Windows Analysis Report
QHLQyYBiH7.exe

Overview

General Information

Sample name: QHLQyYBiH7.exe (renamed because the original name is a hash value)
Original sample name: 5602b0e001ca58f3afa38ed2bebee63a.exe
Analysis ID: 1569562
MD5: 5602b0e001ca58f3afa38ed2bebee63a
SHA1: 684042eb078191c1ae776491aed3ae302315224c
SHA256: d03990be37a53cf1ecb8189def43022ed7f04886b043c9640a32ea48fea1f1d4
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Sigma detected: Potentially Suspicious Malware Callback Communication
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • QHLQyYBiH7.exe (PID: 4888 cmdline: "C:\Users\user\Desktop\QHLQyYBiH7.exe" MD5: 5602B0E001CA58F3AFA38ED2BEBEE63A)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: none
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "195.26.255.81", "Ports": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "Serv.exe", "AES_key": "x9K8SFfbc9rHbplQxeIAk3eFsy6rV3l4", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "true", "External_config_on_Pastebin": "true", "BDOS": "null", "Startup_Delay": "3", "HWID": "cmZpGwUhD3Q3V1iMbLVXav8uvPpzAtw4bzJPFTlbkTd+ccVIO2rmuKpEdkmUujJ4OcftVFceQCAEuOGjfHxnQQ==", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Source | Rule | Description | Author | Strings
QHLQyYBiH7.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
QHLQyYBiH7.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
QHLQyYBiH7.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd18e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x99b4:$a3: get_ActivatePong
  • 0xd3a6:$a4: vmware
  • 0xd21e:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa8f9:$a6: get_SslClient
QHLQyYBiH7.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd220:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf8e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x97b4:$a3: get_ActivatePong
  • 0xd1a6:$a4: vmware
  • 0xd01e:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa6f9:$a6: get_SslClient
00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd020:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: QHLQyYBiH7.exe PID: 4888 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Source | Rule | Description | Author | Strings
0.0.QHLQyYBiH7.exe.6a0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.QHLQyYBiH7.exe.6a0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.QHLQyYBiH7.exe.6a0000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd18e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x99b4:$a3: get_ActivatePong
  • 0xd3a6:$a4: vmware
  • 0xd21e:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa8f9:$a6: get_SslClient
0.0.QHLQyYBiH7.exe.6a0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd220:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

System Summary

Source: Network Connection | Author: Florian Roth (Nextron Systems) | Data: DestinationIp: 195.26.255.81, DestinationIsIpv6: false, DestinationPort: 7777, EventID: 3, Image: C:\Users\user\Desktop\QHLQyYBiH7.exe, Initiated: true, ProcessId: 4888, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49708

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-05T21:01:59.087278+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
2024-12-05T21:01:59.087278+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
2024-12-05T21:01:59.087278+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP

AV Detection

Source: QHLQyYBiH7.exe | Avira: detected
Source: QHLQyYBiH7.exe | Malware Configuration Extractor: AsyncRAT {"Server": "195.26.255.81", "Ports": "6606,7707,8808,0077,1996,2106,7777", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "%AppData%", "Install_File": "Serv.exe", "AES_key": "x9K8SFfbc9rHbplQxeIAk3eFsy6rV3l4", "Mutex": "AsyncMutex_6SI8OkPnk", "AntiDetection": "true", "External_config_on_Pastebin": "true", "BDOS": "null", "Startup_Delay": "3", "HWID": "cmZpGwUhD3Q3V1iMbLVXav8uvPpzAtw4bzJPFTlbkTd+ccVIO2rmuKpEdkmUujJ4OcftVFceQCAEuOGjfHxnQQ==", "Certificate": "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", "ServerSignature": "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", "Group": "Default"}
Source: QHLQyYBiH7.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: QHLQyYBiH7.exe | Joe Sandbox ML: detected
Source: QHLQyYBiH7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QHLQyYBiH7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 195.26.255.81:7777 -> 192.168.2.6:49708
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:7777 -> 192.168.2.6:49708
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 195.26.255.81:7777 -> 192.168.2.6:49708
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 195.26.255.81:7777 -> 192.168.2.6:49708
Source: Yara match | File source: QHLQyYBiH7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.6:49708 -> 195.26.255.81:7777
Source: Joe Sandbox View | ASN Name: KCOM-SPNService-ProviderNetworkex-MistralGB
Source: unknown | TCP traffic detected without corresponding DNS query: 195.26.255.81 (50 identical entries)
Source: QHLQyYBiH7.exe, 00000000.00000002.4535149787.0000000004F8B000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: QHLQyYBiH7.exe, 00000000.00000002.4535315737.0000000005027000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab82
Source: QHLQyYBiH7.exe, 00000000.00000002.4535149787.0000000004F8B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?08d1d078f9e52
Source: QHLQyYBiH7.exe, 00000000.00000002.4535149787.0000000004F6D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enS
Source: QHLQyYBiH7.exe, 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: QHLQyYBiH7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR

Operating System Destruction

Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Process information set: 01 00 00 00

System Summary

Source: QHLQyYBiH7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: QHLQyYBiH7.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D460C1
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D44158
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D44A28
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D43E10
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_07061B10
Source: QHLQyYBiH7.exe, 00000000.00000002.4535670373.0000000005829000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs QHLQyYBiH7.exe
Source: QHLQyYBiH7.exe, 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs QHLQyYBiH7.exe
Source: QHLQyYBiH7.exe | Binary or memory string: OriginalFilenameStub.exe" vs QHLQyYBiH7.exe
Source: QHLQyYBiH7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: QHLQyYBiH7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: QHLQyYBiH7.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: QHLQyYBiH7.exe, OAIZfrObiiX.cs | Base64 encoded string: 'vYQPlde0UPe6gVdYAmHYgqZQ3du3H7um5bckqwj8RJFN9OGxgcpxX2fK2o9DWWsRCrvvWx41oEMSDjESYda8a7+kgeLWGiXni+kJGKbV//v5i0Hq8A9gIC6YSQwL0X8/', 'I5vk7WSD2/T6jn2zXIbpBlRPIQRGI+casWYMaAJAye6+gNZRGUd2Vn40HtOWl8/wU/Q7VdOHYdlt6ZmIvLWTrA==', 'yETXdKWfYdHgpP5DdST8Fusc3iWC/weRvIITufKOWnDJMRZzavu3a1ndUAjwTDD3MD4orU/nzO5BA9q3KAEz+t0zKfGZgf0M0y1Loh6Xxkw=', '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', 'Ju42sd9yC0R++ie+7FwszOkHoZkI+hN+pJ0q5XEmFiwIkLi2T2jcgADOjkurtA/iFzJLPfKi+u0CCwKyC3avsw==', 'u26jCfq32NV6dU2iUe8gSJfFb9rfUzdACMJ5LY+LF22TuwIFdGuvtWorK2e/HJuUQO1mf0Gdx2SxiZ0lsQ2DQQ==', 'K4xLBzOdGXJl+1q7pyXLvk7pELs0GE1M1tiysqJXgOlPBU18gt7evVBqfLjJvVNQpDib+DbzgpYO9SMA0bsEoQ==', 'sMQWVujgYLt0YLhonO0oA5ULz71cv3X0S+T
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: QHLQyYBiH7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: QHLQyYBiH7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: QHLQyYBiH7.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: QHLQyYBiH7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: QHLQyYBiH7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: QHLQyYBiH7.exe, UeqpxmZCsQcdFXS.cs | .Net Code: FpVTGbXzsH System.AppDomain.Load(byte[])
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D406AF push esp; retf 0000h | 0_2_00D406BA
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D40637 push edi; retf 0000h | 0_2_00D40652
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D40637 push ecx; retf 0000h | 0_2_00D406AA
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D45D97 push esp; retf 0000h | 0_2_00D45DA2
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D45D8D push esp; retf 0000h | 0_2_00D45D92
Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_0706193A push esp; retf | 0_2_07061941
Source: QHLQyYBiH7.exe, UOLIAdNfJK.cs | High entropy of concatenated method names: 'lCtCxTPYSkA', 'IymLzaGndBxD', 'cMCDadTrwXJ', 'sDNyZFHvbusPWP', 'iHzQSJygPmLLYF', 'yriamNYzTTy', 'uQGzYlMExjqaKGg', 'BvZrweJdnSdJDHr', 'tbtPMmrwnjUzo', 'IdrUJzqwbWKLWnQ'

                Boot Survival

                barindex
                Source: Yara matchFile source: QHLQyYBiH7.exe, type: SAMPLE
                Source: Yara matchFile source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match | File source: QHLQyYBiH7.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR
                Source: QHLQyYBiH7.exe | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Memory allocated: D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Memory allocated: 2A90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Memory allocated: F60000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Window / User API: threadDelayed 1278
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Window / User API: threadDelayed 8504
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe TID: 4900 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe TID: 5692 | Thread sleep time: -5534023222112862s >= -30000s
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Thread delayed: delay time: 922337203685477
                Source: QHLQyYBiH7.exe | Binary or memory string: vmware
                Source: QHLQyYBiH7.exe, 00000000.00000002.4535149787.0000000004F8B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0u;
                Source: QHLQyYBiH7.exe, 00000000.00000002.4536184026.00000000063B3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Code function: 0_2_00D41CE8 CheckRemoteDebuggerPresent, 0_2_00D41CE8
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Queries volume information: C:\Users\user\Desktop\QHLQyYBiH7.exe VolumeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match | File source: QHLQyYBiH7.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.QHLQyYBiH7.exe.6a0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: QHLQyYBiH7.exe PID: 4888, type: MEMORYSTR
                Source: QHLQyYBiH7.exe, 00000000.00000002.4535149787.0000000004F8B000.00000004.00000020.00020000.00000000.sdmp, QHLQyYBiH7.exe, 00000000.00000002.4533747302.0000000000D9F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\QHLQyYBiH7.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                MITRE ATT&CK matrix, grouped by tactic (the number in parentheses is the count of matching signatures; techniques without a count are listed in the matrix but were not observed):

                • Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties
                • Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet
                • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media
                • Execution: Windows Management Instrumentation (2), Scheduled Task/Job (1), At, Cron, Launchd, Scheduled Task
                • Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                • Privilege Escalation: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts
                • Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (51), Obfuscated Files or Information (111), Software Packing (1), DLL Side-Loading (1), Steganography
                • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials
                • Discovery: Query Registry (1), Security Software Discovery (241), Process Discovery (1), Virtualization/Sandbox Evasion (51), Application Window Discovery (1), System Information Discovery (23)
                • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC
                • Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture
                • Command and Control: Encrypted Channel (1), Non-Standard Port (1), Steganography, Protocol Impersonation, Fallback Channels, Multiband Communication
                • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits
                • Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop
                Source | Detection | Scanner | Label
                QHLQyYBiH7.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
                QHLQyYBiH7.exe | 100% | Avira | TR/Dropper.Gen
                QHLQyYBiH7.exe | 100% | Joe Sandbox ML
                No Antivirus matches
                No contacted domains info
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | QHLQyYBiH7.exe, 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp | false | (none) | high
                  IP | Domain | Country | ASN | ASN Name | Malicious
                  195.26.255.81 | unknown | United Kingdom | 8897 | KCOM-SPNService-ProviderNetworkex-MistralGB | true
                  Joe Sandbox version: 41.0.0 Charoite
                  Analysis ID: 1569562
                  Start date and time: 2024-12-05 21:01:04 +01:00
                  Joe Sandbox product: CloudBasic
                  Overall analysis duration: 0h 5m 55s
                  Hypervisor based Inspection enabled: false
                  Report type: full
                  Cookbook file name: default.jbs
                  Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of new started processes analysed: 6
                  Number of new started drivers analysed: 0
                  Number of existing processes analysed: 0
                  Number of existing drivers analysed: 0
                  Number of injected processes analysed: 0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode: default
                  Analysis stop reason: Timeout
                  Sample name: QHLQyYBiH7.exe (renamed because the original name is a hash value)
                  Original Sample Name: 5602b0e001ca58f3afa38ed2bebee63a.exe
                  Detection: MAL
                  Classification: mal100.troj.evad.winEXE@1/2@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 21
                  • Number of non-executed functions: 2
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
                  • Excluded IPs from analysis (whitelisted): 2.22.50.131, 2.22.50.144
                  • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, a767.dspw65.akamai.net, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
                  • VT rate limit hit for: QHLQyYBiH7.exe
                  Time | Type | Description
                  15:02:00 | API Interceptor | 9413355x Sleep call for process: QHLQyYBiH7.exe modified
                  No context
                  Match: KCOM-SPNService-ProviderNetworkex-MistralGB (associated sample name | detection | threat name | context IP)
                  • sparc.elf | malicious | Gafgyt, Mirai | 212.56.42.100
                  • arm.nn.elf | malicious | Mirai, Okiru | 212.32.119.233
                  • sora.arm.elf | malicious | Mirai | 159.15.212.211
                  • loligang.sh4.elf | malicious | Mirai | 159.15.236.49
                  • nabspc.elf | malicious | Unknown | 217.154.244.153
                  • m68k.elf | malicious | Unknown | 194.62.44.61
                  • mipsel.nn.elf | malicious | Mirai, Okiru | 213.254.176.44
                  • owari.arm7.elf | malicious | Mirai | 158.179.210.2
                  • xd.x86.elf | malicious | Mirai | 159.15.172.114
                  • specifications and technical requirements.pdf | malicious | HTMLPhisher | 194.164.76.123
                  No context
                  Process: C:\Users\user\Desktop\QHLQyYBiH7.exe
                  File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                  Category: dropped
                  Size (bytes): 71954
                  Entropy (8bit): 7.996617769952133
                  Encrypted: true
                  SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                  MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
                  SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
                  SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                  SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                  Malicious: false
                  Reputation: high, very likely benign file
                  Process: C:\Users\user\Desktop\QHLQyYBiH7.exe
                  File Type: data
                  Category: dropped
                  Size (bytes): 328
                  Entropy (8bit): 3.144086598890895
                  Encrypted: false
                  SSDEEP: 6:kKukNlD9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2ElaDnLNkPlE99SNxAhUe/3
                  MD5: 47F2F0DCBCAFBD5A3CFF588D41753F1D
                  SHA1: 74E9580C9FB8471DAE3344E034EE879B3E4AF63C
                  SHA-256: 8E67625B44CF0D3EA54F36752CF24CF0F8F73CE2F617AD16D78A3D560A7CEFC4
                  SHA-512: 783330FD085EB020C12053DBE009C256AEEF318D79CF20D2DDDDB4BEF7A932AF3F1ACDFB02EFCBA1B439B407B73BD6E8758A42C8DEDD0C7E2BAB2D9F60F8F4DB
                  Malicious: false
                  Reputation: low
                  File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit): 5.515091461303841
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name: QHLQyYBiH7.exe
                  File size: 67'584 bytes
                  MD5: 5602b0e001ca58f3afa38ed2bebee63a
                  SHA1: 684042eb078191c1ae776491aed3ae302315224c
                  SHA256: d03990be37a53cf1ecb8189def43022ed7f04886b043c9640a32ea48fea1f1d4
                  SHA512: f0a0198b9dc44f106b4e4b0ff5100a4dfe389ffddf5def718efdd639a4bd4573fe82d8d41549210c02cebd6587c25746405d1bd68ca88857bbd4a9012772e655
                  SSDEEP: 1536:XKh5Bk58k/GWZOKuvUYFs2un/HuTZbFHgJkMAcZWO7KHS1Uzr+TGlx:XK/Bk58kAKuvUYFQvkbFHgKM7ZWJS6zx
                  TLSH: D063F7053BE99019F3BECF7469F2668446FAF5AF2D12D90D1C8510DE0632B829941BFB
                  Icon Hash: 00928e8e8686b000
                  Entrypoint: 0x411abe
                  Entrypoint Section: .text
                  Digitally signed: false
                  Imagebase: 0x400000
                  Subsystem: windows gui
                  Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp: 0x64A6F687 [Thu Jul 6 17:14:47 2023 UTC]
                  TLS Callbacks: (none)
                  CLR (.Net) Version: (not reported)
                  OS Version Major: 4
                  OS Version Minor: 0
                  File Version Major: 4
                  File Version Minor: 0
                  Subsystem Version Major: 4
                  Subsystem Version Minor: 0
                  Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11a68 | 0x53 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xfac4 | 0xfc00 | fc00794a973d4144c15987988eb91275 | False | 0.4963107638888889 | data | 5.554372380284745 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x14000 | 0xc | 0x200 | afd0ad1ae585a6077b299a3e7f3a1dd1 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_VERSION | 0x120a0 | 0x2cc | data | | | 0.43575418994413406
                  RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                  2024-12-05T21:01:59.087278+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
                  2024-12-05T21:01:59.087278+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
                  2024-12-05T21:01:59.087278+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
                  2024-12-05T21:01:59.087278+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 195.26.255.81 | 7777 | 192.168.2.6 | 49708 | TCP
                  Dec 5, 2024 21:02:16.120050907 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:18.396177053 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:18.515873909 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:18.516064882 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:18.636193037 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:19.369589090 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:19.412798882 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:19.572165966 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:19.574287891 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:19.694780111 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:19.694868088 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:19.814595938 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:24.005378962 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:24.125109911 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:24.125161886 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:24.250222921 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:25.081026077 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:25.129909992 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:25.272866964 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:25.274811029 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:25.394610882 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:25.394678116 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:25.514478922 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:29.615021944 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:29.735651016 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:29.735744953 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:29.855499983 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:30.532176971 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:30.583038092 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:30.723807096 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:30.725784063 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:30.845669985 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:30.845923901 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:30.969383001 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:35.224368095 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:35.344352961 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:35.344427109 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:35.465928078 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:36.136672974 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:36.176837921 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:36.328315020 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:36.330291033 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:36.450205088 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:36.450339079 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:36.572931051 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:40.833515882 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:40.953253984 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:40.956887007 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:41.076669931 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:41.790385008 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:41.833086014 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:41.982189894 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:41.983834028 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:42.103857994 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:42.103935003 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:42.223843098 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:46.443101883 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:46.562958002 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:46.563318014 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:46.683454037 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:47.069699049 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:47.114370108 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:47.249376059 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:47.251285076 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:47.371057987 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:47.371153116 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:47.490890026 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:52.052277088 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:52.172117949 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:52.172183990 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:52.291961908 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:53.619349003 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:53.661309004 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:53.811256886 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:53.817150116 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:53.937069893 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:53.937139988 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:54.056951046 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:57.661684036 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:57.781457901 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:57.781548977 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:57.901443958 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:59.002417088 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:59.051930904 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:59.194336891 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:59.196048975 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:59.315840960 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:02:59.315907955 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:02:59.436685085 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:03.298259020 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:03.418315887 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:03.418363094 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:03.538306952 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:04.237421989 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:04.286269903 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:04.429270029 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:04.431632996 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:04.551498890 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:04.551574945 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:04.671472073 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:08.911794901 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:09.031514883 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:09.031565905 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:09.155147076 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:09.585930109 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:09.630054951 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:09.777806044 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:09.779711962 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:09.899552107 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:09.899626970 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:10.019733906 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:14.521166086 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:14.640937090 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:14.641021013 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:14.760839939 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:15.499118090 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:15.548001051 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:15.690993071 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:15.692754984 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:15.812583923 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:15.812690020 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:15.932929993 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:20.132975101 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:20.252974033 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:20.256345034 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:20.376244068 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:21.147795916 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:21.192593098 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:21.344963074 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:21.347162008 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:21.470721006 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:21.470985889 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:21.594943047 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:23.833604097 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:23.953532934 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:23.953644991 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.073441982 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.318140984 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.439204931 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.439330101 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.499619007 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.552989960 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.559181929 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.635128975 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.639708042 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.759506941 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.759586096 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.861649036 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.879400015 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.911465883 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:24.951530933 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:24.954536915 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:25.074523926 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:25.074579000 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:25.194405079 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:29.927526951 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:30.047609091 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:30.053006887 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:30.172749996 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:30.615238905 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:30.661393881 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:30.807821035 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:30.810158968 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:30.934322119 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:30.934415102 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:31.056898117 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:35.536863089 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:35.657327890 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:35.657383919 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:35.777452946 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:35.786703110 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:35.906788111 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:35.906961918 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:36.026802063 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:36.407089949 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:36.458271980 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:36.599129915 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:36.606559038 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:36.726531029 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:36.726720095 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:36.846497059 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:38.040406942 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:38.085024118 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:38.829360962 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:38.881020069 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:41.396508932 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:41.516588926 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:41.516638994 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:41.636481047 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:41.636538982 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:41.756303072 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:42.341017962 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:42.395761013 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:42.534584045 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:42.536763906 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:42.656692028 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:42.657438040 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:42.777245045 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:47.196049929 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:47.315870047 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:47.316116095 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:47.435916901 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:47.887873888 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:47.942641020 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:48.081329107 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:48.085748911 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:48.205600023 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:48.205794096 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:48.325808048 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:50.052447081 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:50.172327042 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:50.177150965 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:50.297161102 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:50.751019001 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:50.802021980 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:50.943088055 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:50.946319103 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:51.066009998 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:51.066055059 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:51.185966969 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:51.443212032 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:51.562963963 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:51.563035965 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:51.683435917 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:52.001202106 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:52.053081036 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:52.193308115 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:52.195600033 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:52.315473080 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:52.315566063 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:52.435697079 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.055016994 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:57.174813032 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.174860954 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:57.294760942 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.554167986 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.598932028 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:57.745743036 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.747476101 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:57.867352009 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:03:57.867439032 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:03:57.987221956 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:02.661860943 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:02.781994104 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:02.782063007 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:02.901803017 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:03.378787994 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:03.427103996 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:03.570664883 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:03.572402954 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:03.692394972 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:03.692547083 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:03.812443018 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:05.178010941 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:05.297916889 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:05.297966003 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:05.418023109 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:05.769640923 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:05.813364029 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:05.961654902 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:05.967407942 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:06.087234974 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:06.093121052 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:06.212913036 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:10.787087917 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:10.907169104 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:10.907258987 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:11.027162075 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:11.753684998 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:11.802139997 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:11.945532084 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:11.947302103 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:12.067231894 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:12.069224119 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:12.189101934 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:16.396473885 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:16.516479015 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:16.516634941 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:16.636677980 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:17.985280991 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:18.036528111 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:18.177187920 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:18.186757088 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:18.307004929 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:18.309217930 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:18.429060936 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:22.005790949 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:22.126112938 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:22.126199007 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:22.247488022 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:22.915297031 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:22.958692074 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:23.107184887 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:23.109344959 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:23.229224920 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:23.229283094 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:23.349163055 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:23.537329912 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:23.657286882 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:23.657341003 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:23.777348995 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:24.334908009 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:24.380254030 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:24.527004004 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:24.529156923 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:24.649117947 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:24.649193048 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:24.769215107 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:29.146264076 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:29.266190052 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:29.266264915 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:29.386888981 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:30.050858021 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:30.099040031 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:30.242724895 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:30.244503975 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:30.364320993 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:30.364387989 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:30.486624002 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:34.757190943 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:34.877211094 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:34.877367973 CET497087777192.168.2.6195.26.255.81
                  Dec 5, 2024 21:04:34.998857975 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:35.624648094 CET777749708195.26.255.81192.168.2.6
                  Dec 5, 2024 21:04:35.677191019 CET497087777192.168.2.6195.26.255.81
                  Timestamp                           Source Port  Dest Port  Source IP      Dest IP
                  Dec 5, 2024 21:04:35.816133976 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:35.819716930 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:35.939704895 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:35.939764023 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:36.059644938 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:40.364988089 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:40.485065937 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:40.485260963 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:40.606105089 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:41.824579954 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:41.880304098 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:42.016805887 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:42.018359900 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:42.138437033 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:42.145229101 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:42.271989107 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:45.974509001 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:46.094750881 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:46.094866991 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:46.215106010 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:46.659441948 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:46.709220886 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:46.851438999 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:46.854641914 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:46.974596977 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:46.974677086 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:47.043087959 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:47.083513021 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:47.094733953 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:51.583806038 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:51.704366922 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:51.704536915 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:51.824636936 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:52.640672922 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:52.693237066 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:52.832746983 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:52.835478067 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:52.955507994 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:52.957353115 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:53.077245951 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:53.302963972 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:53.422844887 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:53.422898054 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:53.542850971 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:53.971940994 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:54.020932913 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:54.181607962 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:54.190567970 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:54.310483932 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:54.313335896 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:54.433113098 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:58.912051916 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:59.032536030 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:04:59.032639980 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:04:59.153004885 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:00.065677881 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:00.114708900 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:00.884149075 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:00.890659094 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:01.010693073 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:01.013365030 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:01.133482933 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:04.521439075 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:04.641278982 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:04.641457081 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:04.761327028 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:05.306876898 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:05.349091053 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:05.506428003 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:05.508028030 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:05.628181934 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:05.628238916 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:05.748049021 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.130863905 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:10.250783920 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.250977993 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:10.370738983 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.667145967 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.708494902 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:10.858988047 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.862654924 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:10.982783079 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:10.982878923 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:11.102968931 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:15.740200043 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:15.860213995 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:15.860276937 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:15.980304003 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:16.706239939 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:16.756071091 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:16.898113012 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:16.900094986 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:17.020322084 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:17.020395994 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:17.140657902 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:21.349519968 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:21.469535112 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:21.469610929 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:21.589410067 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:22.277028084 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:22.333534002 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:22.468812943 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:22.475016117 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:22.596971035 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:22.597369909 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:22.717144966 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:26.985328913 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:27.105379105 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:27.105506897 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:27.229567051 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:27.720133066 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:27.771162033 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:27.922334909 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:27.923926115 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:28.043699980 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:28.043756962 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:28.163474083 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:32.584497929 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:32.704253912 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:32.705459118 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:32.825311899 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:33.157694101 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:33.302474976 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:33.349669933 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:33.351733923 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:33.471550941 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:33.471596956 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:33.591367960 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:36.005814075 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:36.126085997 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:36.126161098 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:36.246184111 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:36.783243895 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:36.883357048 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:36.975374937 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:36.982160091 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:37.102313042 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:37.103387117 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:37.225030899 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:41.613957882 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:41.733747959 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:41.733798027 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:41.853645086 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:42.193025112 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:42.380440950 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:42.385277033 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:42.386739969 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:42.506966114 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:42.507177114 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:42.626926899 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:45.263612986 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:45.383876085 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:45.383932114 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:45.503859997 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:46.079152107 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:46.119771004 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:46.278232098 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:46.280875921 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:46.401992083 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:46.402095079 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:46.521828890 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:47.850012064 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:47.971730947 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:47.971786976 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:48.092489004 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:48.502266884 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:48.555380106 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:48.693975925 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:48.695702076 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:48.815603018 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:48.816759109 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:48.937413931 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:53.460495949 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:53.581470013 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:53.581517935 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:53.701354027 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:54.226083040 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:54.271106005 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:54.417927027 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:54.430656910 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:54.550674915 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:54.553575039 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:54.673834085 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:55.146445990 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:55.266308069 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:55.266355991 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:55.386176109 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:56.096194029 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:56.146094084 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:56.284825087 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:56.289402008 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:56.410073042 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:56.413583040 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:56.533381939 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:58.102792978 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:58.222587109 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:58.222637892 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:58.342919111 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:58.717483044 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:58.771112919 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:58.909282923 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:58.909899950 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:59.029650927 CET  7777         49708      195.26.255.81  192.168.2.6
                  Dec 5, 2024 21:05:59.029709101 CET  49708        7777       192.168.2.6    195.26.255.81
                  Dec 5, 2024 21:05:59.149904966 CET  7777         49708      195.26.255.81  192.168.2.6
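The packet list above is the report's only record of the 195.26.255.81:7777 callback, and plain-text copies of such reports often leave the five columns (timestamp, source port, destination port, source IP, destination IP) run together. The following Python is an added example, not part of the Joe Sandbox report: it parses the rows whether the separators survived or not, resolves fused rows that admit more than one valid reading, and summarises each flow by direction, time span and longest silence. The eight embedded rows are copied from the list above; the set of "common" server ports used for the non-standard-port flag is an assumption, not something the report states.

```python
"""Parse Joe Sandbox 'TCP Packets' rows and summarise each flow (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Eight rows copied from the packet list above, in the fused form (timestamp,
# src port, dst port, src IP, dst IP run together with no separator).
SAMPLE_ROWS = [
    "Dec 5, 2024 21:04:35.816133976 CET777749708195.26.255.81192.168.2.6",
    "Dec 5, 2024 21:04:35.819716930 CET497087777192.168.2.6195.26.255.81",
    "Dec 5, 2024 21:04:35.939704895 CET777749708195.26.255.81192.168.2.6",
    "Dec 5, 2024 21:04:35.939764023 CET497087777192.168.2.6195.26.255.81",
    "Dec 5, 2024 21:04:36.059644938 CET777749708195.26.255.81192.168.2.6",
    "Dec 5, 2024 21:04:40.364988089 CET497087777192.168.2.6195.26.255.81",
    "Dec 5, 2024 21:04:40.485065937 CET777749708195.26.255.81192.168.2.6",
    "Dec 5, 2024 21:04:40.485260963 CET497087777192.168.2.6195.26.255.81",
]

ROW_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<ns>\d{1,9}) CET(?P<rest>.+)$"
)
# Assumption, not from the report: server ports a typical egress policy allows.
COMMON_SERVER_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 587, 993, 995, 8080, 8443}


def _port_ok(s):
    return s.isdigit() and s[0] != "0" and int(s) <= 65535


def _octet_ok(s):
    return s.isdigit() and len(s) <= 3 and (s == "0" or s[0] != "0") and int(s) <= 255


def candidate_splits(fused):
    """Every valid (src_port, dst_port, src_ip, dst_ip) reading of a fused field.

    The field looks like 'PPPPQQQQQa.b.c.de.f.g.h': two ports, then the last
    octet of the source IP glued to the first octet of the destination IP.
    """
    parts = fused.split(".")
    if len(parts) != 7:
        return []
    head, b, c, de, f, g, h = parts
    out = []
    for k in (1, 2, 3):                      # digits in the first source octet
        a, ports = head[-k:], head[:-k]
        if len(head) <= k or not _octet_ok(a):
            continue
        for i in range(1, len(ports)):
            sp, dp = ports[:i], ports[i:]
            if not (_port_ok(sp) and _port_ok(dp)):
                continue
            for j in range(1, len(de)):
                d, e = de[:j], de[j:]
                if all(_octet_ok(x) for x in (b, c, d, e, f, g, h)):
                    out.append((int(sp), int(dp), f"{a}.{b}.{c}.{d}", f"{e}.{f}.{g}.{h}"))
    return out


def parse_rows(rows):
    """Return [(epoch_seconds, src_port, dst_port, src_ip, dst_ip), ...]."""
    staged = []
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        t = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S").replace(tzinfo=timezone.utc)
        t = t.timestamp() + int(m["ns"].ljust(9, "0")) / 1e9   # keep the nanoseconds
        fields = m["rest"].split()
        if len(fields) == 4:                 # separators survived extraction
            cands = [(int(fields[0]), int(fields[1]), fields[2], fields[3])]
        else:
            cands = candidate_splits("".join(fields))
        staged.append((t, cands))
    # A fused row can have two valid readings ('...2.6195...' is 192.168.2.6 |
    # 195... or 192.168.2.61 | 95...). Resolve with the addresses fixed by the
    # rows that parse uniquely; refuse to guess if that still leaves doubt.
    known = {ip for _, c in staged if len(c) == 1 for ip in c[0][2:]}
    packets = []
    for t, cands in staged:
        if len(cands) > 1:
            cands = [c for c in cands if c[2] in known and c[3] in known]
        if len(cands) != 1:
            raise ValueError(f"cannot resolve columns at t={t:.6f}: {cands}")
        packets.append((t,) + cands[0])
    return packets


def summarize_flows(packets):
    """Per flow: packets by direction, time span, longest silence, port check.

    The endpoint with the lower port number is treated as the server.
    """
    flows = defaultdict(list)
    for t, sp, dp, sip, dip in packets:
        src, dst = (sip, sp), (dip, dp)
        server, client = (src, dst) if sp < dp else (dst, src)
        flows[(server, client)].append((t, src == server))
    report = {}
    for (server, client), pkts in flows.items():
        pkts.sort()
        times = [t for t, _ in pkts]
        gaps = [b - a for a, b in zip(times, times[1:])]
        report[f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}"] = {
            "to_server": sum(1 for _, from_server in pkts if not from_server),
            "from_server": sum(1 for _, from_server in pkts if from_server),
            "duration_s": round(times[-1] - times[0], 6),
            "max_gap_s": round(max(gaps), 6) if gaps else 0.0,
            "non_standard_port": server[1] not in COMMON_SERVER_PORTS,
        }
    return report


if __name__ == "__main__":
    for flow, stats in summarize_flows(parse_rows(SAMPLE_ROWS)).items():
        print(flow, stats)
```

On the eight rows this yields one flow, 192.168.2.6:49708 to 195.26.255.81:7777, with four packets in each direction, a 4.67 s span and a longest silence of about 4.3 s on a port the assumed allow-list does not contain. Feeding it all 205 rows gives the whole session; the ambiguity handling is what makes the parser safe to point at any sandbox export that drops column separators, since a greedy regex would silently pick the wrong IP split on rows like the second one.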


                  Target ID:0
                  Start time:15:01:52
                  Start date:05/12/2024
                  Path:C:\Users\user\Desktop\QHLQyYBiH7.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\QHLQyYBiH7.exe"
                  Imagebase:0x6a0000
                  File size:67'584 bytes
                  MD5 hash:5602B0E001CA58F3AFA38ED2BEBEE63A
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2083755341.00000000006A2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4534132615.0000000002A91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  Reputation:low
                  Has exited:false


                    Execution Graph

                    Execution Coverage:5.7%
                    Dynamic/Decrypted Code Coverage:100%
                    Signature Coverage:9.1%
                    Total number of Nodes:33
                    Total number of Limit Nodes:1
                    execution_graph (node id, address, API call if any, then successors after "->")
                    17471 d4c390 -> 17472
                    17472 d4c3d6 -> 17476, 17479
                    17473 d4c4c3
                    17476 d4c570 -> 17484
                    17479 d4c560 -> 17480, 17481
                    17480 d4c53a -> 17473
                    17481 d4c56a -> 17482
                    17482 d4c154 DuplicateHandle -> 17483
                    17483 d4c59e -> 17473
                    17484 d4c154 -> 17485
                    17485 d4c5d8 DuplicateHandle -> 17487
                    17487 d4c59e -> 17473
                    17488 d474d8 -> 17489
                    17489 d4751c SetWindowsHookExW -> 17491
                    17491 d47562
                    17492 d464f8 -> 17493
                    17493 d4653b RtlSetProcessIsCritical -> 17494
                    17494 d4656c
                    17495 d409b8 -> 17496
                    17496 d409db -> 17497, 17499
                    17497 d40a38
                    17499 d41681 -> 17503
                    17500 d416a3 -> 17497
                    17503 d41699 -> 17500, 17504, 17508
                    17504 d45327 -> 17505
                    17505 d45347 -> 17512
                    17508 d45328 -> 17509
                    17509 d45347 -> 17510
                    17510 d41ce8 CheckRemoteDebuggerPresent -> 17511
                    17511 d4535a -> 17500
                    17512 d41ce8 -> 17513
                    17513 d45788 CheckRemoteDebuggerPresent -> 17515
                    17515 d4535a -> 17500

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    704 d41ce8-d4580c CheckRemoteDebuggerPresent -> 707, 708
                    707 d45815-d45850
                    708 d4580e-d45814 -> 707
                    APIs
                    • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 00D457FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: a5fffe3d1051821dabfe64417fa5939eabf571b67c0e013777385303a1248e76
                    • Instruction ID: a09896e3d0096760496893d185771ffa9a393f5608d26a4fb0734718f6fdd566
                    • Opcode Fuzzy Hash: a5fffe3d1051821dabfe64417fa5939eabf571b67c0e013777385303a1248e76
                    • Instruction Fuzzy Hash: AF2148B1800659CFCB10CF9AD884BEEBBF4BF48324F14846AE559A3341D778A944CFA0

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, call if any, then successors after "->")
                    756 d44158-d441be -> 758, 759
                    758 d441c0-d441cb -> 759, 761
                    759 d44208-d4420a -> 760
                    760 d4420c-d44225 -> 767, 768
                    761 d441cd-d441d9 -> 762, 763
                    762 d441fc-d44206 -> 760
                    763 d441db-d441e5 -> 765, 766
                    765 d441e7 -> 766
                    766 d441e9-d441f8 -> 766, 769
                    767 d44227-d44233 -> 768, 770
                    768 d44271-d44273 -> 771
                    769 d441fa -> 762
                    770 d44235-d44241 -> 772, 773
                    771 d44275-d442cd -> 780, 781
                    772 d44264-d4426f -> 771
                    773 d44243-d4424d -> 774, 775
                    774 d44251-d44260 -> 774, 777
                    775 d4424f -> 774
                    777 d44262 -> 772
                    780 d44317-d44319 -> 783
                    781 d442cf-d442da -> 780, 782
                    782 d442dc-d442e8 -> 784, 785
                    783 d4431b-d44333 -> 790, 791
                    784 d442ea-d442f4 -> 786, 787
                    785 d4430b-d44315 -> 783
                    786 d442f6 -> 787
                    787 d442f8-d44307 -> 787, 789
                    789 d44309 -> 785
                    790 d44335-d44340 -> 791, 792
                    791 d4437d-d4437f -> 793
                    792 d44342-d4434e -> 794, 795
                    793 d44381-d443d2 -> 801
                    794 d44350-d4435a -> 796, 797
                    795 d44371-d4437b -> 793
                    796 d4435c -> 797
                    797 d4435e-d4436d -> 797, 799
                    799 d4436f -> 795
                    801 d443d8-d443e6 -> 802, 803
                    802 d443ef-d4444f -> 810, 811
                    803 d443e8-d443ee -> 802
                    810 d44451-d44455 -> 811, 812
                    811 d4445f-d44463 -> 813, 814
                    812 d44457 -> 811
                    813 d44465-d44469 -> 814, 815
                    814 d44473-d44477 -> 816, 817
                    815 d4446b -> 814
                    816 d44487-d4448b -> 819, 820
                    817 d44479-d4447d -> 816, 818
                    818 d4447f-d44482 call d40418 -> 816
                    819 d4448d-d44491 -> 820, 822
                    820 d4449b-d4449f -> 823, 824
                    822 d44493-d44496 call d40418 -> 820
                    823 d444a1-d444a5 -> 824, 826
                    824 d444af-d444b3 -> 827, 828
                    826 d444a7-d444aa call d40418 -> 824
                    827 d444b5-d444b9 -> 828, 829
                    828 d444c3-d444c7 -> 830, 831
                    829 d444bb -> 828
                    830 d444d7 -> 834
                    831 d444c9-d444cd -> 830, 833
                    833 d444cf -> 830
                    834 d444d8 -> 834
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID: \V[n
                    • API String ID: 0-1005319620
                    • Opcode ID: 4fd826287f4913ef18e0c5e49649db85a2b992280284da35f89b529e3008a9cb
                    • Instruction ID: 820075f1313f422d97d55b29857ba70f23bf4f1804aecfa73b7431676ac77214
                    • Opcode Fuzzy Hash: 4fd826287f4913ef18e0c5e49649db85a2b992280284da35f89b529e3008a9cb
                    • Instruction Fuzzy Hash: 51B15170E00649CFDF14CFA9C88579DBBF2BF88714F188129E819A7254EB749885CFA5
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c97f05b2feb79e88fc06c17dec9a706d73b60969c9eff5483aae18855e30af82
                    • Instruction ID: 8c23869886eb9779c94b771917bade2d98d05c8a35d84a4fb55a127b1b338463
                    • Opcode Fuzzy Hash: c97f05b2feb79e88fc06c17dec9a706d73b60969c9eff5483aae18855e30af82
                    • Instruction Fuzzy Hash: C3B15F70E006098FDF10CFA9C89579DBBF2FF88715F188129D815E7254EB749885CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3764c19b6141353f7d5ed824ca6f80b796bfa62adc826c9b3fd0c0de0a4ab7cd
                    • Instruction ID: dce391cb1e9631bcd6ae3f9a5e322667fcfb54554681fa0456ec23d3bee49cea
                    • Opcode Fuzzy Hash: 3764c19b6141353f7d5ed824ca6f80b796bfa62adc826c9b3fd0c0de0a4ab7cd
                    • Instruction Fuzzy Hash: 8B818C34B042589BDB08AF74985837F7BB3AFC9751B18852ED447E7298CE34DC0297A2

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    134 d474d0-d474d1 -> 135, 136
                    135 d474d3-d47522 -> 142, 143
                    136 d4745a-d4746a -> 140, 141
                    140 d47472-d4749d -> 148, 149
                    141 d4746c-d4746f -> 140
                    142 d47524-d4752c -> 143
                    143 d4752e-d47560 SetWindowsHookExW -> 144, 145
                    144 d47562-d47568 -> 145
                    145 d47569-d4758e
                    148 d474a6-d474c3
                    149 d4749f-d474a5 -> 148
                    APIs
                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D47553
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: 3f38e2f57f13109237e66e1b48cd06fc7d9b58c1497cd53dec3e2c3d0c4c2589
                    • Instruction ID: a4e400f0239c4369fd0438b1fde1a72e1163f6003c643240fdd9ac08833bb778
                    • Opcode Fuzzy Hash: 3f38e2f57f13109237e66e1b48cd06fc7d9b58c1497cd53dec3e2c3d0c4c2589
                    • Instruction Fuzzy Hash: C34126B5D0421A8FDB14CFA9D844BEEBBF4BF88320F14851AE519A7250C774A944CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4536480566.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7060000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 3832387649e78e2b7a8dd050da132470ca53fed0640144bd54ffcdcde4bf6a21
                    • Instruction ID: ee0785fefa136791f3a7a90b5c711ea18fee6821336e0f9cc397e7b1a423f81b
                    • Opcode Fuzzy Hash: 3832387649e78e2b7a8dd050da132470ca53fed0640144bd54ffcdcde4bf6a21
                    • Instruction Fuzzy Hash: 51D24670B112588FDB58BB74D4A863D77B3EBCA740B604A6CD4068B394DF36AC42DB81

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    711 d45782-d4580c CheckRemoteDebuggerPresent -> 713, 714
                    713 d45815-d45850
                    714 d4580e-d45814 -> 713
                    APIs
                    • CheckRemoteDebuggerPresent.KERNEL32(00000000,?), ref: 00D457FF
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: CheckDebuggerPresentRemote
                    • String ID:
                    • API String ID: 3662101638-0
                    • Opcode ID: 3d81b25b1b1cabd9ad76ecd07c782ab22f4f54c231ee1fe8daf3df6e42e38cb8
                    • Instruction ID: a473adad7d904d5d04612c214d3c246241161fca5dc56b1944fde1e687ec7ccc
                    • Opcode Fuzzy Hash: 3d81b25b1b1cabd9ad76ecd07c782ab22f4f54c231ee1fe8daf3df6e42e38cb8
                    • Instruction Fuzzy Hash: A42148B2800659CFCB14CF9AD884BEEFBF4BF48324F14846AE558A3251D778A944CF60

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    717 d4c154-d4c66c DuplicateHandle -> 720, 721
                    720 d4c675-d4c692
                    721 d4c66e-d4c674 -> 720
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D4C59E,?,?,?,?,?), ref: 00D4C65F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 9ca4aa1d3725fc9d956d89ec98d6ae866f33b255680610dde7c8b3439488337d
                    • Instruction ID: 5e0f63785175a15d2665890034e8fecfee542a3547e80be8acf9a629f843919b
                    • Opcode Fuzzy Hash: 9ca4aa1d3725fc9d956d89ec98d6ae866f33b255680610dde7c8b3439488337d
                    • Instruction Fuzzy Hash: 3421E4B5901349EFDB10CFAAD984ADEBBF4FB48320F14845AE914A7310D374A950CFA4

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    724 d4c5d7-d4c614 -> 725
                    725 d4c617-d4c66c DuplicateHandle -> 726, 727
                    726 d4c675-d4c692
                    727 d4c66e-d4c674 -> 726
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D4C59E,?,?,?,?,?), ref: 00D4C65F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: a7ca6698155edc2ff80ded0e388bc4f079c712587cb53808d424d9740bbeab10
                    • Instruction ID: 3d0d139618f420b5bd71c7eb6fb72cb656b2f7c23653f4c9d3140128c6d83a7f
                    • Opcode Fuzzy Hash: a7ca6698155edc2ff80ded0e388bc4f079c712587cb53808d424d9740bbeab10
                    • Instruction Fuzzy Hash: 1C21C2B5901249DFDB10CFA9D984ADEBBF5FB48320F14841AE918A3350D378A954CF64

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph (block id, address range, API call if any, then successors after "->")
                    730 d474d8-d47522 -> 732, 733
                    732 d47524-d4752c -> 733
                    733 d4752e-d47560 SetWindowsHookExW -> 734, 735
                    734 d47562-d47568 -> 735
                    735 d47569-d4758e
                    APIs
                    • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D47553
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: HookWindows
                    • String ID:
                    • API String ID: 2559412058-0
                    • Opcode ID: a8c1486461bdea847683f9532745e0e214a3cdcd9426d598e144cfbb6529316c
                    • Instruction ID: e2f093683e8aab001588f7871cf7ce476bb01437f0e78c948a10e0bee1b573fa
                    • Opcode Fuzzy Hash: a8c1486461bdea847683f9532745e0e214a3cdcd9426d598e144cfbb6529316c
                    • Instruction Fuzzy Hash: BC2127B5D002498FDB14CFAAC844BDEFBF5BF88310F148419E519A7250C774A940CFA1

                    Control-flow Graph (rendered graph omitted): basic blocks d464f5-d4658a, call to RtlSetProcessIsCritical at d4653b-d4656a
                    APIs
                    • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00D4655D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: 7ffadb74b4dfa0ddb51d1052c49d0dec0c732c20aa77f902afac98945c8f6172
                    • Instruction ID: 315201be1379bef08c234e0a86942a896fba44d60c39a06f11e614c9a4e7b47f
                    • Opcode Fuzzy Hash: 7ffadb74b4dfa0ddb51d1052c49d0dec0c732c20aa77f902afac98945c8f6172
                    • Instruction Fuzzy Hash: DD1122B58042498FDB20DF9AD884BDEBFF0AF88310F208119D629A3250D3B4A944CFA1

                    Control-flow Graph (rendered graph omitted): basic blocks d464f8-d4658a, call to RtlSetProcessIsCritical at d464f8-d4656a
                    APIs
                    • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00D4655D
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: CriticalProcess
                    • String ID:
                    • API String ID: 2695349919-0
                    • Opcode ID: 0df4c4725eeb3eea5178cac891d7e467d66f2fe058342dd482f2b86df8b020aa
                    • Instruction ID: 2957cb3b02129d76b40c26e554a1ac4134996acea164649b8de5a06b10519d33
                    • Opcode Fuzzy Hash: 0df4c4725eeb3eea5178cac891d7e467d66f2fe058342dd482f2b86df8b020aa
                    • Instruction Fuzzy Hash: E111F2B58002498FDB20DF9AC884BDEBBF4EB88320F208019D619A7250D7B4A944CFA5

                    Control-flow Graph (rendered graph omitted): basic blocks d4c5d0-d4c692, call to DuplicateHandle at d4c617-d4c66c
                    APIs
                    • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00D4C59E,?,?,?,?,?), ref: 00D4C65F
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID: DuplicateHandle
                    • String ID:
                    • API String ID: 3793708945-0
                    • Opcode ID: 0658b376bcb09d3b1623ea1109e1a8d18661693cf380f832f364bd55edc542e5
                    • Instruction ID: 75fd04fe776477d8cce59dc8c60afe3a48a8e4ceb85018ac683b9009752f3280
                    • Opcode Fuzzy Hash: 0658b376bcb09d3b1623ea1109e1a8d18661693cf380f832f364bd55edc542e5
                    • Instruction Fuzzy Hash: B81135B69002099FDB00CFA9D844BEEBBF4EF48314F14804AE918A7220C3789950CF61
                    Memory Dump Source
                    • Source File: 00000000.00000002.4536480566.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7060000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ab0174cd9c0ee134f87ec52e3a297a7b8437eb049cc5a28db8354026dfc2ca5b
                    • Instruction ID: a98c414d107b14fbcd19db98ba7d1882cff6e506d2d3d032bf646d99291956eb
                    • Opcode Fuzzy Hash: ab0174cd9c0ee134f87ec52e3a297a7b8437eb049cc5a28db8354026dfc2ca5b
                    • Instruction Fuzzy Hash: F731CE706453458FC7269738D8656AE7FF2DF86320B0409EAD149DB342DB348C46C7A2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533491672.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c8d000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bfdd41792b40c786f9ef62eb3df7de35adbf6330a36c77cbdd4ab83725bb8e5c
                    • Instruction ID: d6bd654b090ffdc22ea704c691ba0afc795988f9274572795b6e6d5b4d78ddd8
                    • Opcode Fuzzy Hash: bfdd41792b40c786f9ef62eb3df7de35adbf6330a36c77cbdd4ab83725bb8e5c
                    • Instruction Fuzzy Hash: E02106B2504244DFDB05EF54D9C0B26BF65FB94328F20C16DE90A0B296C376D955CBA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533554715.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_cad000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 81ae7f0b086412d311f2d1bc4721ba11510d6342c4b8b68a17ee8f805ff12c17
                    • Instruction ID: 85de16f4428f0020df52f309d64ec53e590b958962a8e87f75fbb2934d4f8edd
                    • Opcode Fuzzy Hash: 81ae7f0b086412d311f2d1bc4721ba11510d6342c4b8b68a17ee8f805ff12c17
                    • Instruction Fuzzy Hash: 472126B5504305EFDB04DF14D9C0B2ABBA5FB85328F20C56DEA0B4B692C776D846CBA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533554715.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_cad000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ceddf6eebcea7118b0f3e53be91c9cc2e93628543dd69abef5fe7d34f127c5a8
                    • Instruction ID: 3d02d99392690166b43593d8627a0be81b8c8d45a46c9618974d54dc00226e48
                    • Opcode Fuzzy Hash: ceddf6eebcea7118b0f3e53be91c9cc2e93628543dd69abef5fe7d34f127c5a8
                    • Instruction Fuzzy Hash: E82134B5504205EFDF04DF10D9C0B2ABBB1FB85328F20C56DE90B4B662C77AD846CA62
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533491672.0000000000C8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C8D000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_c8d000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                    • Instruction ID: 2b4025c34e6c201a80dfa16e741e2aea93321b5769142f3943718c4fe65fc751
                    • Opcode Fuzzy Hash: fed46cca7f742b7caa711e8ed735342f41d2c2d3303e466d284e334843d61363
                    • Instruction Fuzzy Hash: E311E9B6504240CFCF16DF14D5C4B16BF71FB94318F24C5AAD9060B256C336D956CB91
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533554715.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_cad000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                    • Instruction ID: 3faa8579e1519d7974d9ee282b9bc69945808252f41b2831e92765738852af57
                    • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                    • Instruction Fuzzy Hash: A011DD75504680CFCB01CF10D5C4B19BBB1FB85328F28C6A9D84A4B662C33AD94ACFA2
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533554715.0000000000CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CAD000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_cad000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                    • Instruction ID: b3e97156a92e9e952aadfb99eaf0b41f4fddeea7bac2666be8f7bfacea6047a6
                    • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                    • Instruction Fuzzy Hash: F711D075504284DFDB01CF10D9C4B19BBB1FB45328F24C6A9D90A4B666C33AD94ACF91
                    Memory Dump Source
                    • Source File: 00000000.00000002.4536480566.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7060000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4f4a318a6df64b0de08a8d40ec979063799f8ff9377d149c1e4ecd73cba4a033
                    • Instruction ID: 0d1cf5db03579b58831cb03b8d44c24d4b28727d139cd0c287beb694e54bfa59
                    • Opcode Fuzzy Hash: 4f4a318a6df64b0de08a8d40ec979063799f8ff9377d149c1e4ecd73cba4a033
                    • Instruction Fuzzy Hash: E511C471B101089FD7049B29C859B6EBBF6AF8C710F204059E502E73A0CF719D01CBA0
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.4533708091.0000000000D40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D40000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_d40000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID: \V[n
                    • API String ID: 0-1005319620
                    • Opcode ID: d611a9fb926d0ca884701dc23511823ec28bec3e6db87d9f61e50912bcc58343
                    • Instruction ID: c374dd4decbfd20dfcef7c2c848e53f37a5309c961af6e2b6943447b6482d3ac
                    • Opcode Fuzzy Hash: d611a9fb926d0ca884701dc23511823ec28bec3e6db87d9f61e50912bcc58343
                    • Instruction Fuzzy Hash: 99919E70E002498FDF10CFA8C98179EBBF2BF88714F188129E405A7294EB749995CFA1
                    Memory Dump Source
                    • Source File: 00000000.00000002.4536480566.0000000007060000.00000040.00000800.00020000.00000000.sdmp, Offset: 07060000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7060000_QHLQyYBiH7.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: baafe94d384da2f348e9a2ecb915194fc77dbcb213dfe27b89ec2c82c7c0a49e
                    • Instruction ID: 27fedb30f9fbaf7f58fd6a683e04a95bb4f374d9c2d780f9b97b5d265c5ae43a
                    • Opcode Fuzzy Hash: baafe94d384da2f348e9a2ecb915194fc77dbcb213dfe27b89ec2c82c7c0a49e
                    • Instruction Fuzzy Hash: AC825B707002058FEB54EF69C898B2EBBE2BFC4704F60952DE5069B3A6CE759D06CB51