Edit tour

Windows Analysis Report
2xPiYIsfF2.exe

Overview

General Information

Sample name:	2xPiYIsfF2.exe renamed because original name is a hash value
Original sample name:	7f8e9b9a8d61036952bb4314476e59b4.exe
Analysis ID:	1550130
MD5:	7f8e9b9a8d61036952bb4314476e59b4
SHA1:	2b8ee0f96325ee896bf5a1b287e71c3dc5912c53
SHA256:	96813ba6cac67b87eb7e8b7b70aaf9333972acddd4fa25522e3b689c3bcd25f3
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

2xPiYIsfF2.exe (PID: 984 cmdline: "C:\Users\user\Desktop\2xPiYIsfF2.exe" MD5: 7F8E9B9A8D61036952BB4314476E59B4)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "cdt2023.ddns.net,chromedata.accesscam.org,chromedata.webredirect.org,cepas2023.duckdns.org,127.0.0.1,45.40.96.97", "Ports": "6606,7707,8808,3313,3314,9441,9442,9443,2900,1018,2019,2020,2021,5155,6666,9999,5505", "Version": "AWS | 3Losh", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "svchost.exe", "AES_key": "KkZYHxIGysm6Zcj8kvXvAi9bjz0et3Lq", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "OwErlRIx9Ksn0/q0hdM1Kx86vaoPpELZCmTMB0RLN7GRj1LCBKblFaQfwvLyzsFTI/N60zD3zcjW4fPwI37sow==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "ServerSignature": "Kh6LNSh8tc00sDInglbl7OHHaoQrJnj4B5un5cpLy67rzMw8vZGBGGFvQp5AaHmNmaJBVTE1QpfF/V3ZHMGhjmokjqCefgJ/W90hffuCkTr3CXoC2ifs1hvSAxXoNv49n0d1sQOkwlIReir1S33ZcZ/bdKK6/QbrxhAlX+cSkmFsG4jbPuLVdNJtn3lRy3Pn5WY9QP/hSAQQK3BHuLoMBjhC4hl4s7lYuOreW/abq9kN6kbxlzdteDEuno6VvZkuaRqD3DyiABDaMKuXlwDGJsTodRFX80+f6TUQ/HjShVUWjI3x+//TFgpy9oTXm6fS0HYmZAz1hgD4iM65En4g6J8BKkrSvvOTX3pho66TeYq9ozC3JF/by3Q0CqwNuphHJaTCosI/TOqQj4oV8st4zmLQomDRqWAvVZkZvVupddapAMNd7kRthzYBJ7Lj1du12Ht9iM+LpiCE3gwAff/JKA7YlKpz5RwQoKROvQjTUkoBxqDg4aH/02Y5X+LR9lTfBCFJ+hcmP0lDh5p8gdW8hvlc7oqdd9bJqbgcuEXT/1f/TlMwsSorROC+7IDwAe9i5DUzoU73D7Lgk1vETjfu9nOjUt8z21khN9qvg7XRQaJ4RPgIf5bRBMI73HcLzmDBvvv3QpBtVsa/FZkoOGR9fxiBBj6laF7EO3z+bL89qGE=", "Group": "C.M.D_2024"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
2xPiYIsfF2.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
2xPiYIsfF2.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
2xPiYIsfF2.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd608:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xfe38:$a2: Stub.exe 0xfec8:$a2: Stub.exe 0x9d1d:$a3: get_ActivatePong 0xd820:$a4: vmware 0xd698:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xac4a:$a6: get_SslClient
2xPiYIsfF2.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd69a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x57c:$x1: AsyncRAT 0x5ba:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd408:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10238:$a2: Stub.exe 0x102c8:$a2: Stub.exe 0x9b1d:$a3: get_ActivatePong 0xd620:$a4: vmware 0xd498:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xaa4a:$a6: get_SslClient
00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd49a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3ac6b:$x1: AsyncRAT 0x3aca9:$x1: AsyncRAT 0x5da33:$x1: AsyncRAT 0x5da71:$x1: AsyncRAT 0x610c7:$x1: AsyncRAT 0x61105:$x1: AsyncRAT
00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2bbc3:$x1: AsyncRAT 0x2bc01:$x1: AsyncRAT
Process Memory Space: 2xPiYIsfF2.exe PID: 984	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: 2xPiYIsfF2.exe PID: 984	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x13e4a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: 2xPiYIsfF2.exe PID: 984	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2176f:$x1: AsyncRAT 0x217a1:$x1: AsyncRAT 0x217bb:$x1: AsyncRAT 0x28f53:$x1: AsyncRAT 0x28f85:$x1: AsyncRAT 0x13f10:$s6: VirtualBox 0x13ec3:$s8: Win32_ComputerSystem
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.2xPiYIsfF2.exe.be0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.2xPiYIsfF2.exe.be0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.2xPiYIsfF2.exe.be0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd608:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xfe38:$a2: Stub.exe 0xfec8:$a2: Stub.exe 0x9d1d:$a3: get_ActivatePong 0xd820:$a4: vmware 0xd698:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xac4a:$a6: get_SslClient
0.0.2xPiYIsfF2.exe.be0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd69a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T14:07:59.688403+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49706	TCP
2024-11-06T14:08:37.826465+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.5	49905	TCP

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T14:07:48.384272+0100	2035595	1	Domain Observed Used for C2 Detected	128.90.103.230	9443	192.168.2.5	49704	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T14:07:48.384272+0100	2035607	1	Domain Observed Used for C2 Detected	128.90.103.230	9443	192.168.2.5	49704	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-06T14:07:48.384272+0100	2842478	1	Malware Command and Control Activity Detected	128.90.103.230	9443	192.168.2.5	49704	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 2xPiYIsfF2.exe

Avira: detected

Found malware configuration

Source: 2xPiYIsfF2.exe

Malware Configuration Extractor: AsyncRAT {"Server": "cdt2023.ddns.net,chromedata.accesscam.org,chromedata.webredirect.org,cepas2023.duckdns.org,127.0.0.1,45.40.96.97", "Ports": "6606,7707,8808,3313,3314,9441,9442,9443,2900,1018,2019,2020,2021,5155,6666,9999,5505", "Version": "AWS | 3Losh", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "svchost.exe", "AES_key": "KkZYHxIGysm6Zcj8kvXvAi9bjz0et3Lq", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "false", "External_config_on_Pastebin": "false", "BDOS": "null", "Startup_Delay": "3", "HWID": "OwErlRIx9Ksn0/q0hdM1Kx86vaoPpELZCmTMB0RLN7GRj1LCBKblFaQfwvLyzsFTI/N60zD3zcjW4fPwI37sow==", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "ServerSignature": "Kh6LNSh8tc00sDInglbl7OHHaoQrJnj4B5un5cpLy67rzMw8vZGBGGFvQp5AaHmNmaJBVTE1QpfF/V3ZHMGhjmokjqCefgJ/W90hffuCkTr3CXoC2ifs1hvSAxXoNv49n0d1sQOkwlIReir1S33ZcZ/bdKK6/QbrxhAlX+cSkmFsG4jbPuLVdNJtn3lRy3Pn5WY9QP/hSAQQK3BHuLoMBjhC4hl4s7lYuOreW/abq9kN6kbxlzdteDEuno6VvZkuaRqD3DyiABDaMKuXlwDGJsTodRFX80+f6TUQ/HjShVUWjI3x+//TFgpy9oTXm6fS0HYmZAz1hgD4iM65En4g6J8BKkrSvvOTX3pho66TeYq9ozC3JF/by3Q0CqwNuphHJaTCosI/TOqQj4oV8st4zmLQomDRqWAvVZkZvVupddapAMNd7kRthzYBJ7Lj1du12Ht9iM+LpiCE3gwAff/JKA7YlKpz5RwQoKROvQjTUkoBxqDg4aH/02Y5X+LR9lTfBCFJ+hcmP0lDh5p8gdW8hvlc7oqdd9bJqbgcuEXT/1f/TlMwsSorROC+7IDwAe9i5DUzoU73D7Lgk1vETjfu9nOjUt8z21khN9qvg7XRQaJ4RPgIf5bRBMI73HcLzmDB

Multi AV Scanner detection for submitted file

Source: 2xPiYIsfF2.exe

ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2xPiYIsfF2.exe

Joe Sandbox ML: detected

Source: 2xPiYIsfF2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2xPiYIsfF2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 128.90.103.230:9443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 128.90.103.230:9443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 128.90.103.230:9443 -> 192.168.2.5:49704
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 128.90.103.230:9443 -> 192.168.2.5:49704

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: cdt2023.ddns.net
Source: Malware configuration extractor	URLs: chromedata.accesscam.org
Source: Malware configuration extractor	URLs: chromedata.webredirect.org
Source: Malware configuration extractor	URLs: cepas2023.duckdns.org

Yara detected Generic Downloader

Source: Yara match	File source: 2xPiYIsfF2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 128.90.103.230:9443

Source: Joe Sandbox View

ASN Name: PHMGMT-AS1US PHMGMT-AS1US

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49706
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.5:49905

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: chromedata.webredirect.org

Source: 2xPiYIsfF2.exe, 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 2xPiYIsfF2.exe, 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabu
Source: 2xPiYIsfF2.exe, 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 2xPiYIsfF2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: 2xPiYIsfF2.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 2xPiYIsfF2.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Code function: 0_2_012174C0	0_2_012174C0
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Code function: 0_2_01217D90	0_2_01217D90
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Code function: 0_2_01217178	0_2_01217178
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Code function: 0_2_01218290	0_2_01218290
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Code function: 0_2_0121D7B0	0_2_0121D7B0

