Analysis Report jvHSccqW.exe

Overview

General Information

Sample Name: jvHSccqW.exe
Analysis ID: 358594
MD5: efeff4b4242776d6576b0fb18f35d52c
SHA1: 557fa8532f5340ee628df64cb9a199ef935f1dc5
SHA256: 2399e5acd8e6fec2e83de445cf83b598676f57fdfedd1f67a7872a5009866591
Tags: AsyncRAT, exe

Detection

AsyncRAT
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected AsyncRAT
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • jvHSccqW.exe (PID: 6356 cmdline: 'C:\Users\user\Desktop\jvHSccqW.exe' MD5: EFEFF4B4242776D6576B0FB18F35D52C)
  • cleanup

Malware Configuration

Threatname: AsyncRAT

{"Server": "newss.myq-see.com", "Ports": "1177", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "HMaZiL8g7SjFAvgHIXWZdtT729qvTY9R", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
jvHSccqW.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
Process Memory Space: jvHSccqW.exe PID: 6356 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
0.0.jvHSccqW.exe.fe0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |
0.2.jvHSccqW.exe.fe0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: jvHSccqW.exe | Avira: detected
Found malware configuration
              Source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmpMalware Configuration Extractor: AsyncRAT {"Server": "newss.myq-see.com", "Ports": "1177", "Version": "0.5.7B", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "", "AES_key": "HMaZiL8g7SjFAvgHIXWZdtT729qvTY9R", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "null", "BDOS": "false", "Startup_Delay": "3", "HWID": "null", "Certificate": "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", "ServerSignature": "MTAsavgxOutIMsaUSguW3Z+vRa7Czv4HK1F4b5ydoIcOoRYF06jsDGYbw2TAG4BXSn2zVnQhvNK4tFeH5qvxVSiGY2dIfW4h4BOb5+fbWBQ5WikeA72thrnmb/lJVQKnbs/jQSxZXrdIbD9i74whKkiA1VBJin26yQuvSa1s6d+x9I3DLsrylv5yW3LPtHu+TOjAyWJ5Iadsk1O1vkpN9aWpf6BQeNLbtz5D6btb7Y5X+rHoCyROyasfR8tW/dYlsBtk98dCjKaAERKdh71Vw7ekm7Jj4S+dbaeQtuCUIDevWuA+QcqcuP+WaWEgrCMhAoEoqj65M/sIymI0dvxYk15N72icZIsyFCCUuDDqdpF+ykOxyieGYTcZeU6/0toOS4zRGRwFQ4Y5bQPzODNlkdLdLZPEvOgH8hgUY/AyhWrx4Ok8r2acKwM6t2xhgQR6PCrNWHDHrzdjUqrTFmsn9C7asP0+lzrB/VDe9CVnWm0MN5pNAYS3IEGYZAmKU/3H3YIiLWoEb3UMyJckPoR8AlPmLhdkrGCu50K+Jp0b1GwLlF5cItQGrxsUXQeZdGEswNU1Q5SrGI45La3/IjsI/ODQbQEI+lu64ZFUj3HsqMN1TCAlNgKd44R6t1Cuf/rYkUaHdRVIufxMUqiuX6YcgxHpBENYgi4aylBXTuPBCkw=", "Group": "Default"}
Machine Learning detection for sample
Source: jvHSccqW.exe | Joe Sandbox ML: detected
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack | Avira: Label: TR/Dropper.Gen
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack | Avira: Label: TR/Dropper.Gen

Compliance:

