
Windows Analysis Report
gagagggagagag.exe

Overview

General Information

Sample name: gagagggagagag.exe
Analysis ID: 1574517
MD5: 7f20b668a7680f502780742c8dc28e83
SHA1: 8e49ea3b6586893ecd62e824819da9891cda1e1b
SHA256: 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2
Tags: AsyncRAT, exe, user-lontze7

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • gagagggagagag.exe (PID: 1448 cmdline: "C:\Users\user\Desktop\gagagggagagag.exe" MD5: 7F20B668A7680F502780742C8DC28E83)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"External_config_on_Pastebin": "null", "Server": "185.16.38.41", "Ports": "2033,2034,2035,2022,2023,2024,20000,6666", "Version": "| Edit 3LOSH RAT", "Autorun": "false", "Install_Folder": "ak1ZQjZ2bEQ3VVlxMkRzMndYM21JNzlya1lzVVREMko=", "Install_File": "SrlfNI5vbH1HHl50MHFQyV+obaGXluc/Su4FpzcCma+0EbqU24JiGETuF+BSFfitNxYZi+Bz7SWKBKl1Q35bhCToFLRQxsLGdDHFoCTPXzY=", "AES_key": "jMYB6vlD7UYq2Ds2wX3mI79rkYsUTD2J", "Mutex": "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", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source | Rule | Description | Author | Strings
gagagggagagag.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
gagagggagagag.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
gagagggagagag.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf94:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xfc38:$a2: Stub.exe
  • 0xfcc8:$a2: Stub.exe
  • 0x9765:$a3: get_ActivatePong
  • 0xd1ac:$a4: vmware
  • 0xd024:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa6fc:$a6: get_SslClient
gagagggagagag.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd026:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcd94:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x9565:$a3: get_ActivatePong
  • 0xcfac:$a4: vmware
  • 0xce24:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa4fc:$a6: get_SslClient
00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xce26:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: gagagggagagag.exe PID: 1448 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security

Source | Rule | Description | Author | Strings
0.0.gagagggagagag.exe.da0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.gagagggagagag.exe.da0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.gagagggagagag.exe.da0000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcf94:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xfc38:$a2: Stub.exe
  • 0xfcc8:$a2: Stub.exe
  • 0x9765:$a3: get_ActivatePong
  • 0xd1ac:$a4: vmware
  • 0xd024:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa6fc:$a6: get_SslClient
0.0.gagagggagagag.exe.da0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd026:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
                No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-13T11:52:04.526309+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 185.16.38.41 | 2024 | 192.168.2.7 | 49705 | TCP
2024-12-13T11:52:04.526309+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 185.16.38.41 | 2024 | 192.168.2.7 | 49705 | TCP
2024-12-13T11:52:04.526309+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 185.16.38.41 | 2024 | 192.168.2.7 | 49705 | TCP


                AV Detection

Source: gagagggagagag.exe | Avira: detected
Source: gagagggagagag.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "185.16.38.41", "Ports": "2033,2034,2035,2022,2023,2024,20000,6666", "Version": "| Edit 3LOSH RAT", "Autorun": "false", "Install_Folder": "ak1ZQjZ2bEQ3VVlxMkRzMndYM21JNzlya1lzVVREMko=", "Install_File": "SrlfNI5vbH1HHl50MHFQyV+obaGXluc/Su4FpzcCma+0EbqU24JiGETuF+BSFfitNxYZi+Bz7SWKBKl1Q35bhCToFLRQxsLGdDHFoCTPXzY=", "AES_key": "jMYB6vlD7UYq2Ds2wX3mI79rkYsUTD2J", "Mutex": "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", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source: gagagggagagag.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: gagagggagagag.exe | Joe Sandbox ML: detected
Source: gagagggagagag.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gagagggagagag.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 185.16.38.41:2024 -> 192.168.2.7:49705
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.16.38.41:2024 -> 192.168.2.7:49705
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 185.16.38.41:2024 -> 192.168.2.7:49705
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 185.16.38.41:2024 -> 192.168.2.7:49705
Source: Yara match | File source: gagagggagagag.exe, type: SAMPLE
Source: Yara match | File source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 185.16.38.41:2024
Source: Joe Sandbox View | ASN Name: PL-SKYTECH-ASPL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.16.38.41
Source: gagagggagagag.exe, 00000000.00000002.3736258617.0000000005655000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: gagagggagagag.exe, 00000000.00000002.3736258617.0000000005655000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: gagagggagagag.exe, 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: gagagggagagag.exe, type: SAMPLE
Source: Yara match | File source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR

                System Summary

Source: gagagggagagag.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: gagagggagagag.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\gagagggagagag.exe | Code function: 0_2_02EEE048
Source: C:\Users\user\Desktop\gagagggagagag.exe | Code function: 0_2_076117C0
Source: gagagggagagag.exe, 00000000.00000002.3736945735.0000000005939000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs gagagggagagag.exe
Source: gagagggagagag.exe, 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs gagagggagagag.exe
Source: gagagggagagag.exe | Binary or memory string: OriginalFilenameStub.exe" vs gagagggagagag.exe
Source: gagagggagagag.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: gagagggagagag.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: gagagggagagag.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: gagagggagagag.exe, PSUyOwdskSQDg.cs | Base64 encoded strings found (the truncated list of encoded values is omitted here; it includes the same Install_File value that appears in the extracted AsyncRAT configuration)
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\gagagggagagag.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\gagagggagagag.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_XXXX765643
Source: gagagggagagag.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: gagagggagagag.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\gagagggagagag.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: gagagggagagag.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\gagagggagagag.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: gagagggagagag.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: gagagggagagag.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