Source: 2xPiYIsfF2.exe, 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs 2xPiYIsfF2.exe
Source: 2xPiYIsfF2.exe	Binary or memory string: OriginalFilenameStub.exe" vs 2xPiYIsfF2.exe

Source: 2xPiYIsfF2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 2xPiYIsfF2.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2xPiYIsfF2.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: 2xPiYIsfF2.exe, UMVUTXjKgh.cs

Base64 encoded string: 'WW8C0vydmbF4/SENk1SB1+UbN2GxFZtM5h3Rf877xDoXDggrKVkhcVl2PeAnXO9CXN1wtHUUGXFhc5MxjlLVtQ==', 'rgo/FgPHKpN/x5qwXKUz0VjF0zT34/ue+yhzcn/nEWA0P1PHKUQzBPVKAnNVboCPvZ+FHe+mSi+xj0NOTADmw1n77pH7PMkQugfGfoQSTzc=', 'pA0WLDzgb86NR31q/K4DbNIofSJBMNmwhYRDHvs2Oz9288FoinKswg4St7AR6L4WqATgVL08ws0yIzSMhJOTQzaHN0FD2B5y+IWPgeSXSEF1s4KqJ4N5w91CgmlOGmUhCNvfFd5CqtUpzUVNkyujuDPP4v1W5f8hsILgtcyoEeKcvZ2rpcmCsbMZvSKO46xt+HRov6h0bxy+k9lWfj1EAJIVPSvled7usfXfoJw8vUrH21QMzvNXivFgWx1MowzynbefsWm0izWjFPSLUl2cxEgAhSeyJL6Edr2Y519WhKTtoEsiDQry4UvDR43kriD/nlEshUM14yoHcZTgn+cKnmMEc5/zgf0PIeGFuu9UGBVmESMige7pAvmTF7SMNGg/4ibamW0UKaOPLjgVktkhh5rlQcKZwBOomnXWH+N9oq0jpltwEFuSvQYz4fS2vbeRim6p9pde0ZR8RDQoK97zf+RCSKi4Av0FKcBgiBrtEUcQEW7FL1q5KD+MN7hD1Ejs6QmI+7ERgp9F0Y3dftocVvvjlVb4DjnTwGbgWlCTyEXP5uct0lzwI3iAUjkrY7hadyLRRuCUqOee26txrgVAcWKcG6ZNC3tFmxStBsgfOOm5a168yLPiROAT4nep3PwMPJMmS3ZX/wHo2V+x3aPn6ZDngsJ1DAFHGOEnpuVC6SGeHSB0wZgQSvq0yZrZuuVE2YSeWsc17i4TJBF2SynFH2l/ja+5MvpjkY2FUw/LnxefQBj49WWDBsJ05hViPtxq+otfnBlrBEB3z0nzI3p04lHmN+B1tS8unVtHjgILbVn2hoHIEdEI1uaiuyDwuJj8Q5MhIeAzBNaC/kRETmzy0KxPxcChYuFtgjgQf1jEAhQeQHePrFxTeSWp+x79YtM6r4Sq45qnZ2aa/msGC3aRv6a1CGjI+TCai882w9rXTaH4Ng9hP6uWZQNX+Er/c/C5NdFMEIiSfjVZvOwJ4wPopNCxPhOA2M38YU3cGnjGbgBJT865ngVtUyCn1xJadyvRfW8BDcbNUp8jtJhdkZOWNYnhiVazhjyWqs6L668K1nTR6jR3GE02VHojLLL6vfp6ZKLQQ6CzZ3mauwm2tXWtESkbBmrXsZxdglnNZsQI3RU5C4vVGysRhAm65cVBmWhkx2uDX+MuspPRCx4tqDVfVgZL2sMSHkPurmQ90FaNxaJkRxtXjW13RAkoU0W6TG5y3QfQ55DhXPfcf44qBnz8zqBv9tFR7aYQx1vzGmO6onqysUFSZzesRuTp7DWXJ3sR8nZ5ysuSlecIhGCYySBgBpZAS6pATdWw1Cp1UWN+j2Cjs7O3/1XZvyiJcE6P6dq4Wdnh1WAxDxKR5uLhjA0LwRulpe+ApnCtdm14st4Z5htzMxKOhNwintMOXw2/orQYhwgHDPIOjLgRHz30MDYLjP4jU7JRvV3DNmu2/Zv/N47H9BP/gnCKwA8qUwhLTNh18jZ+E6JX/1/QtWInlbnD5fAqIt+3sn/j1daYZBJwu1BwIQO3K1Xu9sOATRASMy40b0oIB11kgHzpS7oy2c4nW7lYvyKKXX4OyBnTnE+pI8tWH1WKPaYYWxbV/MB0DgeHXfwNNdtHjC5L1dSG4lhD2rpO4KXqywcIHTSREht0Oi2FD59TBxRFtii0uDkZ5twkPmsaFtQ9Q0VWBgQdTRlL+KItbIjHdC0fFYJNf8UlA+/6wx+CLwNfOjzuLic+wtJZvcmDaAXsNbRzygUZ16Idmys83MfjNn1N239ZRIPqNCVZ+//+wRakoS7tDrzRm9TRjlEGKLX2qVdxq4PkxQK50xPGJbsscQ3y9YILB/6InnRzQzvemQ4bxqOFNXK5WZhqQXUL1ciFHRzmQGhayrCfN8D7GMRrOGFoxhP/rXzu74SGUPtr3lcqtEk7LghgHsm7XasagjAkqbCGdSbOEteFLL0rJPqeCOlO//7NlFtOJ7RYyLXSGbKtorrtFo4admYyBknqfvcEVZvt6TJQ6F1c8QHUne65/eKALrhYB+7q1trS7M4P7Qbp8g2FwZT3uQQ+uwZ6ICEU8sxoYvOAAwdnQcmRt2z/mYE5UPcj9GB/r//5GH5M7X6B1u1zM9noo4hUD+SSMfpu10q4Azcck1AzRfY7Av6kN016R5Ev0HFZ6ASSqlMpAUdPWuw9e7Wv+xuVCNaxvGhlcCpoweQJPHOrULkIWqWXosCQMQ/V7+oT1YXnAd/nw4VfbWMnm7HJ2qdCyD6rbDt3kTfZxvpAX2VBDB+RA1QUoweKmZ78kbdmiqNX97eGU4kBk5sQc9q06COt4RU3GVyV1hMULPKDhvIBun2owWAWHbZ2CE8h+BmKQuw=', 'gupO28d9AgywSRxycYGh1IMlYLOi9ElgL+y9WTRtzfSxcuIGdZOPCvtQGOPqOpZ8gm2zEIH7prO/xzo7I+sbRNnZzpON7DDxoIo2MKG9aMuoqN0+598D9cakLX39Ekdb3BVyu+KcDv9zipYk4KG4DdGzZ52IqawJGvcnBIDfNN6LF2ME4/2E1Wro9gqXpt1ReqdSeJQ9rUqR5zpxt2Otnr7kNtp0wtIMRyF4h4/LNWV4EE8zNe7vhq/xFqEZXHDt+BC8oQJKFF0+w1gMt6gLb0iKkYB3AY1gawGDEsCh52uuiu4b65+nlRCqAXtjmLyDtGRwvPbNr7hPczLskH1YASHkog1d4G+RUVZhJfcYsv3ABhx8fRWnFxp+QO/X+hr39JdO0cHLROUDyv1IXhPyyYpJGaRZw19gHOMAefS45hHgMJNCMhgtXpmvUjM

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@1/1

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: 2xPiYIsfF2.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 2xPiYIsfF2.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2xPiYIsfF2.exe

ReversingLabs: Detection: 78%

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: 2xPiYIsfF2.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 2xPiYIsfF2.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: 2xPiYIsfF2.exe, ysXcPVGWJvCX.cs

.Net Code: MXIJoVbVokLcRY System.AppDomain.Load(byte[])

Source: 2xPiYIsfF2.exe, QlSTlmGLjgJN.cs

High entropy of concatenated method names: 'WnVnBXPgnxdc', 'RDiiOEQTYHrfW', 'UkKdtqAlNjm', 'RxkDIhXYbYNL', 'iGcKWrRgzisPdXzAH', 'MtZWLfwPpSVf', 'HTQQyKGwNfmOAX', 'YMFAoBlgokxJ', 'WHscnEPfhOW', 'tinKJNGLKHvLF'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 2xPiYIsfF2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: 2xPiYIsfF2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 2xPiYIsfF2.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Memory allocated: 1210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Memory allocated: 2F40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Memory allocated: 4F40000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Window / User API: threadDelayed 6856			Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Window / User API: threadDelayed 2974			Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe TID: 6152	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe TID: 6204	Thread sleep time: -24903104499507879s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe TID: 4832	Thread sleep count: 6856 > 30	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe TID: 4832	Thread sleep count: 2974 > 30	Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: 2xPiYIsfF2.exe, 00000000.00000002.4512606463.000000000132C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8qg
Source: 2xPiYIsfF2.exe	Binary or memory string: vmware
Source: 2xPiYIsfF2.exe, 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: 2xPiYIsfF2.exe, 00000000.00000002.4514321618.000000000557A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Queries volume information: C:\Users\user\Desktop\2xPiYIsfF2.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\2xPiYIsfF2.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 2xPiYIsfF2.exe, type: SAMPLE
Source: Yara match	File source: 0.0.2xPiYIsfF2.exe.be0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 2xPiYIsfF2.exe PID: 984, type: MEMORYSTR