Uses 32bit PE files
Source: jvHSccqW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: jvHSccqW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: newss.myq-see.com
Source: global traffic | TCP traffic: 192.168.2.5:49714 -> 154.16.67.107:1177
Source: unknown | DNS traffic detected: queries for: newss.myq-see.com
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp | String found in binary or memory: http://ctldl.windows
Source: jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp, 77EC63BDA74BD0D0E0426DC8F8008506.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: jvHSccqW.exe, 00000000.00000002.485611389.0000000003351000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected AsyncRAT
Source: Yara match | File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match | File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_0190D5F0
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_01909530
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_01908C60
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_0190F298
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_01908918
Source: jvHSccqW.exe, 00000000.00000002.484213116.0000000000FEE000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489036936.00000000058A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.485577057.0000000003330000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489025524.0000000005890000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamenlsbres.dllj% vs jvHSccqW.exe
Source: jvHSccqW.exe, 00000000.00000002.489396058.0000000005DC0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemswsock.dll.muij% vs jvHSccqW.exe
Source: jvHSccqW.exe | Binary or memory string: OriginalFilenameStub.exe" vs jvHSccqW.exe
Source: jvHSccqW.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: jvHSccqW.exe, Client/Settings.cs | Base64 encoded string: [...]
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Settings.cs | Base64 encoded string: [...]
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Settings.cs | Base64 encoded string: [...]
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: jvHSccqW.exe, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: jvHSccqW.exe, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.2.jvHSccqW.exe.fe0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: classification engine | Classification label: mal76.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\jvHSccqW.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: jvHSccqW.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\jvHSccqW.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\jvHSccqW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\jvHSccqW.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\jvHSccqW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: jvHSccqW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: jvHSccqW.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_00FE39AC push 720A0000h; retf 0024h (0_2_00FE39B1)
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_00FE2A66 push 0000003Eh; retn 0000h (0_2_00FE2DC0)
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_00FE2F81 push eax; ret (0_2_00FE2F95)
Source: C:\Users\user\Desktop\jvHSccqW.exe | Code function: 0_2_00FE7201 push es; iretd (0_2_00FE7202)

Boot Survival:

Yara detected AsyncRAT
Source: Yara match | File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match | File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: C:\Users\user\Desktop\jvHSccqW.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\jvHSccqW.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Yara detected AsyncRAT
Source: Yara match | File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match | File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: jvHSccqW.exe | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\jvHSccqW.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\jvHSccqW.exe | Window / User API: threadDelayed 4909
Source: C:\Users\user\Desktop\jvHSccqW.exe | Window / User API: threadDelayed 4795
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6600 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6676 | Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6676 | Thread sleep count: 59 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6684 | Thread sleep count: 4909 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe TID: 6684 | Thread sleep count: 4795 > 30
Source: C:\Users\user\Desktop\jvHSccqW.exe | File Volume queried: C:\ FullSizeInformation
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: jvHSccqW.exe | Binary or memory string: vmware
Source: jvHSccqW.exe, 00000000.00000003.444659868.0000000005883000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: jvHSccqW.exe, 00000000.00000002.489155695.0000000005C90000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\jvHSccqW.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\jvHSccqW.exe | Memory allocated: page read and write | page guard
Source: jvHSccqW.exe, 00000000.00000003.268119312.000000000169F000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: jvHSccqW.exe, 00000000.00000003.268119312.000000000169F000.00000004.00000001.sdmp | Binary or memory string: Program ManagerE7227815
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: jvHSccqW.exe, 00000000.00000002.485386872.0000000001DC0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\jvHSccqW.exe | Queries volume information: C:\Users\user\Desktop\jvHSccqW.exe VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\jvHSccqW.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Yara detected AsyncRAT
Source: Yara match | File source: jvHSccqW.exe, type: SAMPLE
Source: Yara match | File source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: jvHSccqW.exe PID: 6356, type: MEMORY
Source: Yara match | File source: 0.0.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.jvHSccqW.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: jvHSccqW.exe, 00000000.00000002.488936663.0000000005816000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\jvHSccqW.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Windows Management Instrumentation 1; Scheduled Task/Job 1; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job 1; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection 1; Scheduled Task/Job 1; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Virtualization/Sandbox Evasion 2; Disable or Modify Tools 1; Process Injection 1; Obfuscated Files or Information 111; Software Packing 1; Steganography; Compile After Delivery
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: Query Registry 1; Security Software Discovery 121; Virtualization/Sandbox Evasion 2; Process Discovery 1; Application Window Discovery 1; Remote System Discovery 1; System Information Discovery 13
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Archive Collected Data 1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 1; Application Layer Protocol 11; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

