58.047981977 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:58.269898891 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:58.316106081 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:58.537131071 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:58.538552999 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:58.806401014 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:42:58.806456089 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:42:59.074600935 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:08.364821911 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:08.409862995 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:08.630619049 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:08.675493956 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:09.050811052 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:09.314745903 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:09.314940929 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:09.541968107 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:09.597368956 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:09.818039894 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:09.820333004 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:10.088217020 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:10.088263035 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:10.356724024 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:20.316478968 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:20.587325096 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:20.587388039 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:20.808397055 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:20.862951040 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:21.083760977 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:21.132278919 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:21.913122892 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:22.182426929 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:22.182575941 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:22.451350927 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:31.582133055 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:31.847615957 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:31.847723007 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:32.069292068 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:32.113070011 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:32.334101915 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:32.335901976 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:32.606705904 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:32.606781960 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:32.876395941 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:36.349211931 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:36.394345999 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:36.616873980 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:36.659924030 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:42.847855091 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:43.111814022 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:43.111900091 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:43.333573103 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:43.378585100 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:43.599332094 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:43.601064920 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:43.870754957 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:43.870830059 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:44.139175892 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:54.114120960 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:54.376662970 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:54.376734972 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:54.598201036 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:54.644265890 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:54.865202904 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:54.869380951 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:55.138142109 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4
            Apr 25, 2024 07:43:55.138267040 CEST | 49730 | 7654 | 192.168.2.4 | 172.160.240.225
            Apr 25, 2024 07:43:55.406902075 CEST | 7654 | 49730 | 172.160.240.225 | 192.168.2.4

            Target ID:0
            Start time:07:41:55
            Start date:25/04/2024
            Path:C:\Users\user\Desktop\xwuh6EHyYm.exe
            Wow64 process (32bit):true
            Commandline:"C:\Users\user\Desktop\xwuh6EHyYm.exe"
            Imagebase:0x700000
            File size:93'184 bytes
            MD5 hash:3B5A9930C02E7E42AC52627179137656
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1623037702.0000000002A31000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:low
            Has exited:true

            Target ID:1
            Start time:07:41:55
            Start date:25/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:#system32
            Imagebase:0x3f0000
            File size:65'440 bytes
            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:2
            Start time:07:41:55
            Start date:25/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:#system32
            Imagebase:0xb0000
            File size:65'440 bytes
            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:07:41:55
            Start date:25/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):false
            Commandline:#system32
            Imagebase:0x350000
            File size:65'440 bytes
            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:07:41:55
            Start date:25/04/2024
            Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            Wow64 process (32bit):true
            Commandline:#system32
            Imagebase:0x630000
            File size:65'440 bytes
            MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2876939091.0000000004F18000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
            • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000004.00000002.2873963186.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2876856313.0000000004E5B000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
            • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
            • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000004.00000002.2875187554.0000000002961000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
            Reputation:high
            Has exited:false

              Execution Graph

              Execution Coverage:35.7%
              Dynamic/Decrypted Code Coverage:100%
              Signature Coverage:0%
              Total number of Nodes:65
              Total number of Limit Nodes:4
              execution_graph: nodes in the 28a0548-28a1608 region calling CreateProcessW, Wow64SetThreadContext, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory and ResumeThread (graph rendering omitted)

              Control-flow Graph: function at 28a0c88 (graph rendering omitted)
              APIs
                • Part of subcall function 028A0548: CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028A1354
                • Part of subcall function 028A0554: Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,028A0DCC), ref: 028A14B3
                • Part of subcall function 028A0560: ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,028A0E0A,?,00000004,?), ref: 028A1571
              • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 028A0ECF
              • ResumeThread.KERNELBASE(?), ref: 028A0FE4
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: ProcessThread$AllocContextCreateMemoryReadResumeVirtualWow64
              • String ID:
              • API String ID: 2498194165-0
              • Opcode ID: 4a20c6fe150a86298f5c4f3c89753b8aa063292245a414ce784493a0048d847a
              • Instruction ID: f8ecb8ec74cd974d6d1fd8cc144516ce9f3ccb5e09c9c73ed9f22234feae8b90
              • Opcode Fuzzy Hash: 4a20c6fe150a86298f5c4f3c89753b8aa063292245a414ce784493a0048d847a
              • Instruction Fuzzy Hash: EFE1AE74E002198BDB15DFA9C854BAEBBF6AF84304F248169D409FB295DF30AD85CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a0c78 (graph rendering omitted)
              APIs
                • Part of subcall function 028A0560: ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,028A0E0A,?,00000004,?), ref: 028A1571
              • VirtualAllocEx.KERNELBASE(?,?,00000000,00003000,00000040), ref: 028A0ECF
              • ResumeThread.KERNELBASE(?), ref: 028A0FE4
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: AllocMemoryProcessReadResumeThreadVirtual
              • String ID:
              • API String ID: 137364078-0
              • Opcode ID: 2f0b4e554efb08d3f7e81fbce61fcd6e2f878bdf9a50045ad990824470ef94b1
              • Instruction ID: 660cf584d27a370c6d4825112261d7c9bea8544ad862825bf8f653cb02c26205
              • Opcode Fuzzy Hash: 2f0b4e554efb08d3f7e81fbce61fcd6e2f878bdf9a50045ad990824470ef94b1
              • Instruction Fuzzy Hash: DFB16C78E002198FEB24CFA9C854BDEBBB6AF48304F248169D418FB295DB749985CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a120c (graph rendering omitted)
              APIs
              • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028A1354
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: 5acf9f4a4dbdf72798f9791c70a12ef25d499c07aba00b303be5cd2f867f9c84
              • Instruction ID: 9fe45db085e85979a2316f84956114f58cb6ed273ce97e5902925a14b94b3a86
              • Opcode Fuzzy Hash: 5acf9f4a4dbdf72798f9791c70a12ef25d499c07aba00b303be5cd2f867f9c84
              • Instruction Fuzzy Hash: AA512579900219DFEB10CFA9C954BDEBBB6BF49304F1480AAE50CA7250DB759A84CF51
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a0548 (graph rendering omitted)
              APIs
              • CreateProcessW.KERNELBASE(00000000,?,00000009,?,?,?,?,?,?,?), ref: 028A1354
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: CreateProcess
              • String ID:
              • API String ID: 963392458-0
              • Opcode ID: d54316b914b78906786d3f5e834a0a8f79dcfe38db7a409749a0dafed9f09c68
              • Instruction ID: 54162448e3153fb5b450af9abcf9e6a189b8fbf66f83dbded9047c1ee4db009b
              • Opcode Fuzzy Hash: d54316b914b78906786d3f5e834a0a8f79dcfe38db7a409749a0dafed9f09c68
              • Instruction Fuzzy Hash: 92510575901219DFEF20CFA9C944BDEBBB6BF48304F1480AAE508B7250DB759A84CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a056c (graph rendering omitted)
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,028A11AD,?,?,00000000), ref: 028A163C
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: 59276620261c49b5b0b7bb0b9cbda091a3a63069f9a7f4ffe155468521fa71f5
              • Instruction ID: e3656cfdfbe18d626425507c4825f1f8c4790f75d8d825bcb67b8010444e4b13
              • Opcode Fuzzy Hash: 59276620261c49b5b0b7bb0b9cbda091a3a63069f9a7f4ffe155468521fa71f5
              • Instruction Fuzzy Hash: CB21F5B9900309DFDB10CF99C884BDEBBF8FB08314F54842AE558E7241D378AA44CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a15bb (graph rendering omitted)
              APIs
              • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?,?,?,?,00000000,00000000,?,028A11AD,?,?,00000000), ref: 028A163C
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: MemoryProcessWrite
              • String ID:
              • API String ID: 3559483778-0
              • Opcode ID: fe3f1bcdbc16002265bed7ee51631a5b67f239c6d5bc60606313ed7050c0e3da
              • Instruction ID: a944ae1b62c53f13d9ae989a64201ec6889d44a77f80aeb45c53376f35f47eb4
              • Opcode Fuzzy Hash: fe3f1bcdbc16002265bed7ee51631a5b67f239c6d5bc60606313ed7050c0e3da
              • Instruction Fuzzy Hash: 7A21F3B59002599FDB10CFA9D884BDEBBF4BB48324F14842AE558E7240C3789944CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a14f8 (graph rendering omitted)
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,028A0E0A,?,00000004,?), ref: 028A1571
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: e238e16e396edffcfd721a43afadb8e894c01d7b189b78c5a6aabb2096ff0cb6
              • Instruction ID: 84283df50cb65fb7fd09c9a59571c72c693bc5ce008a90af8aed86b7a6ad2309
              • Opcode Fuzzy Hash: e238e16e396edffcfd721a43afadb8e894c01d7b189b78c5a6aabb2096ff0cb6
              • Instruction Fuzzy Hash: 982104B5800359DFDB10CF9AC885ADEFBF4FB48310F10842AE958A7251C374A644CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a0560 (graph rendering omitted)
              APIs
              • ReadProcessMemory.KERNELBASE(?,?,?,?,00010002,?,?,?,?,?,?,028A0E0A,?,00000004,?), ref: 028A1571
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: MemoryProcessRead
              • String ID:
              • API String ID: 1726664587-0
              • Opcode ID: b2b5bf651205b339b3763f953c7df4806d3b6df096bbdc7e8df49156b96939d7
              • Instruction ID: 0efc2f1f7bfa114144d289605415739a74a5f443e3d952dce53d309b63266228
              • Opcode Fuzzy Hash: b2b5bf651205b339b3763f953c7df4806d3b6df096bbdc7e8df49156b96939d7
              • Instruction Fuzzy Hash: 7421E4B5900359DFDB10CF9AD884BDEBBF4FB08314F50842AE958A7250D378AA44CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a0554 (graph rendering omitted)
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,028A0DCC), ref: 028A14B3
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 709ec8781ad2163d54e6d6c38f52ac5025675736347746bcdc1317b6b875d12b
              • Instruction ID: d56aa1b3d7e5d65311c314ffb775a3207a13b2bd1a5a27424ba29930123b3a7f
              • Opcode Fuzzy Hash: 709ec8781ad2163d54e6d6c38f52ac5025675736347746bcdc1317b6b875d12b
              • Instruction Fuzzy Hash: 861112BAD002498FDB10CF9AC848BDEBBF5EB88324F14C469E558A7240D778A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a0578 (graph rendering omitted)
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,028A0DCC), ref: 028A14B3
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 27d978bb5a1badff95ad2d80217f593fe68663ae628345f359c9bf6f94902368
              • Instruction ID: 406b9fa7ce718e1694ddfc1add4e8158deca912766752cb7b5a0ceb7ac23dbae
              • Opcode Fuzzy Hash: 27d978bb5a1badff95ad2d80217f593fe68663ae628345f359c9bf6f94902368
              • Instruction Fuzzy Hash: 471112BA9002498FDB10CF9AC848BDEBBF5EB88324F14C029E558B7240D778A544CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 28a1443 (graph rendering omitted)
              APIs
              • Wow64SetThreadContext.KERNEL32(?,00000000,?,?,?,?,00000000,?,?,?,028A0DCC), ref: 028A14B3
              Memory Dump Source
              • Source File: 00000000.00000002.1622972634.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028A0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_28a0000_xwuh6EHyYm.jbxd
              Similarity
              • API ID: ContextThreadWow64
              • String ID:
              • API String ID: 983334009-0
              • Opcode ID: 34258d034e2b06217848a255e1fdf3e3c40435ccf2510c8f13a6b9c9e6966e5e
              • Instruction ID: 7a149ce957f71576dfd2969cef299059f77f63d693005062de894c035f8e6670
              • Opcode Fuzzy Hash: 34258d034e2b06217848a255e1fdf3e3c40435ccf2510c8f13a6b9c9e6966e5e
              • Instruction Fuzzy Hash: 5E1126B5D002498FDB20CFAAD844BEEFBF5EB88324F14C069D458A3241D7789545CFA0
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 27bd3b4 (graph rendering omitted)
              Memory Dump Source
              • Source File: 00000000.00000002.1622787058.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27bd000_xwuh6EHyYm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7c3e69f2bf5a55bc7ef92b085d6453feb7462e7b6f0bf3b94fe46b9275a672bb
              • Instruction ID: 42cdb79037b60409d267260c23a294d7f60f60ccfc939648f2ce6f91e18fb432
              • Opcode Fuzzy Hash: 7c3e69f2bf5a55bc7ef92b085d6453feb7462e7b6f0bf3b94fe46b9275a672bb
              • Instruction Fuzzy Hash: 1C2122B1500200DFDB2ADF14D9C4B67BF65FF88324F24C5A9EC094B256C336E456CAA2
              Uniqueness

              Uniqueness Score: -1.00%

              Control-flow Graph: function at 27bd3af (graph rendering omitted)
              Memory Dump Source
              • Source File: 00000000.00000002.1622787058.00000000027BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 027BD000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_0_2_27bd000_xwuh6EHyYm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction ID: b2fda74e05cc2213831eb4b6f1d989e48a0c3dc1e7b3a9dca022a495621912fd
              • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
              • Instruction Fuzzy Hash: 6511AF76504280CFCB16CF10D5C4B56BF72FB94314F24C5A9DC494B656C33AE45ACBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7625e33958ac5e36ff14f64d35cfb6bb6524682d526862b09705821e44c964c3
              • Instruction ID: 3ca55956975e1b0e09e72107b5d5ee80299892a1aea387b09d5a5cfd30831d1c
              • Opcode Fuzzy Hash: 7625e33958ac5e36ff14f64d35cfb6bb6524682d526862b09705821e44c964c3
              • Instruction Fuzzy Hash: 6DB14E70E00609CFDF14DFA9D9957EEBBF2AF88304F188129E41AA7254EB749845CF91
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 71370bab7286b85b89bdb65bcbd717877ab3280b2e6d013239bbcbf2754977e7
              • Instruction ID: 35bb41505278befaaac58a9a8b684b973ce9602099cb074e4a94238f635ecdb0
              • Opcode Fuzzy Hash: 71370bab7286b85b89bdb65bcbd717877ab3280b2e6d013239bbcbf2754977e7
              • Instruction Fuzzy Hash: 2DB14D74E00209CFDF14CFA9D8957DDBBF2AF88714F188129D41AA7294EB78D845CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: a^q$ a^q$,$xbq
              • API String ID: 0-2180861429
              • Opcode ID: fc09f2d55a27bb6b742875a14ac5cae3abb22c02456afc406a7780c00d3ad4a2
              • Instruction ID: b62f3286b2a0dc5501adad68c310b2064cc12f3b9b13b20682a7df73c50080b7
              • Opcode Fuzzy Hash: fc09f2d55a27bb6b742875a14ac5cae3abb22c02456afc406a7780c00d3ad4a2
              • Instruction Fuzzy Hash: 7B028F74701200DFD705AF28D4A4B5EBBE2AB84304F14896DE4069F3A9DF71EC46CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: 4'^q$4'^q$LR^q
              • API String ID: 0-3152497598
              • Opcode ID: fefeede5b9017649e26e45bf6a3f35098b33f87f895345734b6e5c7a272e08c0
              • Instruction ID: fbde392c1408a4f2fc541dd282701a61898185692eab4d62b683ae8b4871ea0c
              • Opcode Fuzzy Hash: fefeede5b9017649e26e45bf6a3f35098b33f87f895345734b6e5c7a272e08c0
              • Instruction Fuzzy Hash: 9C31E371B04209CFCF45EB78E9057AE7BA4EB51704F14449DE04A9B2A9DF345E068BA2
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: a^q$ a^q$xbq
              • API String ID: 0-2081302502
              • Opcode ID: bb6e11a481484f8b3f4cbfd1b78dd9dcfb3cbee4ab4c93bd2279fbcec0bdef0a
              • Instruction ID: 7bab118f6c3a6106bff765f789f811112fda0584c0e283dcff9e15393eaa8c25
              • Opcode Fuzzy Hash: bb6e11a481484f8b3f4cbfd1b78dd9dcfb3cbee4ab4c93bd2279fbcec0bdef0a
              • Instruction Fuzzy Hash: 45616D74740200DFD705AF28D854B9EBBE2EB84704F14896DE1069F3A5DFB1ED468BA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: xbq$[
              • API String ID: 0-1843721657
              • Opcode ID: 531eaf1d62935506a6b7827d8a3ca11e5e0e4566fff58bc3eaefd8d514d96ccf
              • Instruction ID: 038b15a46f0ac22b7a6a8cb55f7477cfe13ea933b419338c824cf37addff09c0
              • Opcode Fuzzy Hash: 531eaf1d62935506a6b7827d8a3ca11e5e0e4566fff58bc3eaefd8d514d96ccf
              • Instruction Fuzzy Hash: 989136B0A01300EFE715DF2CE8547D57BA2B785B14F14852AD416CB3A4DBB19A46CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: (bq$Te^q
              • API String ID: 0-2856382362
              • Opcode ID: ee5b1b2f4ed1276c44fd7f4a407ed5ecd21b53df795a286c68623e21f1c8f797
              • Instruction ID: e17944acb2921a6820122f19884e9f721e4ed615345400669183e81857bec5e2
              • Opcode Fuzzy Hash: ee5b1b2f4ed1276c44fd7f4a407ed5ecd21b53df795a286c68623e21f1c8f797
              • Instruction Fuzzy Hash: 51517A34B102149FC744DF6DC458A9EBBF6EF89710F6581A9E806DB3A6CA75DC018BA0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Hbq$dLdq
              • API String ID: 0-411705877
              • Opcode ID: 6fd66dfa693e1161a81970920c6573762fa5d5fbeeb291d43e3d841104aa66ec
              • Instruction ID: 7e8e7f1b5312af8257b223e711c3c288759e613f7ae6b823d7f69b2a41bfdedd
              • Opcode Fuzzy Hash: 6fd66dfa693e1161a81970920c6573762fa5d5fbeeb291d43e3d841104aa66ec
              • Instruction Fuzzy Hash: BA41A0317042049FCB159F69D458A9EBFF6EF89300F1985AAE406DB3A2CB75DD05CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: $^q$$^q
              • API String ID: 0-355816377
              • Opcode ID: b1b6207bf8ff8f81267f2df31facb58d429f1159dff682188e714bf93446ad4e
              • Instruction ID: ca1139b7fd652d623434f022165a238787b7678f6d300cda1f737f7a2fa959b4
              • Opcode Fuzzy Hash: b1b6207bf8ff8f81267f2df31facb58d429f1159dff682188e714bf93446ad4e
              • Instruction Fuzzy Hash: 31415B30A0C845DBC7185F6A94A846DFBB2BB847053788855F1478B7A8CF32DC17CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: LR^q
              • API String ID: 0-2625958711
              • Opcode ID: 8c5e9cea8602c01badc2e21abb3053b1b0da5092d2bc65bfe7dea25e3f91a33a
              • Instruction ID: abb464085ef4e062ae6ff6655a90e7ecb6381f0931f83aee31b87ec083317afa
              • Opcode Fuzzy Hash: 8c5e9cea8602c01badc2e21abb3053b1b0da5092d2bc65bfe7dea25e3f91a33a
              • Instruction Fuzzy Hash: 500162B1F01101DFDB44EB7899127EE36B4EF54B00F24445EE506DB291EA709E0187B1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: LR^q
              • API String ID: 0-2625958711
              • Opcode ID: a67d8863b52a792ba5b6e4cb6fc207f6baa0c8195996f6515898a86fe41bcf93
              • Instruction ID: 1ecf4bb19c2c617f015714a86ee0b984bb2ffc0ca99ffc07acbe5a2be2e40aa0
              • Opcode Fuzzy Hash: a67d8863b52a792ba5b6e4cb6fc207f6baa0c8195996f6515898a86fe41bcf93
              • Instruction Fuzzy Hash: 1C01D270B04241CFCB45AB7889122EE36A4EF95700F14449EE446DB2D5EB708E06C7A1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: ./\
              • API String ID: 0-3176372042
              • Opcode ID: 38419a6292a19796bdc82ed71762c9250c7e929a8edbb1245c928e56be28f518
              • Instruction ID: 5f5da7a8391060f5dd4214112b6732ffe930a3d70bd5fcd1c0027cc1a3477370
              • Opcode Fuzzy Hash: 38419a6292a19796bdc82ed71762c9250c7e929a8edbb1245c928e56be28f518
              • Instruction Fuzzy Hash: 4BA1CF31A00205DFCB15DF69C4845AEBBF2FF85310F1486A9D45AAB396DB30ED46CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Te^q
              • API String ID: 0-671973202
              • Opcode ID: 75efb5d2f93c164861f292a950f4879315470007e614caed995a422110375f2c
              • Instruction ID: 4dad9ddfaebaee143175600cf144865feb125290b5bd347a4cee2203b1c96d0f
              • Opcode Fuzzy Hash: 75efb5d2f93c164861f292a950f4879315470007e614caed995a422110375f2c
              • Instruction Fuzzy Hash: 1A517B34600244DFD714DB2AC9A8BA9BBF2BF48714F248159E6029B3F5CB71AC41CB60
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: LR^q
              • API String ID: 0-2625958711
              • Opcode ID: bcc2a8dfec979277836100d8447166ea6a1b5114e55b1a6f58234a8ef48cfb3f
              • Instruction ID: a8b29a79dd099c3070ecca81b34c5ecfc6eacfe55eee8e472061572b60fe6ac8
              • Opcode Fuzzy Hash: bcc2a8dfec979277836100d8447166ea6a1b5114e55b1a6f58234a8ef48cfb3f
              • Instruction Fuzzy Hash: 7D410434F002168FCB04AB7CC465AAE7BF6EFC5314B544169D54ADB395EE30CC0287A1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: $^q
              • API String ID: 0-388095546
              • Opcode ID: fa04e5abee566c79690f37f97cf17ed7a328e568264e62d861310911deb61ea3
              • Instruction ID: 64844d10ba106597c73e8c9ab403a019b9b192c10e973b542661f854bafa3d35
              • Opcode Fuzzy Hash: fa04e5abee566c79690f37f97cf17ed7a328e568264e62d861310911deb61ea3
              • Instruction Fuzzy Hash: FE418C30A0C980DBC7191F6984684ADFFB2BB857053788895F147CA7A4CB35CC17CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: dLdq
              • API String ID: 0-3390252261
              • Opcode ID: e4f542e2b76eceac4012377862d0ec092e2ae362fca47ac9f1996bd91ccd282a
              • Instruction ID: e3f9c55c67271a55c343cb0186b0a3bfacaaff42089b5be8ade83c99984ad320
              • Opcode Fuzzy Hash: e4f542e2b76eceac4012377862d0ec092e2ae362fca47ac9f1996bd91ccd282a
              • Instruction Fuzzy Hash: 68313C35A00204DFDB15DF69C458B9EBBF6AF48300F188569E406AB3A1CB75ED45CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Te^q
              • API String ID: 0-671973202
              • Opcode ID: d4afc89868fc59f330450214586e41e19ed1f297b5f64ad52ae71f5e70e0512e
              • Instruction ID: f03d020ea961e51f3a89ebee84d4306a4cf4af45a98bdf7ed588a5e4c2d8b7ba
              • Opcode Fuzzy Hash: d4afc89868fc59f330450214586e41e19ed1f297b5f64ad52ae71f5e70e0512e
              • Instruction Fuzzy Hash: 73218130B10154DFDB049B6CD868BADBBF6AF88710F244159E506DB3B1CF719C058BA5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: |
              • API String ID: 0-2343686810
              • Opcode ID: aa430c43bd617a58919d5a86a4db43a5514eb99fa086c25cedc4b8e2854fa087
              • Instruction ID: 840651ec3060df016520392963801eb8fa11601f8f51ececae0d285985507ab1
              • Opcode Fuzzy Hash: aa430c43bd617a58919d5a86a4db43a5514eb99fa086c25cedc4b8e2854fa087
              • Instruction Fuzzy Hash: C9117C75B00210DFCB44DF79C814BAE7BF5AF88700F10846AE94AEB3A0DB359D019B95
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Te^q
              • API String ID: 0-671973202
              • Opcode ID: 81e0207975a765ee1c3bf718b7264554282e1c7830af8c70eb4595251b448c6d
              • Instruction ID: 71f31d1d4ec9783a9200b9f9bc2489beb6b3cc5c3e08653ef98ecf816a6894d3
              • Opcode Fuzzy Hash: 81e0207975a765ee1c3bf718b7264554282e1c7830af8c70eb4595251b448c6d
              • Instruction Fuzzy Hash: 58118130B50200CFDB149F69C459BAEBBF6EF88710F15405AE902EB3A1CEB59C01CBA4
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Te^q
              • API String ID: 0-671973202
              • Opcode ID: d4dbadd6285f0041871afe38209045a8e4b295ad04840c710906d1c408b882e4
              • Instruction ID: 3d2edec49f98454b9c5fcb3d30cea2ac7bc9b5af466e0e1aa8f9df9250f41eb7
              • Opcode Fuzzy Hash: d4dbadd6285f0041871afe38209045a8e4b295ad04840c710906d1c408b882e4
              • Instruction Fuzzy Hash: 4B113034B50204DFDB149F69C499FADBBE6EF88710F144059E502AB3A5CEB59C01CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Te^q
              • API String ID: 0-671973202
              • Opcode ID: 8adc39850755d097301b7813b9829a96c7efdf3d6d07e0471fefb9a9c85ee900
              • Instruction ID: 619a4e8896355b0e9181c37deb21dd16379c6f0ea5c80f4d3f63c285155e4ff2
              • Opcode Fuzzy Hash: 8adc39850755d097301b7813b9829a96c7efdf3d6d07e0471fefb9a9c85ee900
              • Instruction Fuzzy Hash: 7F11AC71B102049FCB049B18D919BAE7BF6AB88710F240059F502EB3A1CF719D05CBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: Hbq
              • API String ID: 0-1245868
              • Opcode ID: 6875523071aa9ea465a2e7809e2a3115e0f22968667e0e968f248151064e9775
              • Instruction ID: c8feaaf98fa8e4f8906062d9986667d8f5d64da32c7c0721119a981adc607c4d
              • Opcode Fuzzy Hash: 6875523071aa9ea465a2e7809e2a3115e0f22968667e0e968f248151064e9775
              • Instruction Fuzzy Hash: 26F0C8303042545FC3469B3DA81446E7FEBEFCA25035A44F6E10ACB3E6DD298C068775
              Uniqueness

              Uniqueness Score: -1.00%

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID: LR^q
              • API String ID: 0-2625958711
              • Opcode ID: 2cffcf40ecfb2b205fbde2f9d1872ab522f74850cd7133ac483e2372ee048017
              • Instruction ID: 3cb5c11d4821ebac4a098e1ea715c11c5ba1021a79e714ab2cba89ca9ebf5cfd
              • Opcode Fuzzy Hash: 2cffcf40ecfb2b205fbde2f9d1872ab522f74850cd7133ac483e2372ee048017
              • Instruction Fuzzy Hash: 87016271B00115DFCB44EB68D912AEE77B9EF88B00F1040ADE54ADB290EB709E01C7E1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 017e369623ce3d0f3eaa117a1f8647ef0414537deb3ba15b05af22190c44a0a0
              • Instruction ID: ca1ad645922c105222ca6cd800a76333e77aa4ff03b516ce39367b05d9437f07
              • Opcode Fuzzy Hash: 017e369623ce3d0f3eaa117a1f8647ef0414537deb3ba15b05af22190c44a0a0
              • Instruction Fuzzy Hash: D5B13D70E00609CFDF10DFA9D9957DEBBF1AF48314F188129E41AA7254EB749845CFA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: bd5d7f5de60d56ea46b42a6a65ca5485774efe2fb8728b5785ff3b4f7e279ffb
              • Instruction ID: 18d923ae6a821cd8c5b94fab3e95186490eb37547ed7229a367bdbb49bd6cab5
              • Opcode Fuzzy Hash: bd5d7f5de60d56ea46b42a6a65ca5485774efe2fb8728b5785ff3b4f7e279ffb
              • Instruction Fuzzy Hash: 4CA14C70E00209CFDF10CFA9D9957DDBBF1AF48714F188129D85AA7294EB78D885CBA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 34099d7b18fa59fef51869dd87f4eb314e287e5840b3df0eedb1b0cf8668cc9c
              • Instruction ID: 58b3ccc76c849d1854231b5c36042b78e8359324faa4a9c45c3385ecde26c16e
              • Opcode Fuzzy Hash: 34099d7b18fa59fef51869dd87f4eb314e287e5840b3df0eedb1b0cf8668cc9c
              • Instruction Fuzzy Hash: 62A18C70B05205DFCB09EF78D454AADB7F2EF89304B108969D9069B395DF30DD4A8BA1
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dda2d650501c46e8cb2f03dd4c0c8670fd4a0e86a6246bb45a21edb7099a7431
              • Instruction ID: c6844947eff419adfeed6dd4a54351dc119eb15d791bf8175a9ed85bb1566424
              • Opcode Fuzzy Hash: dda2d650501c46e8cb2f03dd4c0c8670fd4a0e86a6246bb45a21edb7099a7431
              • Instruction Fuzzy Hash: F3A19C746053419FCB05EF30E458A5E7BB2FF84750B208A69D5068F3AADF35998ACF90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e9959eef61aff0129c89876dea9943d0b4028021ca1e80a098b51a7ebe829b99
              • Instruction ID: 34c97986000fe76139661a625e885fae5c41810aba404478f7dd7d240a040c64
              • Opcode Fuzzy Hash: e9959eef61aff0129c89876dea9943d0b4028021ca1e80a098b51a7ebe829b99
              • Instruction Fuzzy Hash: FDA19C746053419FCB05EF34E45895E7BB2FF84750B208A69D5068F3AADF31998ACF90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 200f571fe0aa24315cad90ec2b0dfc63ceaa8d7b5fddfc20230ae57646b2e00a
              • Instruction ID: 63d541584a35ea9dfed1df320c0be9b70aab439ea729a24fd55fb576e34122d5
              • Opcode Fuzzy Hash: 200f571fe0aa24315cad90ec2b0dfc63ceaa8d7b5fddfc20230ae57646b2e00a
              • Instruction Fuzzy Hash: 35417C34600155DFCB14DF68C994AAEFBB2FF45314F2184A9E516AB3A6CB31EC01CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 714c484dba91ac19525d3936e5520a03cce909cf97421cc01ec066d2fe74427d
              • Instruction ID: 2d5b31581bff54bbe286238648d052fbd6141dc4e418b77f3a97a8a48ba8e9f0
              • Opcode Fuzzy Hash: 714c484dba91ac19525d3936e5520a03cce909cf97421cc01ec066d2fe74427d
              • Instruction Fuzzy Hash: 9241CD71B002448FCB28EF7DD5956AEBBF6EBC8314F14842DD14A9B380CF3499468BA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9e31acdf2fd8d9dbad4f6ef957b3bf5069b2445c7bdeefe084fd3b0fe2938afa
              • Instruction ID: 2de3184fb3b23dac623c4ac31242d425cea254e79c782bafabf97f639185665e
              • Opcode Fuzzy Hash: 9e31acdf2fd8d9dbad4f6ef957b3bf5069b2445c7bdeefe084fd3b0fe2938afa
              • Instruction Fuzzy Hash: F551B03861A205DFC706EF28F9A49497B63FB84305750866ED40ACB37DEB35A946CF90
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b2ce9b0aef51d6ca0b77d9031fe5fca570f4f22bbefe5b604f18cfa9a09cab63
              • Instruction ID: 536f61855285b9d60e5dba9ceae8cefebc5050d37c4daa7961608746ed62803a
              • Opcode Fuzzy Hash: b2ce9b0aef51d6ca0b77d9031fe5fca570f4f22bbefe5b604f18cfa9a09cab63
              • Instruction Fuzzy Hash: EA41A070E00209EFCB04EFBDC5546AEBBFAEF88300F648569D44AD7345DA349D428BA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4e30d74ff6d5dae6356e7541ba06faaf07da95eb35b753f6020b92a1b174ea7d
              • Instruction ID: aa0dcd6ae19880c84517deb7f4144d99b5407958adb38fc0cdc02153145266fc
              • Opcode Fuzzy Hash: 4e30d74ff6d5dae6356e7541ba06faaf07da95eb35b753f6020b92a1b174ea7d
              • Instruction Fuzzy Hash: D041E1B0D00349DFDB10DF99C584ADEBFF5BF48314F148429E41AAB254DB74A985CB94
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 315ff4501b1cb84df64c8e20a22ea953b1338fa9e295d0a8ce61e21867057f26
              • Instruction ID: 1eaf4bd95e343bbc0e7df6645ba8424702a158a9d7ec8138a7794191bb507f7e
              • Opcode Fuzzy Hash: 315ff4501b1cb84df64c8e20a22ea953b1338fa9e295d0a8ce61e21867057f26
              • Instruction Fuzzy Hash: E04102B5D00349DFCB10DF99C580ADEBFF4BF48314F148429E81AAB254DB749989CB94
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 74d9e48f368042f2faff216170f12efc46a1da35655f1e2d9add40a87d461bec
              • Instruction ID: 67b9b545282475cd79ccc2cb9a744b9edcd90ab1c9df095baf687e0f94d9f47b
              • Opcode Fuzzy Hash: 74d9e48f368042f2faff216170f12efc46a1da35655f1e2d9add40a87d461bec
              • Instruction Fuzzy Hash: FE216030704702EFDB65AB74A9686EF3FA8AF55301B19886DD407C72A5EF34C9018B75
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874639909.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_d0d000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 088bf1c746a8c07ce1ce4bc109727feb4b8dfabb65b315a4bfa11a9619a2ddc4
              • Instruction ID: 807504a6eee94406bd669e75b8620f8cca1a41b9431c50f7ece83a00ff04b011
              • Opcode Fuzzy Hash: 088bf1c746a8c07ce1ce4bc109727feb4b8dfabb65b315a4bfa11a9619a2ddc4
              • Instruction Fuzzy Hash: FF213371504200DFDB01DF84D9C4B26BF62FB94328F24C56AED0D0A29AC336D846CAB2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 926200d6906ac62c713356297c4e70a3017b7b6402914c0d102c3b701204f432
              • Instruction ID: 9b9858bfe21df2ba5d5908cda5d52bd2218aa66361ec963bb4f2236f308945e4
              • Opcode Fuzzy Hash: 926200d6906ac62c713356297c4e70a3017b7b6402914c0d102c3b701204f432
              • Instruction Fuzzy Hash: 0B216F30714302DFDF64ABB5A9686EF7EA8AF44305718882DD40BC6254EF34C902DB76
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a61825dc300c2f87d4a74a0c15785641fd530687884036b670407faa6aba8632
              • Instruction ID: 7ed2f6b5e66515ed2e087231897d72d5d8d8d8048151e543b775c5e507a221c3
              • Opcode Fuzzy Hash: a61825dc300c2f87d4a74a0c15785641fd530687884036b670407faa6aba8632
              • Instruction Fuzzy Hash: 66215930601215CFCB15AB78D9646AEBBB6EF89304F14442CD446EB3A5DF319C8ACBA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4ccae131901beb0147b9997542dfc7845e30d705ca4a0d072494a78e2ad196ea
              • Instruction ID: 3b19eab95a36064df4cc5565928d0ac0619329d398d4e9ebaa918ccae9cdaad9
              • Opcode Fuzzy Hash: 4ccae131901beb0147b9997542dfc7845e30d705ca4a0d072494a78e2ad196ea
              • Instruction Fuzzy Hash: 72217AB5A01300EFE715DF28E8947D07BA2B784B10F04856AD401CB365DB708A46CBB2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 31c6d2eaa4d22a95971705972bcd6c6358478896f1c5542bc12e0e833eeb70e7
              • Instruction ID: 6b9006cb32e97ca257e28da571c3c9ec644adb4cf6ab8d2db9411674fb69db7c
              • Opcode Fuzzy Hash: 31c6d2eaa4d22a95971705972bcd6c6358478896f1c5542bc12e0e833eeb70e7
              • Instruction Fuzzy Hash: A11106317082008BCB04A77CD9945AD77E69BC4654700867DCD0ADB399EF31DD0A47F6
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: c93d1e8405bf3b04cece823d02b1facd5c0401bbb81def64e55f5ee05061b83b
              • Instruction ID: 80b1bf462287e75df02c83bfd267191b2bea474691bce0b566b57c6116106c72
              • Opcode Fuzzy Hash: c93d1e8405bf3b04cece823d02b1facd5c0401bbb81def64e55f5ee05061b83b
              • Instruction Fuzzy Hash: 2D118274A01205DFCB51EB78D45856A7BF2BF8970575504BDD40ACB3A4EB30CD42CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 9660025ac7b285d61108a7c69cbb66ad00976c7df798c8dde00f27675eec7267
              • Instruction ID: 4454dc0c0d7f7f96a1fde5942512c973a32577ffd79ae8f4879f5cfbeb2a373d
              • Opcode Fuzzy Hash: 9660025ac7b285d61108a7c69cbb66ad00976c7df798c8dde00f27675eec7267
              • Instruction Fuzzy Hash: B511D370A01205DFCB40FB78D8116AEBBF5EF81314B108A6DD5168B396EB71990A8BF5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874639909.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_d0d000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
              • Instruction ID: 11a7841cbd6368016eace637ae154998693f23e8f66a5b67a54f7fe16c071c81
              • Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
              • Instruction Fuzzy Hash: 45110372404280CFCB02CF44D9C4B16BF72FB94328F28C5AADD090B256C336D85ACBA2
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9edf7295c6613351c8a118498be35d8a2829621675338e1b14b1667b0e3eefd
              • Instruction ID: f8057c874fc7da197c89ccf196a21956416dfd52ebb250158bd4952223b006f6
              • Opcode Fuzzy Hash: a9edf7295c6613351c8a118498be35d8a2829621675338e1b14b1667b0e3eefd
              • Instruction Fuzzy Hash: C611AD74B01209DFCB54EBB9D554A6A7BE6AF8870571008BDD00ACB364EA31CC41CBA0
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 19f87bd2f86093fcfe05941d437f729d8944114f04d5454eca70e0288f91d6be
              • Instruction ID: 0e10aa68218e054ba6d38662ed8977408733ff2ea331291b38e2df9f6df66c71
              • Opcode Fuzzy Hash: 19f87bd2f86093fcfe05941d437f729d8944114f04d5454eca70e0288f91d6be
              • Instruction Fuzzy Hash: 9F11C470601205DFCB40FB38D4116AEBBF5EF85314B108A6DD1068B386EB719A0ACBF5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 2f903e55ad817569ff846de1706c109a46f30be1321212ab1f461a2a8267cc47
              • Instruction ID: 929642aa8e449d84a549ec41809c0f167cfa5f1bf2e16cd8fc15d116878aab64
              • Opcode Fuzzy Hash: 2f903e55ad817569ff846de1706c109a46f30be1321212ab1f461a2a8267cc47
              • Instruction Fuzzy Hash: 9201DF303012008BCB18AB3DA6A46BE76A3EBC5354B04853DE00BCB791CF35CC4A9765
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5e8c3dc3cc7f3e914afe1969cb22de689f84b2b886afeaf54d023ff7f4e90cb2
              • Instruction ID: aacd62ce37c1fb0224ef3b11989a95cef858e5b652ccf6ed7dadff55cda6fc63
              • Opcode Fuzzy Hash: 5e8c3dc3cc7f3e914afe1969cb22de689f84b2b886afeaf54d023ff7f4e90cb2
              • Instruction Fuzzy Hash: 85111EB5800648CFCB20CF9AD584BDEBBF4EB48324F20841AD559A7250C778A984CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b8fdb421464949ae13bed39df8f15877bf89c2f52713114de8c8d30e19ff5947
              • Instruction ID: 39e013f43744aecf777e5ee086e06588fe33068c1f58fde0310efa936f5a7b6a
              • Opcode Fuzzy Hash: b8fdb421464949ae13bed39df8f15877bf89c2f52713114de8c8d30e19ff5947
              • Instruction Fuzzy Hash: B71112B5800648CFCB10CF99D584BDEBBF4AB08324F20841AC569B7250C738A584CFA5
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 630054c83e22b7d63cd688932b5da73a4587202f3a52f42600b6809db9fb036e
              • Instruction ID: bd9ff83b65daae6dbfdf59dc23192d5c6feb345dff870cd2f57fcec78a63b998
              • Opcode Fuzzy Hash: 630054c83e22b7d63cd688932b5da73a4587202f3a52f42600b6809db9fb036e
              • Instruction Fuzzy Hash: D4D052300242008FC344DF98E498D82BBA8BF55A00B01009AE8018B223C721A810EF61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 62bf6f95656ed9636aa051fea51fc873df68be8401f46f291ea80f0ab7c5e85a
              • Instruction ID: 62cef7f1a91351c23a6efd147c70e5563532153833f4a419cfafe767b5d47037
              • Opcode Fuzzy Hash: 62bf6f95656ed9636aa051fea51fc873df68be8401f46f291ea80f0ab7c5e85a
              • Instruction Fuzzy Hash: 9DC08C21144307EFE31027A0F90CAED3D29ABC1305F008822A043842A5CE7C4802533F
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d3183a2da057eac562d16e17bb7472d4f9ee042539f1056fc2a0b51baf360a75
              • Instruction ID: dcadec8146d34fcf1a7bcf89453c5994748da8fb49f2c7d14a552d07dc5cf448
              • Opcode Fuzzy Hash: d3183a2da057eac562d16e17bb7472d4f9ee042539f1056fc2a0b51baf360a75
              • Instruction Fuzzy Hash: DDC08C2114474AEFEB1027A0F90CAED3E29A7C1305F008826A043842A5CE7C4842973F
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 218e4c13fab5a2c69efbf71f30264478f9006db640652dd49332cb3f09782a52
              • Instruction ID: 98ee300482e656ecfc93354bbd4b8bb06d33255cd89fb234c33b14f871955a40
              • Opcode Fuzzy Hash: 218e4c13fab5a2c69efbf71f30264478f9006db640652dd49332cb3f09782a52
              • Instruction Fuzzy Hash: 34C048392642088F8244EA99E598C12B7A8BF58A00341009AE5058B732CB21F810DA61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cef0378dc99612f05ee58f96854980ecf8666d6edc3a40e3ec17a89a5bd4eb32
              • Instruction ID: 44d054ae8c57c634c08c8bacab0329952ca791a7423e21635aec010bb6207a1b
              • Opcode Fuzzy Hash: cef0378dc99612f05ee58f96854980ecf8666d6edc3a40e3ec17a89a5bd4eb32
              • Instruction Fuzzy Hash: 69827B30700205CFDB14DF69C99476EBAE2FF84304F648569E14A8B3A6CFB1DD4A8B61
              Uniqueness

              Uniqueness Score: -1.00%

              Memory Dump Source
              • Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: aedb50ecc0fb888b4db5417a1cf8eaffb57647e5167271d4c88c733f42a148dd
              • Instruction ID: 7c814a4ed1d2ede48b8440d2fa85324fa9f2ae5bd16407d450f6f7e928eb26a2
              • Opcode Fuzzy Hash: aedb50ecc0fb888b4db5417a1cf8eaffb57647e5167271d4c88c733f42a148dd
              • Instruction Fuzzy Hash: 0D917170E00709CFDF14CFA9D9917DDBBF2AF88704F188129D41AA7258DB749885CB55
              Uniqueness

              Uniqueness Score: -1.00%
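The blocks above are the IDA plugin's per-function similarity records, and the report prints them without explaining what they tell an analyst. As an added example (not part of the Joe Sandbox report or its tooling), the Python below parses these blocks, decodes the dump filename and surfaces the point that matters for triage: every function listed here was lifted from a region in process index 4 (RegAsm.exe, per the snapshot file name) whose protection field is 0x40, PAGE_EXECUTE_READWRITE, and which is "based on PE: false", that is, executable memory not backed by a loaded image, the usual footprint of code injected into a host process. The dump-name field layout (process index, stage, base address, protection) is an assumption; only the base address is cross-checked against the "Offset:" value and the snapshot name `hcaresult_4_2_db0000_RegAsm`, both of which the report does state. The embedded sample is two entries copied verbatim from this section.

```python
"""Parse Joe Sandbox 'Memory Dump Source' function entries and flag the
regions they were dumped from (added example, not report code)."""
import re
from collections import defaultdict

# Windows page-protection constants from winnt.h (low byte of the value).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_MASK = 0x10 | 0x20 | 0x40 | 0x80

FIELD_RE = re.compile(r"^\s*•\s*([^:]+?):\s*(.*?)\s*$")
SOURCE_RE = re.compile(r"^(?P<name>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
                       r"\s*based on PE:\s*(?P<pe>true|false)$", re.I)
SCORE_RE = re.compile(r"^\s*Uniqueness Score:\s*(-?[\d.]+)%")

# Two entries copied from the report section above.
SAMPLE = """\
Memory Dump Source
• Source File: 00000004.00000002.2874902457.0000000000DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DB0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_db0000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 630054c83e22b7d63cd688932b5da73a4587202f3a52f42600b6809db9fb036e
• Instruction ID: bd9ff83b65daae6dbfdf59dc23192d5c6feb345dff870cd2f57fcec78a63b998
• Opcode Fuzzy Hash: 630054c83e22b7d63cd688932b5da73a4587202f3a52f42600b6809db9fb036e
• Instruction Fuzzy Hash: D4D052300242008FC344DF98E498D82BBA8BF55A00B01009AE8018B223C721A810EF61
Uniqueness

Uniqueness Score: -1.00%

Memory Dump Source
• Source File: 00000004.00000002.2874639909.0000000000D0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D0D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_d0d000_RegAsm.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
• Instruction ID: 11a7841cbd6368016eace637ae154998693f23e8f66a5b67a54f7fe16c071c81
• Opcode Fuzzy Hash: ce69cba98bfff612cefda2c4877fe7df6cc59bd7a6ce96c012d28fad0f514114
• Instruction Fuzzy Hash: 45110372404280CFCB02CF44D9C4B16BF72FB94328F28C5AADD090B256C336D85ACBA2
Uniqueness

Uniqueness Score: -1.00%
"""


def parse_dump_name(name):
    """Decode the dot-separated .sdmp name. ASSUMPTION: field 0 is the process
    index, 1 the analysis stage, 3 the region base, 4 the page protection;
    only the base is confirmed by the report's own 'Offset:' value."""
    parts = name.split(".")
    if len(parts) != 9 or parts[-1] != "sdmp":
        raise ValueError(f"unexpected dump name: {name}")
    protect = int(parts[4], 16)
    return {"proc_index": int(parts[0], 16), "stage": int(parts[1], 16),
            "base": int(parts[3], 16), "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect & 0xFF, hex(protect)),
            "executable": bool(protect & EXEC_MASK)}


def parse_entries(text):
    """Split the report text into one dict per 'Memory Dump Source' block."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            cur = {}
            entries.append(cur)
            continue
        if cur is None:
            continue
        m = SCORE_RE.match(line)
        if m:
            cur["uniqueness_score"] = float(m.group(1))
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Source File":
            s = SOURCE_RE.match(value)
            if not s:
                raise ValueError(f"unparsable source line: {value}")
            cur["based_on_pe"] = s.group("pe").lower() == "true"
            cur.update(parse_dump_name(s.group("name")))
            if cur["base"] != int(s.group("offset"), 16):
                raise ValueError("dump base and Offset disagree")
        else:
            cur[key.lower().replace(" ", "_")] = value
    return entries


def inconsistent_entries(entries):
    """Entries whose Opcode ID and Opcode Fuzzy Hash differ (none on this page)."""
    return [e for e in entries if e.get("opcode_id") != e.get("opcode_fuzzy_hash")]


def triage(entries):
    """Group functions by (process, region) and flag executable regions that are
    not image-backed: the footprint of code injected into a host process."""
    regions = defaultdict(lambda: {"functions": 0, "opcode_ids": set()})
    for e in entries:
        r = regions[(e["proc_index"], e["base"])]
        r["functions"] += 1
        r["opcode_ids"].add(e["opcode_id"])
        r.update(protect_name=e["protect_name"], executable=e["executable"],
                 based_on_pe=e["based_on_pe"])
    return [{"proc_index": p, "base": b, **r, "opcode_ids": len(r["opcode_ids"]),
             "suspicious": r["executable"] and not r["based_on_pe"]}
            for (p, b), r in sorted(regions.items())]


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE)):
        tag = "INJECTED?" if f["suspicious"] else "ok"
        print(f"proc {f['proc_index']} base 0x{f['base']:08X} {f['protect_name']} "
              f"pe={f['based_on_pe']} functions={f['functions']} {tag}")
```

Run it against the full report text (the same block layout repeats for every function) to get a per-region count; a region that is PAGE_EXECUTE_READWRITE, not PE-backed and holds dozens of disassembled functions is the dump worth carving and scanning with the AsyncRAT Yara rules, and its Opcode IDs are the values to pivot on across other reports. The negative uniqueness score is what the plugin emits when no similarity data is available, so it carries no signal here.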