Source: 2xPiYIsfF2.exe, 00000000.00000002.4514670846.000000000570B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\2xPiYIsfF2.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
2xPiYIsfF2.exe	79%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
2xPiYIsfF2.exe	100%	Avira	TR/Dropper.Gen
2xPiYIsfF2.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bg.microsoft.map.fastly.net	199.232.210.172	true	false		high
chromedata.webredirect.org	128.90.103.230	true	true		unknown

Contacted URLs

Name	Malicious	Reputation
cdt2023.ddns.net	false	high
chromedata.webredirect.org	false	high
cepas2023.duckdns.org	false	high
chromedata.accesscam.org	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	2xPiYIsfF2.exe, 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
128.90.103.230	chromedata.webredirect.org	United States		22363	PHMGMT-AS1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1550130
Start date and time:	2024-11-06 14:06:50 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2xPiYIsfF2.exe renamed because original name is a hash value
Original Sample Name:	7f8e9b9a8d61036952bb4314476e59b4.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@1/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 60 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 199.232.210.172
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target 2xPiYIsfF2.exe, PID 984 because it is empty
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: 2xPiYIsfF2.exe

Simulations

Behavior and APIs

Time	Type	Description
08:07:49	API Interceptor	7816620x Sleep call for process: 2xPiYIsfF2.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bg.microsoft.map.fastly.net	Invoice.msg	Get hash	malicious	Unknown	Browse	199.232.210.172
	13019197532345811579.js	Get hash	malicious	Strela Downloader	Browse	199.232.214.172
	Gantt_Excel_Pro_Daily_Free1.xlsm	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://tr.apsis.one/e/BQf6Ly_NQaGdZtIyE9-tng/3lrpV7lSSP2Z5s0c5xWdEg/ln_9BtzivhtI_KJQNj5kCuaI/vcJdXtLBbK596W10niZVw8e08muc2sIkVCjdxfo2wWNAJh03ylvMgHM	Get hash	malicious	Unknown	Browse	199.232.210.172
	SpamLog.pptx	Get hash	malicious	Unknown	Browse	199.232.210.172
	Business_Proposal_37362525-__Pdf.eml	Get hash	malicious	Unknown	Browse	199.232.214.172
	https://www.google.co.in/url?q=jODz3y3HOSozuuQiApLh&rct=5CHARyytTPSJ3J3wDcT&sa=t&esrc=sf_rand_string_mixed(5)FgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2Fir.nbaikp3.sa.com%2Fdelaw%2Flawn%2Fkoo%2Fsf_rand_string_mixed(24)/	Get hash	malicious	Unknown	Browse	199.232.214.172
	SpamLog.pptx	Get hash	malicious	Unknown	Browse	199.232.210.172
	https://encirc-my.sharepoint.com/:u:/g/personal/gaynor_isaac_encirc360_com/EblrlakCiY9DrsVe1OHInZUBp5tMLaT62sfCgcgcXrtL7g?e=RtyeKG	Get hash	malicious	Unknown	Browse	199.232.210.172
	update.hta	Get hash	malicious	Cobalt Strike, Sliver	Browse	199.232.214.172
chromedata.webredirect.org	CDT.ps1	Get hash	malicious	AsyncRAT	Browse	45.164.103.8
	U2DhKOFGy6.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	OQQZ5w8pzt.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	65q17S35cb.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	Reservation Detail Booking.com ID.bat	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	128.90.129.125
	image.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	128.90.129.125
	info2.ps1	Get hash	malicious	AsyncRAT	Browse	91.109.188.7
	hindi.js	Get hash	malicious	AsyncRAT	Browse	45.164.102.28

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
PHMGMT-AS1US	OhWWbQcp7Q.exe	Get hash	malicious	AveMaria, UACMe	Browse	128.90.129.125
	hb21QzBgft.exe	Get hash	malicious	AveMaria, UACMe	Browse	128.90.129.125
	U2DhKOFGy6.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	uVyl5BbR2M.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	ahMvIr4vjN.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	WlewaiA251.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	meORoynQKS.exe	Get hash	malicious	ArrowRAT	Browse	128.90.129.125
	OeyoNPTUuj.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	NUO7hWbWCz.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125
	nRfBYvq4io.exe	Get hash	malicious	AsyncRAT	Browse	128.90.129.125

Process:	C:\Users\user\Desktop\2xPiYIsfF2.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\2xPiYIsfF2.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.2310997727285145
Encrypted:	false
SSDEEP:	6:kKXD9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:/aDImsLNkPlE99SNxAhUe/3
MD5:	638F8F9722ED297246D89E434A952A4D
SHA1:	2DBD8F908CEB3F24BD086D56771BC09A18EB9CCD
SHA-256:	F8F401C442F9660E4771F8F599206D42E3AF20FFCA34C0E782704C61FE385FE1
SHA-512:	38DAB7A9A8D68F242BECCB62602C8DC0941BB31ED2831A812DB46027A1FD38DDA0B7D2F4D8C0E89807CF0D4DA7FE4FD5E63CFC2B1940C42972C83F8C0DAA91FB
Malicious:	false
Reputation:	low
Preview:	p...... .......... .L0..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	4.437965253993621
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	2xPiYIsfF2.exe
File size:	90'112 bytes
MD5:	7f8e9b9a8d61036952bb4314476e59b4
SHA1:	2b8ee0f96325ee896bf5a1b287e71c3dc5912c53
SHA256:	96813ba6cac67b87eb7e8b7b70aaf9333972acddd4fa25522e3b689c3bcd25f3
SHA512:	df56a290d7acc0bed5402b7963554f7264fce00f1d2f3fc2006feb5ae4cc41bd577417257a58642a8da0fc84025677dfc67b8c264be3fe6dbf7570f6a24da119
SSDEEP:	1536:Q23fiwQkmEVHKSDpTL+eOss4YuVE8jU6a0x1MVHb6rcKqTFlMVElUX8rzTRcx:Q23fiwQkpE8jU6alVHb6YKq5X1LOx
TLSH:	58931A053BE8802AF2BE8FB459F6728545F5F56F2902D91D1C8950CB1632BC29D42EBF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....dMe................................. ... ....@.. .......................`............`................................