Behavior Graph

Legend:

• Process
• Signature
• Created File
• DNS/IP Info
• Is Dropped
• Is Windows Process
• Number of created Registry Values
• Number of created Files
• Visual Basic
• Delphi
• Java
• .Net C# or VB.NET
• C, C++ or other language
• Is malicious
• Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
jvHSccqW.exe | 100% | Avira | TR/Dropper.Gen |
jvHSccqW.exe | 100% | Joe Sandbox ML | |

Dropped Files

No Antivirus matches

Unpacked PE Files

Source | Detection | Scanner | Label | Link
0.0.jvHSccqW.exe.fe0000.0.unpack | 100% | Avira | TR/Dropper.Gen |
0.2.jvHSccqW.exe.fe0000.0.unpack | 100% | Avira | TR/Dropper.Gen |

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://ctldl.windows | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
newss.myq-see.com | 154.16.67.107 | true | false | | high

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
newss.myq-see.com | false | | high

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ctldl.windows | jvHSccqW.exe, 00000000.00000003.295949209.000000000582F000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | jvHSccqW.exe, 00000000.00000002.485611389.0000000003351000.00000004.00000001.sdmp | false | | high

Contacted IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
154.16.67.107 | unknown | South Africa | | 40676 | AS40676US | false

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 358594
Start date: 25.02.2021
Start time: 22:03:17
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 19s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: jvHSccqW.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal76.troj.evad.winEXE@1/2@1/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 0.7% (good quality ratio 0.3%)
• Quality average: 16.8%
• Quality standard deviation: 22.5%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 5
• Number of non-executed functions: 2
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
                    Show All
                    • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                    • Excluded IPs from analysis (whitelisted): 51.103.5.159, 204.79.197.200, 13.107.21.200, 40.88.32.150, 51.11.168.160, 93.184.220.29, 13.64.90.137, 23.54.113.53, 52.255.188.83, 52.147.198.201, 67.26.73.254, 67.27.158.126, 8.253.95.249, 8.248.147.254, 8.253.207.121, 184.30.20.56, 20.54.26.129, 2.20.142.210, 2.20.142.209, 92.122.213.194, 92.122.213.247, 51.104.144.132
                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, cs9.wac.phicdn.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, ocsp.digicert.com, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, client.wns.windows.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: /opt/package/joesandbox/database/analysis/358594/sample/jvHSccqW.exe

Simulations

Behavior and APIs

Time | Type | Description
22:04:11 | API Interceptor | 2x Sleep call for process: jvHSccqW.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match | Associated Sample Name / URL | Detection | Context
AS40676US | N5eld3tiba.exe | malicious | 172.107.43.174
AS40676US | shed.exe | malicious | 172.106.242.148
AS40676US | urgent specification request.exe | malicious | 23.228.252.187
AS40676US | SecuriteInfo.com.Trojan.GenericKD.45746214.12120.exe | malicious | 45.61.139.76
AS40676US | SecuriteInfo.com.BehavesLike.Win32.Generic.dc.exe | malicious | 45.61.139.76
AS40676US | NF54.vbs | malicious | 88.214.59.150
AS40676US | XE54.vbs | malicious | 88.214.59.150
AS40676US | PA71.vbs | malicious | 88.214.59.150
AS40676US | WI57.vbs | malicious | 88.214.59.150
AS40676US | QD63.vbs | malicious | 88.214.59.150
AS40676US | MV55.vbs | malicious | 88.214.59.150
AS40676US | HL66.vbs | malicious | 88.214.59.150
AS40676US | zSDBuG8gDl.exe | malicious | 185.229.243.67
AS40676US | 03728d6617cd13b19bd69625f7ead202.exe | malicious | 185.229.243.67
AS40676US | AANK5mcsUZ.exe | malicious | 104.217.200.38
AS40676US | mh47fywu0o.exe | malicious | 104.217.141.196
AS40676US | P020433098747993990.PDF.exe | malicious | 185.162.88.26
AS40676US | sample catalog_copy.exe | malicious | 107.160.127.252
AS40676US | 210127.exe | malicious | 172.107.55.21
AS40676US | DHL-#AWB130501923096PDF.exe | malicious | 185.162.88.26