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x4117fe
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x654D64CA [Thu Nov 9 23:01:30 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x117b0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xf804	0xfa00	3a321f8c74068ae7a9ccec4d4868152e	False	0.510859375	data	5.577047670279842	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x7ff	0x800	33cdbc5c50f34a35b4f0e61582ac7f11	False	0.41650390625	data	4.884866150337139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	657167a4ac6d858de92b49e26d282de8	False	0.041015625	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1236c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-06T14:07:48.384272+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	128.90.103.230	9443	192.168.2.5	49704	TCP
2024-11-06T14:07:48.384272+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	128.90.103.230	9443	192.168.2.5	49704	TCP
2024-11-06T14:07:48.384272+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	128.90.103.230	9443	192.168.2.5	49704	TCP
2024-11-06T14:07:48.384272+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	128.90.103.230	9443	192.168.2.5	49704	TCP
2024-11-06T14:07:59.688403+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	49706	TCP
2024-11-06T14:08:37.826465+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.5	49905	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 14:07:47.242758036 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:47.247688055 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:47.247771978 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:47.259416103 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:47.264338017 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.371781111 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.371798992 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.371851921 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:48.371927977 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.379483938 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:48.384272099 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.668497086 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:48.718931913 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:49.838764906 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:49.843681097 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:49.843746901 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:49.848582983 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:56.704356909 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:56.711960077 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:56.712071896 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:56.719324112 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:56.998493910 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:57.047066927 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:57.163502932 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:57.186162949 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:57.191134930 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:07:57.191188097 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:07:57.196064949 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:03.582657099 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:03.587433100 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:03.587570906 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:03.592463017 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:03.876923084 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:03.922060013 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:04.044238091 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:04.046533108 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:04.051548004 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:04.051681995 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:04.056610107 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.454097033 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:10.458909988 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.458965063 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:10.463835955 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.745047092 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.797086000 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:10.909120083 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.912300110 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:10.917154074 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:10.917234898 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:10.922080040 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:17.298676968 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:17.300338984 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:17.300378084 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:17.300421953 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:17.300453901 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:17.328944921 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:17.333903074 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:17.333996058 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:17.338973045 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:18.098391056 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:18.140826941 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:18.350760937 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:18.353538990 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:18.358381033 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:18.358422995 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:18.363487005 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.206643105 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:24.211385012 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.211611986 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:24.216413975 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.701903105 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.750195026 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:24.868449926 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.871884108 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:24.876751900 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:24.878679037 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:24.883624077 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.079022884 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:31.084053993 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.084783077 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:31.089699030 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.370508909 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.422071934 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:31.535620928 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.538537979 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:31.543395042 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:31.543452024 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:31.548261881 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:37.956058979 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:37.961007118 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:37.961066961 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:37.966042042 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:38.247351885 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:38.297847033 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:38.411634922 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:38.413888931 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:38.418701887 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:38.418787003 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:38.423520088 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:44.828933001 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:44.833801985 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:44.833897114 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:44.838732958 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:45.140208006 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:45.187773943 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:45.304369926 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:45.306287050 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:45.311192989 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:45.311247110 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:45.316983938 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:47.052510977 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:47.093947887 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:47.216653109 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:47.265885115 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:51.704221964 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:52.015827894 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:52.183450937 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:52.183465958 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:53.127319098 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:53.172089100 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:53.291213036 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:53.296794891 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:53.302383900 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:53.302462101 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:53.307354927 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:54.830424070 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:54.835447073 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:54.842730999 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:54.847893000 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:55.130153894 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:55.174727917 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:55.294671059 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:55.346693993 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:55.360285997 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:55.366476059 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:55.366568089 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:55.372267962 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.000730038 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:57.005736113 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.005892038 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:57.010828972 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.310914040 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.359653950 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:57.476078033 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.484179974 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:57.489156961 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:08:57.489304066 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:08:57.494362116 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:03.876178026 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:03.881226063 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:03.881284952 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:03.886174917 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:04.171768904 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:04.289771080 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:04.486399889 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:04.593978882 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:04.644851923 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:04.649667978 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:04.649729967 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:04.654536963 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:10.750859976 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:10.755702019 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:10.755764008 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:10.760869026 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:11.061943054 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:11.206712008 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:11.226963997 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:11.229116917 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:11.234106064 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:11.234224081 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:11.239151955 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.313775063 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:14.318674088 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.318730116 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:14.323591948 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.604619026 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.703331947 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:14.768429041 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.774262905 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:14.779249907 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:14.779328108 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:14.784198999 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:15.282773018 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:15.406434059 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:15.453526020 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:15.593950033 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.047790051 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.052726030 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:18.052769899 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.057612896 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:18.547250986 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:18.594007969 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.712766886 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:18.781435966 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.786331892 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:18.788718939 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:18.793689966 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:22.688404083 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:22.693681955 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:22.693809032 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:22.698683023 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:22.979326963 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:23.093940020 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:23.143759012 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:23.154438972 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:23.159286976 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:23.162789106 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:23.167720079 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:29.566729069 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:29.571891069 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:29.572004080 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:29.576884031 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:29.868350029 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:29.988420010 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:30.045690060 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:30.051465988 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:30.056385994 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:30.056451082 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:30.061315060 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.510783911 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:36.515656948 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.515706062 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:36.520592928 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.801537991 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.897761106 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:36.966902971 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.968975067 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:36.973759890 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:36.973877907 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:36.979516983 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.375888109 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:43.380867004 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.382777929 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:43.387727022 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.671672106 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.839869976 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.842834949 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:43.852108955 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:43.857506037 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:43.857609034 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:43.862728119 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:45.316701889 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:45.390893936 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:45.481261015 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:45.705637932 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.250711918 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.257415056 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:50.257502079 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.264478922 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:50.544024944 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:50.624021053 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.712471962 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:50.715104103 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.721759081 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:50.721832991 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:50.728475094 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.128820896 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:57.134118080 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.140763044 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:57.145657063 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.428647041 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.593966007 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:57.748614073 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.750991106 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:57.755919933 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:09:57.755989075 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:09:57.760974884 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.438913107 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:03.443881035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.444925070 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:03.449944973 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.758120060 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.892805099 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:03.921629906 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.922827005 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:03.928656101 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:03.929622889 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:03.936508894 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:04.234174967 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:04.399199009 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:04.399264097 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:04.404598951 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:04.409436941 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:04.409483910 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:04.414308071 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:10.797869921 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:10.805303097 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:10.805355072 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:10.810241938 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:11.090671062 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:11.203345060 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:11.254394054 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:11.257119894 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:11.262012959 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:11.262132883 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:11.267098904 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:15.307945013 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:15.406780958 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:15.473495007 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:15.594785929 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:17.686780930 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:17.691672087 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:17.693177938 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:17.698146105 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:18.514269114 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:18.562696934 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:18.714711905 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:18.717781067 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:18.722651958 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:18.722700119 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:18.728441954 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:22.767050982 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:22.772449017 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:22.772521019 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:22.778143883 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:23.090460062 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:23.140901089 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:23.254822016 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:23.257491112 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:23.263092995 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:23.263191938 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:23.268321991 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:29.642790079 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:29.649331093 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:29.650826931 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:29.655720949 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:29.845266104 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:29.851213932 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:29.854852915 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:29.859693050 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:31.541806936 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:31.687680006 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:31.706885099 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:31.709309101 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:31.714668036 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:31.714749098 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:31.719563961 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:36.719422102 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:36.724375010 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:36.725059032 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:36.730012894 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:37.681022882 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:37.849232912 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:37.852916956 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:37.858731985 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:37.863634109 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:37.864413977 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:37.869271994 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:43.597198009 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:43.603553057 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:43.603632927 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:43.608675003 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:44.628758907 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:44.738814116 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:44.796401978 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:44.798969030 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:44.803920031 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:44.803960085 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:44.808804035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:47.053072929 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:47.172950983 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:47.212973118 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:47.281768084 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:50.486205101 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:50.491255999 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:50.491323948 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:50.496177912 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:52.050600052 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:52.109415054 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:52.205636024 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:52.208262920 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:52.213160038 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:52.213212967 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:52.217995882 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.344643116 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:57.351649046 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.354954958 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:57.361788034 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.661573887 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.781440973 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:57.833198071 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.836560965 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:57.841356993 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:10:57.842883110 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:10:57.848131895 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:00.578900099 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:00.585242033 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:00.585295916 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:00.592834949 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:00.876545906 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:00.984580040 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:01.050004959 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:01.052172899 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:01.057123899 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:01.057284117 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:01.062094927 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.454843998 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:07.460370064 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.462925911 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:07.468027115 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.887391090 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.914313078 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.914391041 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:07.916279078 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:07.921421051 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:07.922873020 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:07.928643942 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.328958035 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:14.336294889 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.336357117 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:14.344348907 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.652636051 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.709420919 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:14.814840078 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.817466974 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:14.822352886 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:14.822416067 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:14.827382088 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:16.485271931 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:16.490262032 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:16.490304947 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:16.496081114 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:17.057821035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:17.222151995 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:17.225387096 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:17.387113094 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:17.390146971 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:17.394967079 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:17.395083904 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:17.399930000 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.298060894 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:23.303091049 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.303195000 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:23.308156013 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.600462914 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.750850916 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:23.764903069 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.768457890 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:23.773433924 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:23.773540974 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:23.779753923 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.346843958 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.351843119 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.351912022 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.358010054 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.640146017 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.690851927 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.695718050 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.695832014 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.701631069 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.814944983 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.820482969 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.825261116 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.825450897 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:25.830291033 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:25.981555939 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.094425917 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.099291086 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.099471092 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.104360104 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.106296062 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.108345032 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.154397011 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.154503107 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.159584045 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.385827065 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.391928911 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.391983032 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.395945072 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.400867939 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:26.400908947 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:26.405848026 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:32.969455957 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:32.975354910 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:32.975411892 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:32.980345964 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:33.268846035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:33.359551907 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:33.425298929 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:33.433043957 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:33.667848110 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:33.668406010 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:33.676528931 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:39.844386101 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:39.849221945 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:39.849282980 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:39.854098082 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:40.152142048 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:40.308768034 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:40.321902990 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:40.324635983 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:40.329873085 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:40.329935074 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:40.334892035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:42.907088041 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:42.912045956 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:42.914910078 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:42.919699907 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:44.102787971 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:44.156443119 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:44.267066956 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:44.269972086 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:44.274832964 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:44.274883986 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:44.279709101 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:47.060409069 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:47.156467915 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:48.257575035 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:48.258312941 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:48.258363008 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:48.258887053 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:48.258919954 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:48.844333887 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:48.849211931 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:48.849267960 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:48.854074955 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:49.157519102 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:49.322294950 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:49.323016882 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:49.323276997 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:49.328262091 CET	9443	49704	128.90.103.230	192.168.2.5
Nov 6, 2024 14:11:49.328541040 CET	49704	9443	192.168.2.5	128.90.103.230
Nov 6, 2024 14:11:49.333539009 CET	9443	49704	128.90.103.230	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 6, 2024 14:07:47.142018080 CET	53814	53	192.168.2.5	1.1.1.1
Nov 6, 2024 14:07:47.239906073 CET	53	53814	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 6, 2024 14:07:47.142018080 CET	192.168.2.5	1.1.1.1	0xceec	Standard query (0)	chromedata.webredirect.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 6, 2024 14:07:47.239906073 CET	1.1.1.1	192.168.2.5	0xceec	No error (0)	chromedata.webredirect.org	128.90.103.230	A (IP address)	IN (0x0001)	false
Nov 6, 2024 14:07:48.771641970 CET	1.1.1.1	192.168.2.5	0xd171	No error (0)	bg.microsoft.map.fastly.net	199.232.210.172	A (IP address)	IN (0x0001)	false
Nov 6, 2024 14:07:48.771641970 CET	1.1.1.1	192.168.2.5	0xd171	No error (0)	bg.microsoft.map.fastly.net	199.232.214.172	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	08:07:42
Start date:	06/11/2024
Path:	C:\Users\user\Desktop\2xPiYIsfF2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2xPiYIsfF2.exe"
Imagebase:	0xbe0000
File size:	90'112 bytes
MD5 hash:	7F8E9B9A8D61036952BB4314476E59B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2055288534.0000000000BE2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4512353763.0000000001279000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4513014326.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 012174C0 Relevance: 2.8, Strings: 2, Instructions: 281COMMON

Download Yara Rule

Strings

q?$x, xrefs: 012174FF
q?$x, xrefs: 012174DF

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x$q?$x
API String ID: 0-3866944754
Opcode ID: 0d789b6e173be94058247c66535d9af81af9664e626e2e003f764a3bfbc4070e
Instruction ID: 91a7dc37a19116c7d198cca33e2717bb787827ea33b0c8f43bdeeead69cb036b
Opcode Fuzzy Hash: 0d789b6e173be94058247c66535d9af81af9664e626e2e003f764a3bfbc4070e
Instruction Fuzzy Hash: DAB19170E1024ADFDF14CFADC9857ADBBF2BF98304F148529D915A7298EB749842CB81