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\Desktop\jvHSccqW.exe
File Type: Microsoft Cabinet archive data, 59134 bytes, 1 file
Category: dropped
Size (bytes): 59134
Entropy (8bit): 7.995450161616763
Encrypted: true
SSDEEP: 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5: E92176B0889CC1BB97114BEB2F3C1728
SHA1: AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256: 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512: CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious: false
Reputation: high, very likely benign file
Preview: MSCF............,...................I........T.........R.. .authroot.stl.ym&7.5..CK..8T....c_.d...:.(.....].M$[v.4.).E.$7*I.....e..Y..Rq...3.n..u..............|..=H....&..1.1..f.L..>e.6....F8.X.b.1$,.a...n-......D..a....[.....i,+.+..<.b._#...G..U.....n..21*pa..>.32..Y..j...;Ay........n/R... ._.+..<...Am.t.<. ..V..y`.yO..e@../...<#..#......dju*..B......8..H'..lr.....l.I6/..d.].xIX<...&U...GD..Mn.y&.[<(tk.....%B.b;./..`.#h....C.P...B..8d.F...D.k........... 0..w...@(.. @K....?.)ce........\.\......l......Q.Qd..+...@.X..##3..M.d..n6.....p1..)...x0V...ZK.{...{.=#h.v.).....b...*..[...L..*c..a..,...E5X..i.d..w.....#o*+.........X.P...k...V.$...X.r.e....9E.x..=\...Km.......B...Ep...xl@@c1.....p?...d.{EYN.K.X>D3..Z..q.] .Mq.........L.n}........+/l\.cDB0.'.Y...r.[.........vM...o.=....zK..r..l..>B....U..3....Z...ZjS...wZ.M...IW;..e.L...zC.wBtQ..&.Z.Fv+..G9.8..!..\T:K`......m.........9T.u..3h.....{...d[...@...Q.?..p.e.t[.%7..........^.....s.

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Users\user\Desktop\jvHSccqW.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.084754685484954
Encrypted: false
SSDEEP: 6:kK5bqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:43kPlE99SNxAhUeo+aKt
MD5: 246BEC775D58E976C2E5A9367B1E0B71
SHA1: 1D3EFCA090254B07E9E8407257D9E6DCCCED7755
SHA-256: 65397B6692B8A7BB9E00260AD65276CDE902A51E2D06DA53828E4AA091BA67C9
SHA-512: 7AC1DE3B3C3DAB30925631439ABD5D5888705EDA5FC9E8BA590C93CDB08AC1D6FBD87D114FE009E35B89A9AA12F3B054DCE19EEE02309E1CCEC9FA8771D6CC39
Malicious: false
Reputation: low
Preview: p...... ........@B.3....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...

Static File Info

General

File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.444852828545967
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: jvHSccqW.exe
File size: 46080
MD5: efeff4b4242776d6576b0fb18f35d52c
SHA1: 557fa8532f5340ee628df64cb9a199ef935f1dc5
SHA256: 2399e5acd8e6fec2e83de445cf83b598676f57fdfedd1f67a7872a5009866591
SHA512: ba28499ff3baf5fc56d4b77342095122a0c4dfabee6d639fa5f6f474ad0415f7a6de2668c5a41dea7faa1eb8835d7e81b01dd1a892db6619a8a6a3d4892459b7
SSDEEP: 768:4uwHvTpY8oiWUUGyKmo2q8zKjGKG6PIyzjbFgX3ioP6mfoZXBDZyx:4uwHvTpTf23KYDy3bCXSQf4dyx
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@................................