Function 01217D90 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

q?$x, xrefs: 01217DCF
q?$x, xrefs: 01217DAF

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x$q?$x
API String ID: 0-3866944754
Opcode ID: adad1611ff1d3dd0f6f85f3a4d1b8c41e306e2abd901246f43cfd48f78b5025c
Instruction ID: 6a39c7a67d871c88a6a05b2199a1dd6e31a2c93188f5fed9b5268cb0fd59f58c
Opcode Fuzzy Hash: adad1611ff1d3dd0f6f85f3a4d1b8c41e306e2abd901246f43cfd48f78b5025c
Instruction Fuzzy Hash: C4B16170E1020ACFDF10CFA9D9857AEBBF2BF98314F148529E515E7258EB749885CB81

Function 012120E8 Relevance: 5.4, Strings: 4, Instructions: 449COMMON

Download Yara Rule

Strings

xaq, xrefs: 01212736
a]q, xrefs: 0121269F
a]q, xrefs: 012126FC
,, xrefs: 01212230

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: a]q$ a]q$,$xaq
API String ID: 0-452644037
Opcode ID: 3d8bf71c03317de5b06b29a9c521b71aa9554441bb61ae0eb12aae60c88f9bd2
Instruction ID: 7cf0bb717e645c128fc618f39ca308556619be18b67c1c9a4cdfd5d9bae8a1f3
Opcode Fuzzy Hash: 3d8bf71c03317de5b06b29a9c521b71aa9554441bb61ae0eb12aae60c88f9bd2
Instruction Fuzzy Hash: 3402BE34710206DFD719EF28D494B6E7BE2FFA4304F208529E5159B3A9DB74AC86CB81

Function 01212322 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

xaq, xrefs: 01212736
a]q, xrefs: 0121269F
a]q, xrefs: 012126FC

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: a]q$ a]q$xaq
API String ID: 0-315583803
Opcode ID: 4ec63376b318b709ae95417d707a2bfa248243baadc2bd6fa2653d274cecde16
Instruction ID: 6492a96a9f977c578f008eac913a3d9ba2a7e4338925a3b1ff60a66350c5f009
Opcode Fuzzy Hash: 4ec63376b318b709ae95417d707a2bfa248243baadc2bd6fa2653d274cecde16
Instruction Fuzzy Hash: FE618B347003059FD718EF28D4A4B6A7BE6FFA4314F208529D5169F3A8DBB1AC46CB80

Function 01210F81 Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

Te]q, xrefs: 01210FB5
d6p, xrefs: 01210FCD
(aq, xrefs: 0121125A

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: (aq$Te]q$d6p
API String ID: 0-967301506
Opcode ID: 4632b645085565fffccb81df5c07db838792affdafd2f45f93cfccef7b3c3c78
Instruction ID: 1349581e80892893984c327c0eae2504344a0153c057b944d6ca9eb741174b34
Opcode Fuzzy Hash: 4632b645085565fffccb81df5c07db838792affdafd2f45f93cfccef7b3c3c78
Instruction Fuzzy Hash: FB519F30B102149FC748DF69C494A9EBBF6FF99700F2180A9E905DB3A5DB71EC018B81

Function 012174B4 Relevance: 2.8, Strings: 2, Instructions: 330COMMON

Download Yara Rule

Strings

q?$x, xrefs: 012174FF
q?$x, xrefs: 012174DF

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x$q?$x
API String ID: 0-3866944754
Opcode ID: dd1deccc876a5fa74b48e375d52809a96beadb8b5f48f54e4811332f04f6b2f0
Instruction ID: 133896de1c497f724d314e3754c1096fac0b53e2535fa7e405974154b676d0eb
Opcode Fuzzy Hash: dd1deccc876a5fa74b48e375d52809a96beadb8b5f48f54e4811332f04f6b2f0
Instruction Fuzzy Hash: 81C19D70E1024ADFDF14CFACD8857EDBBF2AFA8314F148529D904A7258EB349846CB81

Function 01217D86 Relevance: 2.8, Strings: 2, Instructions: 262COMMON

Download Yara Rule

Strings

q?$x, xrefs: 01217DCF
q?$x, xrefs: 01217DAF

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x$q?$x
API String ID: 0-3866944754
Opcode ID: c7f3640771de325b7af90bdd5d171381f34c519641238697669c7476a64da080
Instruction ID: 2f7217bca8452998f506e881320ece2d4b7089ffaa692c74e427d04481ffeeae
Opcode Fuzzy Hash: c7f3640771de325b7af90bdd5d171381f34c519641238697669c7476a64da080
Instruction Fuzzy Hash: 12A15F70E1020ACFDB10CFA9D9857DEBBF2AF98314F148129E519E7258EB759885CB81

Function 01210DE8 Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

dLcq, xrefs: 01210E23
Haq, xrefs: 01210F08

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Haq$dLcq
API String ID: 0-1713614415
Opcode ID: 3f2ab1f813cde0d3961125f9647e44adf0da19c81af0b51d743a97e3a712cc6f
Instruction ID: e349b3ef3b40380dbcc355dd4c6c2d573e13b293ffbb2399470bed1abb329d11
Opcode Fuzzy Hash: 3f2ab1f813cde0d3961125f9647e44adf0da19c81af0b51d743a97e3a712cc6f
Instruction Fuzzy Hash: B641DF307042058FCB19DF69C494AAEBFF6EF89200F1444AAE105EB3A5CB75AC45CB90

Function 0121AB80 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$]q, xrefs: 0121ABBF
$]q, xrefs: 0121ABB5

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: $]q$$]q
API String ID: 0-127220927
Opcode ID: 293dfc71121bf16907536aab743de0a3e712c6e264d529a4978732d6974731da
Instruction ID: 537f08eba25f6ac4f9941e255df29276c730f1829bbe6d14e7bef936cb59d79b
Opcode Fuzzy Hash: 293dfc71121bf16907536aab743de0a3e712c6e264d529a4978732d6974731da
Instruction Fuzzy Hash: A141AB70721485DBC3089F6D908982ABFB3BFA47013388844E8068B399CF769D53CB86

Function 0121BCE0 Relevance: 1.6, Instructions: 1574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b712bda4a9a4b0e320bb5dea978ca9eb9ac3d9e1d85c42f72c5d82d449092c5
Instruction ID: 95d0288d80a8a908387e9fba4fef39a10001d3dc15a2adcc2b557abbc5e56b1c
Opcode Fuzzy Hash: 4b712bda4a9a4b0e320bb5dea978ca9eb9ac3d9e1d85c42f72c5d82d449092c5
Instruction Fuzzy Hash: 2FD23A38711219CFCB19EB74D0A867E37F3AFA9304B60496DC41A9B398DF769C428B41

Function 0121B880 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xaq, xrefs: 0121BBC6

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: xaq
API String ID: 0-793007810
Opcode ID: 41eebcce0decff97681cabea680cd25f5fa66fc1cfd0f3f4d423318cdd903bed
Instruction ID: ca77bda74806f0fb02b4095a0c17cad8cb5c343abc4c1ba921c5a932fa676ffb
Opcode Fuzzy Hash: 41eebcce0decff97681cabea680cd25f5fa66fc1cfd0f3f4d423318cdd903bed
Instruction Fuzzy Hash: B19157796282028FD739DF28E5647253FF2B7B5314F14613AC9248BE9CEB749885CB81

Function 0121AB69 Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

$]q, xrefs: 0121ABB5

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: $]q
API String ID: 0-1007455737
Opcode ID: 57f17620272a5e778326001a9a5292b2b7c0c8438df5edb1bda2e71b11ba2d23
Instruction ID: 9ea23ce5c82e7210e4d40fcb40a8bc842f97485bface8a1dc7bd33d1a2ea2682
Opcode Fuzzy Hash: 57f17620272a5e778326001a9a5292b2b7c0c8438df5edb1bda2e71b11ba2d23
Instruction Fuzzy Hash: 9151E0706255C5DFC7099F3C949942ABFF3BFA47017288849E4029B399CF769D42CB92

Function 0121B130 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121B1CE

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: a5a7321fa9c46a3a6770828df3d2243712352417e592ae5d12b5bd3dcebbe354
Instruction ID: 246a5954087ffc5772c20548dcf32d1c728351426952e26306df41935131ccb0
Opcode Fuzzy Hash: a5a7321fa9c46a3a6770828df3d2243712352417e592ae5d12b5bd3dcebbe354
Instruction Fuzzy Hash: 14518D35610106DFE724DF69D859BA9BBF1BF58714F208159E5119B3F8CBB1AC41CB40

Function 01214A40 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

|, xrefs: 01214B50

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 1dbad77fc66e126847e361cc91f5642703f39fbcaab1e669712a6c8adcf2089c
Instruction ID: 5b2538c793803a727fc824604b9c2561350fdf89060099a9c79c1c55dfac68c5
Opcode Fuzzy Hash: 1dbad77fc66e126847e361cc91f5642703f39fbcaab1e669712a6c8adcf2089c
Instruction Fuzzy Hash: 1341E231B102159FC718EB78D850B6EBBF6EF89310F11846AD50ADB358EB75AD05CB90