File Icon

Icon Hash: 00828e8e8686b000

Static PE Info

General

Entrypoint: 0x40c6ee
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: 32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp: 0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version: v4.0.30319
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (the same instruction repeated 97 times: the disassembly of the zero bytes that follow the jump)

Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc694 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x7ff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa6f4 | 0xa800 | False | 0.499465215774 | data | 5.4994123035 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x7ff | 0x800 | False | 0.41748046875 | data | 4.88506844918 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.0815394123432 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe0a0 | 0x2cc | data | |
RT_MANIFEST | 0xe36c | 0x493 | exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |

Imports

DLL | Import
mscoree.dll | _CorExeMain

Version Infos

Description | Data
Translation | 0x0000 0x04b0
LegalCopyright |
Assembly Version | 1.0.0.0
InternalName | Stub.exe
FileVersion | 1.0.0.0
CompanyName |
LegalTrademarks |
Comments |
ProductName |
ProductVersion | 1.0.0.0
FileDescription |
OriginalFilename | Stub.exe

                    Network Behavior

                    Network Port Distribution

                    TCP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Feb 25, 2021 22:04:10.320004940 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:10.482769012 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:10.482872009 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:10.527359009 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:10.702203989 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:10.702227116 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:10.702370882 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:10.706372023 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:10.870584011 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:10.971750021 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:12.691809893 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:12.910052061 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:12.910321951 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:13.128930092 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:26.430538893 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:26.654350996 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:26.654511929 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:26.825553894 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:26.973553896 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:27.144078016 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:27.215955019 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:27.451097965 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:27.451172113 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:27.685641050 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:40.216777086 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:40.451437950 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:40.451858997 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:40.623414040 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:40.818084002 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:40.989783049 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:41.012784958 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:41.248166084 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:41.248289108 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:41.482537985 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:53.941447973 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:54.170099020 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:54.172399998 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:54.346194983 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:54.397264957 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:54.568160057 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:54.598596096 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:54.826316118 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:54.826509953 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:55.060729980 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:57.112668037 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:57.163088083 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:04:57.333658934 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:04:57.381860971 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:07.718311071 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:07.951443911 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:07.951662064 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:08.123596907 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:08.179764986 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:08.351942062 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:08.375176907 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:08.611773968 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:08.611918926 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:08.843782902 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:21.453201056 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:21.685910940 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:21.686032057 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:21.859544992 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:21.899708033 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:22.070270061 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:22.089847088 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:22.311014891 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:22.311285973 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:22.545649052 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:27.113698006 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:27.165659904 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:27.336261034 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:27.384622097 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:35.183702946 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:35.404809952 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:35.404905081 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:35.576008081 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:35.619482040 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:35.790024042 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:35.815161943 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:36.045651913 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:36.045840025 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:36.280075073 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:48.929539919 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:49.155081987 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:49.155215025 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:49.328382969 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:49.386205912 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:49.556647062 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:49.579850912 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:49.811225891 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:49.811405897 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:50.045640945 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:57.115108013 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:57.168124914 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:05:57.338890076 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:05:57.386899948 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:02.681866884 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:02.905075073 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:06:02.905217886 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:03.077801943 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:06:03.121752024 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:03.292238951 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:06:03.310587883 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:03.545720100 CET117749714154.16.67.107192.168.2.5
                    Feb 25, 2021 22:06:03.545828104 CET497141177192.168.2.5154.16.67.107
                    Feb 25, 2021 22:06:03.780078888 CET117749714154.16.67.107192.168.2.5