Function 012159D4 Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

q?$x, xrefs: 01215A08

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x
API String ID: 0-1925620448
Opcode ID: 6700e5f02e03ce18434e0131519f3acf46362210fc26457a3717dcd46049bcb7
Instruction ID: 7a99bf6957f131f67eb7cba4e64f40a049128a06ba3f5dc64be93d5b95942246
Opcode Fuzzy Hash: 6700e5f02e03ce18434e0131519f3acf46362210fc26457a3717dcd46049bcb7
Instruction Fuzzy Hash: 5B410EB0D003499FCB14CF99C880ADEBFF5FF49310F20802AE809AB214DB75A945CB90

Function 01211402 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

LR]q, xrefs: 01211453

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: 9a6bff36985ed44f277c3036014a40a8df45d90f3bc38f74eebfa25e955a6a54
Instruction ID: 90a28afdd916d249a738e325cf9617b279988e7d4d8201687923c491e451f3fd
Opcode Fuzzy Hash: 9a6bff36985ed44f277c3036014a40a8df45d90f3bc38f74eebfa25e955a6a54
Instruction Fuzzy Hash: CF31EE34F102169FCB44EB78849066EBBF2FF88614B144069E24ADB3A5EE34DC42C791

Function 01210DD8 Relevance: 1.3, Strings: 1, Instructions: 91COMMON

Download Yara Rule

Strings

dLcq, xrefs: 01210E23

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: dLcq
API String ID: 0-2236789282
Opcode ID: ee5c38ecd16eae627c4a12560ec29b8d9ff9352c8c79c8da67893efbf0f6168b
Instruction ID: d796999d56c0eb7396cd07183ab95f85f8f9388dd9594eef292a0c75b7ac7d7e
Opcode Fuzzy Hash: ee5c38ecd16eae627c4a12560ec29b8d9ff9352c8c79c8da67893efbf0f6168b
Instruction Fuzzy Hash: 0331BE31A102059FDB18DF69C488B9EBBF2FF58304F14856AE501AB365CB75ED45CB90

Function 012159E0 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

q?$x, xrefs: 01215A08

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x
API String ID: 0-1925620448
Opcode ID: e3fd41e48562af0501a9bb4cd5a8f75d69dea58da3035caf781456d6345f8d6a
Instruction ID: 3bfd37bfa027dce4cc7f71d29ce33b23b28b0d26b7432d0b55f56c80431cc6b0
Opcode Fuzzy Hash: e3fd41e48562af0501a9bb4cd5a8f75d69dea58da3035caf781456d6345f8d6a
Instruction Fuzzy Hash: D241FDB0D003499FDB14DFA9C484ADEBFF5FF48300F20802AE809AB258DB75A945CB90

Function 0121AA5F Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121AAB2

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: e1bd0aa0a32e73d1935eb273d8a229d57d35aef9fee2a972db913329746b0e7f
Instruction ID: 105ca36e85fe34f5ece73dd6d59f67192d5e24f59d8ea5196992806676563b34
Opcode Fuzzy Hash: e1bd0aa0a32e73d1935eb273d8a229d57d35aef9fee2a972db913329746b0e7f
Instruction Fuzzy Hash: EC31D4317212908FDB19CF28C559BAA7BF6BF98610F15846ED102DB3A5CB75CC05CB91

Function 0121AA88 Relevance: 1.3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121AAB2

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 674f95831e20ec0514ecaf97219c0c2a1accd3b71f6814d2093f6596f9943cb1
Instruction ID: df75ee4ab42d8249aa2643992ab7aff47eff0d1564435fa9ced8ba54783ba5b8
Opcode Fuzzy Hash: 674f95831e20ec0514ecaf97219c0c2a1accd3b71f6814d2093f6596f9943cb1
Instruction Fuzzy Hash: 82217C31B201518FDB18DF68C558BAA7BF6BF98B10F21846AE106DB3A5CB758D01CB90

Function 0121AA98 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121AAB2

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: f8933731b9878dd544ad414111cc2b18f51dcfa8280de06dd87f13dd8d618054
Instruction ID: e834d8c9af5fdfc8c4bff0e251f3af1072fb0962dcb7eec279beea07bdfa6e43
Opcode Fuzzy Hash: f8933731b9878dd544ad414111cc2b18f51dcfa8280de06dd87f13dd8d618054
Instruction Fuzzy Hash: 72219D307201558FDB08DB28C568BAE7BF6BF98B10F208459E102DB3A5CF748C008B91

Function 01214AF2 Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

|, xrefs: 01214B50

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 43b6b466ec0be96ba52591ad3a00ca5f94e238a625ab89ef4947e2f3c15ddaa2
Instruction ID: b9d1d5b113e572e6d71355a79d283e77c0e86d137da6e7fc7289854880b0bca1
Opcode Fuzzy Hash: 43b6b466ec0be96ba52591ad3a00ca5f94e238a625ab89ef4947e2f3c15ddaa2
Instruction Fuzzy Hash: 9B117F75F102159FDB54EF78C805BAE7BF1AF48710F104469E60AE7364EB349901CB94

Function 0121B018 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121B043

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 24822fa0a288ae3e94aa011620092091158fd0e5f2a69d88b87e59cc9868274a
Instruction ID: 9c7d5967e56d2a23d1678ed45ac907b9da8094c65d38af4303046060affaa74e
Opcode Fuzzy Hash: 24822fa0a288ae3e94aa011620092091158fd0e5f2a69d88b87e59cc9868274a
Instruction Fuzzy Hash: 9A11D070B501049FDB14DF69C9A9BAEBBF2EF8C710F144059E506EB3A5CA719C41CB90

Function 0121B028 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121B043

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 750e2d4006aebe9e328bf77329a4b7ccf278a0d3b8e55958b79b45aed7e48b4d
Instruction ID: fa8ae030165c8e6c44df83889de1656887b5ea09e1c3b0112100af41bc6e6654
Opcode Fuzzy Hash: 750e2d4006aebe9e328bf77329a4b7ccf278a0d3b8e55958b79b45aed7e48b4d
Instruction Fuzzy Hash: 0E118C70B50105DFDB14DF69C899BAEBBF6EF8C710F144069E902AB3A5CAB19C41CB90

Function 0121D5D8 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

Te]q, xrefs: 0121D605

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: c8fc382c96f18f420d34e4ffacfb02a2c5162f05b51e3098cce0aa0fffa2e180
Instruction ID: ca2e4356a6c24698443aeede072c879ad6e1adb753364698c12c7bf2ea2f2641
Opcode Fuzzy Hash: c8fc382c96f18f420d34e4ffacfb02a2c5162f05b51e3098cce0aa0fffa2e180
Instruction Fuzzy Hash: C511AC317202189FCB149B59C999BAE7BF6AB88710F200469E506EB3A0CEB19D018B90

Function 01210F07 Relevance: 1.3, Strings: 1, Instructions: 48COMMON

Download Yara Rule

Strings

Haq, xrefs: 01210F08

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 09f5594c5a3f2b106efa0aac7ee382204bf19f621c66d277d2b2dbc67689ad03
Instruction ID: ee3eef5fc9f4c721a0fedc8a085b47eada510d90ec39b2f9a9da30003b9a08ea
Opcode Fuzzy Hash: 09f5594c5a3f2b106efa0aac7ee382204bf19f621c66d277d2b2dbc67689ad03
Instruction Fuzzy Hash: 18F022207092900FC78AA73E54604AE7FE7DFDB52432908FAE149CB397CE259C0783A1

Function 0121A4A8 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR]q, xrefs: 0121A4BD

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: LR]q
API String ID: 0-3081347316
Opcode ID: bb0f7fe782196b265bc4f32402bd818754192d8b33ece16afe14149e2bc99f2a
Instruction ID: 84e216dfd829a21514a6754037668663bea35f1d7350cd67d35e2ea2060f7131
Opcode Fuzzy Hash: bb0f7fe782196b265bc4f32402bd818754192d8b33ece16afe14149e2bc99f2a
Instruction Fuzzy Hash: 31016271F5015AAFCB44EBA898116BE77F5FB68604F1040A9E50ADB254EB70AA418BC1

Function 0121A530 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

q?$x, xrefs: 0121A552

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x
API String ID: 0-1925620448
Opcode ID: aeb43683c3fa47bf0c3ccd173a13ed47ca8287bbd2421fa4f9a2c8a7790bf51d
Instruction ID: 4dcc44a5507fc3655974a447d75c16985dda8528505a5945a4b5bc4406666f3f
Opcode Fuzzy Hash: aeb43683c3fa47bf0c3ccd173a13ed47ca8287bbd2421fa4f9a2c8a7790bf51d
Instruction Fuzzy Hash: 631100B5C006498ECB20DF99D544BEEBBF4EB08310F20845AD519A7254C339A944CFA1

Function 0121A538 Relevance: 1.3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

Strings

q?$x, xrefs: 0121A552

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x
API String ID: 0-1925620448
Opcode ID: 72f7e761cf8edc176cf7db69fbfedac8a8bf0d340dd692bc008bbba9b8c32d3d
Instruction ID: ac5dde9ed0fd37acd8367f9566e4b1f685b1b4036fbbcf9ed90f8e22c0f22272
Opcode Fuzzy Hash: 72f7e761cf8edc176cf7db69fbfedac8a8bf0d340dd692bc008bbba9b8c32d3d
Instruction Fuzzy Hash: A0111EB48006498FCB20DF9AD588BDEBBF4FB08320F208419D519A7250C339A944CFA1

Function 012133B0 Relevance: 1.1, Instructions: 1117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b780c1bc68e513195322f3856d51aa9e2bbbb15c1a1d1f0fb75369d5da5a52e
Instruction ID: 25a96d2236f6fe8f95024d2820858e5cf0b9a49d64fe3b1d180fe56825725522
Opcode Fuzzy Hash: 4b780c1bc68e513195322f3856d51aa9e2bbbb15c1a1d1f0fb75369d5da5a52e
Instruction Fuzzy Hash: 7EB26E3860024ACFC768DF24E8A8AAD7BB2FB94305F108579D41A97399DB759CC6CF41

Function 012133A0 Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b356b81882c0c400e59b96107ee2e40b183e01b3607aa497d3b2c0875d792fa
Instruction ID: 5b735a26b009e26eecdd7f09df4be2ad0ddc7860552ea1d94f5bc27b7d87db94
Opcode Fuzzy Hash: 7b356b81882c0c400e59b96107ee2e40b183e01b3607aa497d3b2c0875d792fa
Instruction Fuzzy Hash: 5582803860024ACFDB28DF24E8A8B9D7BF2FB94305F108579D51A97399DB749886CF41

Function 01214BC8 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 253296e5a059db85ca68026056fcaadb69881259e7edb8d0f3576f38143dad8c
Instruction ID: 378946e324b98b2a0345bd46e726c234dca83ce33e01df33bdbd6f81e8e32281
Opcode Fuzzy Hash: 253296e5a059db85ca68026056fcaadb69881259e7edb8d0f3576f38143dad8c
Instruction Fuzzy Hash: A8417F2160D3D65FD30A977948A80A93FF2EEA725431D05EBC0C5CF2A3DE69981BC352

Function 0121AD32 Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b41699e5d1f90faee1bb78523d896dcae8df6d1588de256dc1f69d137b46259
Instruction ID: bec6b6b3700a302aa2289e19e48310139472d445a4a37fdb341c1d72f668049b
Opcode Fuzzy Hash: 1b41699e5d1f90faee1bb78523d896dcae8df6d1588de256dc1f69d137b46259
Instruction Fuzzy Hash: C2519B34A00556CFCB14DFA8C984AAAFBF2FF54311F5584A5E915AB3A6C730ED41CB90

Function 01210B49 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 524f76e0ab8fc69526bcb5a40e66c90f90faa3de8077ddaf4405f3da6faf60da
Instruction ID: 53d73c35dff7961037679d18918eccd4c6b09e66dc577b63f8bcd2407dd70f19
Opcode Fuzzy Hash: 524f76e0ab8fc69526bcb5a40e66c90f90faa3de8077ddaf4405f3da6faf60da
Instruction Fuzzy Hash: 9E51E93C60120ACFCB5AFF24F5A49493B7BFFA5305710856AD0018B21CEB35A96ACF91

Function 01212CFF Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94825b0f9a6ae2b923632e4eb3732b7a313b04f5d34b06d37281dc7c20add7e
Instruction ID: 4d81db819869b81b2f07c93ac8a07ae5fecf07466786a39ece1020752cc00715
Opcode Fuzzy Hash: a94825b0f9a6ae2b923632e4eb3732b7a313b04f5d34b06d37281dc7c20add7e
Instruction Fuzzy Hash: 89417175B202389FCF049BA9E95479D77BBBFC8710F144525E804B3758CA38AC058B99

Function 01211298 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4364e136b648e16577184906fb9f46581159ceb409e276d0ff339ddb9e77f9f1
Instruction ID: 87ea9b4a4fccf4895e8b3312f65f33786a7fe3aede532e04432af2e4ade7fc54
Opcode Fuzzy Hash: 4364e136b648e16577184906fb9f46581159ceb409e276d0ff339ddb9e77f9f1
Instruction Fuzzy Hash: 034191B0E0420AAFCB08DFBD85506AEFFFAEF88300F248569D459D7346DA349941CB91

Function 012109A8 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30fa74834d3e4e0dcc0f447c4b192dbcbd81240ee76051df4c3be992155dc725
Instruction ID: 5d0c4d23583e6064f9c2cd9af37b079b4e33e5c672fbd70ffcc679b6a7bfc380
Opcode Fuzzy Hash: 30fa74834d3e4e0dcc0f447c4b192dbcbd81240ee76051df4c3be992155dc725
Instruction Fuzzy Hash: 4A41B4313202078FDB69EB79D46463E3AE6BF60604714493DE617C7248EF24D9818B99

Function 012109B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00890a36c725b909819102c80fd42b4c560819c62856a2b927996b0cafd87cfa
Instruction ID: cb4d26528db80f02fd0066cfe2fae55cb0df3da6c0ef515ab5b780479a9e1ac5
Opcode Fuzzy Hash: 00890a36c725b909819102c80fd42b4c560819c62856a2b927996b0cafd87cfa
Instruction Fuzzy Hash: 3A31A3317202078FDB69EB79946463E7AE6BFA4204704493DE617C7248EF30D981CB9A

Function 0121A99A Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a208d91223877997b13c9fcfe80e0d5d1c56b01e8a23be4455d56ae980c48e38
Instruction ID: e7180dea7d4e0fea6c73d66ec81bfe15a395c4a423b0403c95ad053da3172d7f
Opcode Fuzzy Hash: a208d91223877997b13c9fcfe80e0d5d1c56b01e8a23be4455d56ae980c48e38
Instruction Fuzzy Hash: 4D31CD75E1124A8FDB14DFB9D9512EFBBF1EBA8240F20806AC509E3248E7709901CBA1

Function 01212E83 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5a037dbf1dacdbf8b84041bc1dd42cbcd0be37e26772a6771b53e1102b23d4
Instruction ID: 97529c63b42ed0a367407111a204e3f0811d7d5fb54f7fb5f890a8a513a0009b
Opcode Fuzzy Hash: 2c5a037dbf1dacdbf8b84041bc1dd42cbcd0be37e26772a6771b53e1102b23d4
Instruction Fuzzy Hash: FB21B4382483899FD306EB74E970A593F7DEF52300F1545A6D044CB66BDB35AD0AC761

Function 0121A7C0 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 13568de16a0a0a58afe480604c5952464bdc85790ba68617fbafb8fb340ee13a
Instruction ID: 3f22ae1682e09643f9846731f2d60de48d16177a042f5dec4725bfa201f83600
Opcode Fuzzy Hash: 13568de16a0a0a58afe480604c5952464bdc85790ba68617fbafb8fb340ee13a
Instruction Fuzzy Hash: 05216234B112198FCB15EB74C5646AE7BF6FF99204F64402CC406A7368DF759C46CB91

Function 0121BCD0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 051ea5670ff91ef0fcc5aacd72e7d5a87a516397adb429fda8b8cb7cd429b824
Instruction ID: c3c487bc8700a1163e76750b32d6111322274dc7e38b19adf5713eb68938f4f8
Opcode Fuzzy Hash: 051ea5670ff91ef0fcc5aacd72e7d5a87a516397adb429fda8b8cb7cd429b824
Instruction Fuzzy Hash: 7A21C3316102168FCB3CDA2898946AEB7F6EF94610B54487ED259D3398EB319C41CB82

Function 0121B378 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c5f4e29d6783f1d76e61eb679c922b36f49c9049b93ad426a6e0c482265fba3
Instruction ID: 38d85bd29ed300e2c8b47de59725b98a208aef78b5a9731082760a4428c7c48b
Opcode Fuzzy Hash: 3c5f4e29d6783f1d76e61eb679c922b36f49c9049b93ad426a6e0c482265fba3
Instruction Fuzzy Hash: 5A2107706102499FCB05FF34E450AAEBBF5EFA1314B108A69C0158B259EB75A91ACBC0

Function 0121B388 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2dd4142773dd248ca0a28e3577ed25b935392d0af78aba768deae71ce53b34
Instruction ID: fbebdb84c0626d6324583bc72d1bd7916e7c19e766152817cc04becd2fb1aa84
Opcode Fuzzy Hash: 7c2dd4142773dd248ca0a28e3577ed25b935392d0af78aba768deae71ce53b34
Instruction Fuzzy Hash: 1221057061024A9FCB05FF34E450A6EBBF5EFA1314B108629C0158F25DDB75991ACBC0

Function 012114F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 078d16c0664258686ebcbac024b9b9b873d7bda772519482dea77f218702542c
Instruction ID: 7df1a59ff6a9deefeedb68ab981011ef6ff70e8ff029f278784f847e4f75e57f
Opcode Fuzzy Hash: 078d16c0664258686ebcbac024b9b9b873d7bda772519482dea77f218702542c
Instruction Fuzzy Hash: E611E074A10206AFC754EF78D41556ABBF6FF8820031448B9D50ADB359EB35DC12CB91

Function 01212BB0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24ed2512480ffe865f5c1b33aa90a518ce303cdc47aac655cb18cbc68408ee0f
Instruction ID: 3732bf029e9c6458c6c0097848a9ddae91472876a9ffba6d7c8db04de268524c
Opcode Fuzzy Hash: 24ed2512480ffe865f5c1b33aa90a518ce303cdc47aac655cb18cbc68408ee0f
Instruction Fuzzy Hash: 81117C796052068FD309DF69E890556FBF6FFE5624319C57AD108CB719EB30E811CB50

Function 01212EBF Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413d91f11fad8649b41b08a42a4deb931cfc643a391155db19a15bb5d4d3e6de
Instruction ID: 5173456f94bb32ac08fd01a177ff2b79602067b3c4d2be80ee0f528a176fcb7a
Opcode Fuzzy Hash: 413d91f11fad8649b41b08a42a4deb931cfc643a391155db19a15bb5d4d3e6de
Instruction Fuzzy Hash: C411B23824010EEFD705EF69EAA1B5A37BEFFA0304F10453594048725DEB35AD16CB91