                    UDP Packets

                    TimestampSource PortDest PortSource IPDest IP
                    Feb 25, 2021 22:03:56.743313074 CET5221253192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:56.809534073 CET53522128.8.8.8192.168.2.5
                    Feb 25, 2021 22:03:57.711662054 CET5430253192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:57.726392984 CET5378453192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:57.760504007 CET53543028.8.8.8192.168.2.5
                    Feb 25, 2021 22:03:57.775048018 CET53537848.8.8.8192.168.2.5
                    Feb 25, 2021 22:03:57.817925930 CET6530753192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:57.821000099 CET6434453192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:57.869700909 CET53653078.8.8.8192.168.2.5
                    Feb 25, 2021 22:03:57.871443033 CET53643448.8.8.8192.168.2.5
                    Feb 25, 2021 22:03:57.901843071 CET6206053192.168.2.58.8.8.8
                    Feb 25, 2021 22:03:57.906250954 CET6180553192.168.2.58.8.8.8
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Feb 25, 2021 22:03:57.950452089 CET | 53 | 62060 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:03:57.954894066 CET | 53 | 61805 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:00.116924047 CET | 54795 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:00.179063082 CET | 53 | 54795 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:00.717344046 CET | 49557 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:00.776315928 CET | 53 | 49557 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:01.398634911 CET | 61733 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:01.455738068 CET | 53 | 61733 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:02.309930086 CET | 65447 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:02.369333982 CET | 53 | 65447 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:03.224991083 CET | 52441 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:03.276603937 CET | 53 | 52441 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:04.140477896 CET | 62176 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:04.188950062 CET | 53 | 62176 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:05.006977081 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:05.056700945 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:05.870940924 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:05.919836998 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:06.792341948 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:06.886455059 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:08.029510021 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:08.078099966 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:10.038857937 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:10.313076019 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:11.277034998 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:11.325793028 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:13.076601028 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:13.125665903 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:25.570389032 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:25.621350050 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:34.125613928 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:34.174144030 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:52.387094975 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:52.444765091 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:52.757637978 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:52.809149027 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:53.096856117 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:53.158231020 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:58.394128084 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:58.447798014 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:04:59.853595972 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:04:59.902231932 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:05:00.350521088 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:05:00.408370972 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
                    Feb 25, 2021 22:05:31.741476059 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
                    Feb 25, 2021 22:05:31.792717934 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5

                    DNS Queries

                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                    Feb 25, 2021 22:04:10.038857937 CET | 192.168.2.5 | 8.8.8.8 | 0xdefc | Standard query (0) | newss.myq-see.com | A (IP address) | IN (0x0001)

                    DNS Answers

                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                    Feb 25, 2021 22:04:10.313076019 CET | 8.8.8.8 | 192.168.2.5 | 0xdefc | No error (0) | newss.myq-see.com | (none) | 154.16.67.107 | A (IP address) | IN (0x0001)

                    Code Manipulations

                    Statistics

                    CPU Usage

                    Memory Usage

                    High Level Behavior Distribution

                    System Behavior

                    General

                    Start time: 22:04:04
                    Start date: 25/02/2021
                    Path: C:\Users\user\Desktop\jvHSccqW.exe
                    Wow64 process (32bit): true
                    Commandline: 'C:\Users\user\Desktop\jvHSccqW.exe'
                    Imagebase: 0xfe0000
                    File size: 46080 bytes
                    MD5 hash: EFEFF4B4242776D6576B0FB18F35D52C
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: .Net C# or VB.NET
                    Yara matches:
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.219246907.0000000000FE2000.00000002.00020000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.484166821.0000000000FE2000.00000002.00020000.sdmp, Author: Joe Security
                    Reputation: low