Function 0121B11E Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ca78b1c2157123e17f171ec4a314318adc89b48ab056faadc3ca3ac8a03209
Instruction ID: a70af48d46cced129d9963c68dde3370b41fad36834aa3c30b5ff0f43578e44b
Opcode Fuzzy Hash: 51ca78b1c2157123e17f171ec4a314318adc89b48ab056faadc3ca3ac8a03209
Instruction Fuzzy Hash: F81148319642499FEF25DB69C954BEE7FF5EF58310F14442AD421F3288CB711885C7A1

Function 01211508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2fce06ca6da94913e5487a86fa9db7cf03500e327632c102472c1cb2f82bda3
Instruction ID: ffc8e91078c7da5595b6c04f94cf4fd60d0dcfedff410463e939c096c874e638
Opcode Fuzzy Hash: b2fce06ca6da94913e5487a86fa9db7cf03500e327632c102472c1cb2f82bda3
Instruction Fuzzy Hash: E3118B74B0020AAFCB54EBB9E81552A7BE6FF882007144879D50ADB358EB35DC11CB91

Function 01214BBA Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95beb3ec10eb3de20db1e184fec31b7cb5d561edd3358414279922f10948593d
Instruction ID: f59d911c3bf0cf4239459645c3c151ffb41f902078d0bf5928035cffb7e62441
Opcode Fuzzy Hash: 95beb3ec10eb3de20db1e184fec31b7cb5d561edd3358414279922f10948593d
Instruction Fuzzy Hash: 14018B353002008BC718AB3DA9A17BE72EBEBD5228B54443DD50A8B755CF39DC0A8381

Function 01212ED0 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a112f457bd1a7107addf80559865eefc94029f8b3c4dbb25fb97d7d8480acc5
Instruction ID: 4a135cb56e224036ce703b7fb15d70b18ee77e5957c0d1fe7b69e9e69881c9a6
Opcode Fuzzy Hash: 2a112f457bd1a7107addf80559865eefc94029f8b3c4dbb25fb97d7d8480acc5
Instruction Fuzzy Hash: 0C11703864020EEFD709EF64EAA1F5A377EEBA4300F10453594088736DEB35AD16CB91

Function 01211C60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 200a44b94b0379688b89dde2fe4f9cca193db03da95940c8b69c47ae2ba8aa72
Instruction ID: a7e635c90dfa909474305f738eb9dfd446fae05571ca00572073780254e41abd
Opcode Fuzzy Hash: 200a44b94b0379688b89dde2fe4f9cca193db03da95940c8b69c47ae2ba8aa72
Instruction Fuzzy Hash: 7B01DC3491420E8FC714FBB8E86996D7FB6FF91304B000635C41252388EF706958CBA6

Function 01211C4F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42c954bc5c1e0430db385d5b2af752909fd078b68211edfd7ab2f8f8cc4978d7
Instruction ID: 0ab9ad93a0882f8cc489cb40825f742293eb09d373e040bfb6d2c587f0b6796d
Opcode Fuzzy Hash: 42c954bc5c1e0430db385d5b2af752909fd078b68211edfd7ab2f8f8cc4978d7
Instruction Fuzzy Hash: B601AF34D28249CFD754EBB8D4556AC7FB1EFA2308F00462AC04697399EB705929CB96

Function 0121B2CE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8313a374622f0da6b045f53753c89f970a5014c6e743e915de305ba9d74f01d2
Instruction ID: c4555bde739c273f2d9261aa6afb6e9a7b2d6a5e67d9368690b7470bec8d1cc4
Opcode Fuzzy Hash: 8313a374622f0da6b045f53753c89f970a5014c6e743e915de305ba9d74f01d2
Instruction Fuzzy Hash: 97F0EC79E681468FD711DB16C4567BC3FF0AF31600F15018BD841D716FC764850ACB11

Function 0121A050 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14e89fcc0e2a494386104033202e3bfce5dc36991c4ad54a52240c30b76a5471
Instruction ID: b16dc09b4b49ce29af41c7f807458dfa4ce55f993a88542d03d5e55f7eded7a6
Opcode Fuzzy Hash: 14e89fcc0e2a494386104033202e3bfce5dc36991c4ad54a52240c30b76a5471
Instruction Fuzzy Hash: 0DE0C2323141201BC744A6FDE881BDE3B99EFCA958FA404AAD008DF365DE25DD0507C1

Function 0121BC27 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88dd2cd9af5b50e35d2e4bec1bcc8923ad638fb9a79a139dae4dfab3080ef5e1
Instruction ID: ff0e2c1404cc726c5fb6226b9f092aff3812a86f2af6350f448d7a997a8b9755
Opcode Fuzzy Hash: 88dd2cd9af5b50e35d2e4bec1bcc8923ad638fb9a79a139dae4dfab3080ef5e1
Instruction Fuzzy Hash: 84E09A308412899BC712CF68EE46B497BA4AF01218F2006A9DC18472D1D7745A05CB40

Function 0121BC38 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33af0b23a87d0c59b27bf0a4486536e6571120ce06274f3b81aeac83d97d4e3b
Instruction ID: 499ddb5c642b99c9618923c8d9b3cf13ed79c8eb7f7a75f7400038d7c6ac4da2
Opcode Fuzzy Hash: 33af0b23a87d0c59b27bf0a4486536e6571120ce06274f3b81aeac83d97d4e3b
Instruction Fuzzy Hash: FED05E34E0120DEFCB44EFA8EA4199DBBBEEF45204B5045A9D809D3380EB31AF149F91

Function 01210B35 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945260d6eae92f42ea0a19686027e68618ed5771ed047cbb6b86c421d911d59c
Instruction ID: ce3d7de37b11ea185384d783b7abbaecd688c01a3dd92fefec166536bb6fb086
Opcode Fuzzy Hash: 945260d6eae92f42ea0a19686027e68618ed5771ed047cbb6b86c421d911d59c
Instruction Fuzzy Hash: 77C08020734144CED3185B74D01C3297E51BF7130EF600030B1634446E7DA416C4C31A

Function 01210B19 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e54a9a22e61069f84d2f5d734e304953430f5a31fe18844b4b14c49091ab3288
Instruction ID: 52900dae07fdf1cf92872aeb2701fbf0e394337e78a34b0965291db8f641a11d
Opcode Fuzzy Hash: e54a9a22e61069f84d2f5d734e304953430f5a31fe18844b4b14c49091ab3288
Instruction Fuzzy Hash: 34C08020734148CED3295B74D01C3297E51FB7130EF600135F1234446E6DA416C5C71A

Function 01212EA8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2351341bd1d80fe36bfd6c2d49743f6d1c5eed366edf38b806e692f58d24b092
Instruction ID: 55f369b00240cd01f742075c0195394f44edd1336b21247b1b9f69aa255e648c
Opcode Fuzzy Hash: 2351341bd1d80fe36bfd6c2d49743f6d1c5eed366edf38b806e692f58d24b092
Instruction Fuzzy Hash: D8C048392602088F8244EA99E598C12B7A8BF68A00351009AE5018BB22CB21F820DA61

Non-executed Functions

Function 01218290 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

Xaq, xrefs: 012182BF
$]q, xrefs: 012182A6

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 870b0d0666c5d5d8c570e3cab7c881c70ac1bfd96acec2826e63ddfea60d1c61
Instruction ID: 1eb4c67fb698955a9303a50083e664543f525c5dfd30b3060c02e91d2c63aa03
Opcode Fuzzy Hash: 870b0d0666c5d5d8c570e3cab7c881c70ac1bfd96acec2826e63ddfea60d1c61
Instruction Fuzzy Hash: CB819E34B11218ABDB1CEF78989467E7BA7FFD8750B15842DE406E728CDE34D8428792

Function 01217178 Relevance: 2.7, Strings: 2, Instructions: 238COMMON

Download Yara Rule

Strings

q?$x, xrefs: 01217197
q?$x, xrefs: 012171B7

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID: q?$x$q?$x
API String ID: 0-3866944754
Opcode ID: 7e9c596a8b84d91db21c610ecd007fa8b5ff8792c78814b68fd7859621bf020d
Instruction ID: a871c094d1ae654b46cc96e3933d02f81779ee7ade52ccfdecfb898d8be4e4cb
Opcode Fuzzy Hash: 7e9c596a8b84d91db21c610ecd007fa8b5ff8792c78814b68fd7859621bf020d
Instruction Fuzzy Hash: 1F917F70E1020ADFDF10CFA9D9857DDBBF2EF98304F148129E905A7298EB749846CB81

Function 0121D7B0 Relevance: 1.0, Instructions: 1019COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4512312915.0000000001210000.00000040.00000800.00020000.00000000.sdmp, Offset: 01210000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1210000_2xPiYIsfF2.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cacee283e558f55e91af0d8653e33f3a3b3f87dfdf60d66e42bc979c0b5dd1
Instruction ID: 01b831d9d38154887afe85636b52cbc86e1bed4480d4464a6f2b5e0515e90929
Opcode Fuzzy Hash: 52cacee283e558f55e91af0d8653e33f3a3b3f87dfdf60d66e42bc979c0b5dd1
Instruction Fuzzy Hash: C48249307102068FDB19EF69D8D4B6EBAE6FF94304F148479D5068B3A9DB75DC0A8B81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2xPiYIsfF2.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
2xPiYIsfF2.exe