                    Disassembly

                    Code Analysis
                      Executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 8k
                      • API String ID: 0-2351306452
                      • Opcode ID: 14f0f3af2c74df271e306e9fc01a316b43d4b56c6c8b2ab261f6d6f7291f972f
                      • Instruction ID: 46dab05fbcee7031ab5fd89deac2ebb6234e430d3e99d5dc12495b04489b704a
                      • Opcode Fuzzy Hash: 14f0f3af2c74df271e306e9fc01a316b43d4b56c6c8b2ab261f6d6f7291f972f
                      • Instruction Fuzzy Hash: 02D16E70E00209CFCB15DFE8C484AAEFBF6FF88314F158559E919AB291D734A946CB90
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 8k
                      • API String ID: 0-2351306452
                      • Opcode ID: bfd96e7df74918e760894cd8c3edaee0e817a4697e20ee56e4035b1a8cc0c1e3
                      • Instruction ID: c0e6c784274f67701db2914c7d9820e5be8b1ad738e2513ac504bdf06697f299
                      • Opcode Fuzzy Hash: bfd96e7df74918e760894cd8c3edaee0e817a4697e20ee56e4035b1a8cc0c1e3
                      • Instruction Fuzzy Hash: 2EB15E70F00209CFDB11DFA9C9857DEBBF6AF88314F148529E919A7394DB749885CB81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 8k
                      • API String ID: 0-2351306452
                      • Opcode ID: fad7c60633515bda4640805648482444ec7103e94ca32e6aa69a3465042e9df8
                      • Instruction ID: 6691dba6442628718c672ccd469a6696427f4bc20f16e7f06134be0c29e632bc
                      • Opcode Fuzzy Hash: fad7c60633515bda4640805648482444ec7103e94ca32e6aa69a3465042e9df8
                      • Instruction Fuzzy Hash: BBB16D70E00209CFDB11CFA9C98579EBBF6AF88358F148529E81DA7395DB749885CB81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 01906252
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: 8k
                      • API String ID: 1029625771-2351306452
                      • Opcode ID: 0a3c52c3736dae092c705eb7c6a7a301d20c00a97db189128139b3d85cd11b5e
                      • Instruction ID: f0a47f6f0ba565c8ac937279990b4576d8b517dd5027277a329d22197d0ee069
                      • Opcode Fuzzy Hash: 0a3c52c3736dae092c705eb7c6a7a301d20c00a97db189128139b3d85cd11b5e
                      • Instruction Fuzzy Hash: 714132B1E002598FDB15CFA8C88579EBBF1BB49314F148629E819EB380D7789496CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      APIs
                      • LoadLibraryA.KERNELBASE(?), ref: 01906252
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID: LibraryLoad
                      • String ID: 8k
                      • API String ID: 1029625771-2351306452
                      • Opcode ID: b3e15e85f204ffee209e388a9db6874584facfd77dfd82dd3c6d45a92190109f
                      • Instruction ID: ca900189501a5bcbf679a92dc65e08aa4d813de369ddd621e7caf22631047f44
                      • Opcode Fuzzy Hash: b3e15e85f204ffee209e388a9db6874584facfd77dfd82dd3c6d45a92190109f
                      • Instruction Fuzzy Hash: 7C3132B0E002498FDF15DFA8C88579EBBF5BB49314F148629E819EB380D7789495CB91
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Non-executed Functions

                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID: 8k
                      • API String ID: 0-2351306452
                      • Opcode ID: 60c38a31bfabc71d27e33c2f563621d8e78e5c9ecd2d59c9a15d50d907a3f0d1
                      • Instruction ID: 8a5963d1722885df8c3e9f2318b9a186e0b19ec6c28fb5e2494b803cc225bb66
                      • Opcode Fuzzy Hash: 60c38a31bfabc71d27e33c2f563621d8e78e5c9ecd2d59c9a15d50d907a3f0d1
                      • Instruction Fuzzy Hash: A0919E70F002099FDF11CFA8C9847EEBBF6AF88314F148529E419A7394EB749885CB81
                      Uniqueness

                      Uniqueness Score: -1.00%

                      Memory Dump Source
                      • Source File: 00000000.00000002.485277617.0000000001900000.00000040.00000001.sdmp, Offset: 01900000, based on PE: false
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7f098c1e82d2f5de39fdcada1b8d3765691325553c1e60ca1512820b11e5cfde
                      • Instruction ID: fc979756ab09c7048fe0225cfd4480b402b65b1a045dfab5fc07ba2fbbd675da
                      • Opcode Fuzzy Hash: 7f098c1e82d2f5de39fdcada1b8d3765691325553c1e60ca1512820b11e5cfde
                      • Instruction Fuzzy Hash: 17818E34B08214CFCF299F79945467E76B7BFC8304B468829A51AEB3C8DF35D9068B91
                      Uniqueness

                      Uniqueness Score: -1.00%