Source: gagagggagagag.exe, TJMBCmpMBZPK.cs | .Net Code: OuxstKXXnpsGI System.AppDomain.Load(byte[])
Source: gagagggagagag.exe, xYtYlQiGWhdnNwo.cs | High entropy of concatenated method names: 'CaSREvqJAtSrGfWw', 'hKKDUCkiRlmVreW', 'LWzUKtKKraIK', 'gfolTTuBWus', 'uScvpCpwnPTL', 'anwBvilwiBkasj', 'lVnFTDVsHnAPl', 'qdqMUYMYNfNTdCq', 'QseaFdoPrHW', 'IKSERXgyAWC'
Source: gagagggagagag.exe, soRrFYcvykZVC.cs | High entropy of concatenated method names: 'cTHlZAzWeJpJzTB', 'yjAworAxTsb', 'yMMDHibdFkXHC', 'PrfSuKihtfPs', 'rQqEZrzoTBc', 'uDbpRQZmkoGP', 'NCeRszSJdQBU', 'xxOvuLxUDuP', 'xkIOeawnzIFqIF', 'CvbIRZRPTkgv'

                Boot Survival

Source: Yara match | File source: gagagggagagag.exe, type: SAMPLE
Source: Yara match | File source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR
Source: C:\Users\user\Desktop\gagagggagagag.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
Source: C:\Users\user\Desktop\gagagggagagag.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\gagagggagagag.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\gagagggagagag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\gagagggagagag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\gagagggagagag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\gagagggagagag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\gagagggagagag.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match; file source: gagagggagagag.exe, type: SAMPLE
Source: Yara match; file source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR
Source: gagagggagagag.exe, binary or memory string: SBIEDLL.DLL (Sandboxie's user-mode hook DLL; probing for it is a standard sandbox check)
Source: C:\Users\user\Desktop\gagagggagagag.exe, memory allocated: 2EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gagagggagagag.exe, memory allocated: 3020000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\gagagggagagag.exe, memory allocated: 5020000 memory reserve | memory write watch
(The .NET garbage collector reserves its heaps with MEM_WRITE_WATCH, so the three write-watch allocations above also appear in ordinary managed processes and are weak evidence on their own.)
Source: C:\Users\user\Desktop\gagagggagagag.exe, thread delayed: delay time: 922337203685477 (this is Int64.MaxValue / 10 000, i.e. TimeSpan.MaxValue expressed in milliseconds: an effectively unbounded wait)
Source: C:\Users\user\Desktop\gagagggagagag.exe, Window / User API: threadDelayed 9766
Source: C:\Users\user\Desktop\gagagggagagag.exe TID: 4100, thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\gagagggagagag.exe TID: 3452, thread sleep count: 33 > 30
Source: C:\Users\user\Desktop\gagagggagagag.exe TID: 3452, thread sleep time: -30437127721620741s >= -30000s
Source: C:\Users\user\Desktop\gagagggagagag.exe TID: 6912, thread sleep count: 9766 > 30
Source: C:\Users\user\Desktop\gagagggagagag.exe TID: 6912, thread sleep count: 80 > 30
Source: C:\Users\user\Desktop\gagagggagagag.exe, file volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, thread delayed: delay time: 922337203685477
Source: gagagggagagag.exe, binary or memory string: vmware
Source: gagagggagagag.exe, 00000000.00000002.3733309526.0000000001447000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAWE
Source: gagagggagagag.exe, 00000000.00000002.3738399840.00000000067E3000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAW
Source: gagagggagagag.exe, 00000000.00000002.3736258617.0000000005655000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: Hyper-V RAW(
Source: C:\Users\user\Desktop\gagagggagagag.exe, process information queried: ProcessInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, process token adjusted: Debug (SeDebugPrivilege enabled on the process token)
Source: C:\Users\user\Desktop\gagagggagagag.exe, memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\gagagggagagag.exe, queries volume information: C:\Users\user\Desktop\gagagggagagag.exe VolumeInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\gagagggagagag.exe, queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
(The four GAC queries are the CLR loading those framework assemblies; only the first, against the sample itself, is the sample's own behaviour.)
Source: C:\Users\user\Desktop\gagagggagagag.exe, key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match; file source: gagagggagagag.exe, type: SAMPLE
Source: Yara match; file source: 0.0.gagagggagagag.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match; file source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match; file source: 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; file source: Process Memory Space: gagagggagagag.exe PID: 1448, type: MEMORYSTR
Source: gagagggagagag.exe, 00000000.00000002.3733309526.0000000001447000.00000004.00000020.00020000.00000000.sdmp, binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\gagagggagagag.exe, WMI query: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Despite the heading, the evidence listed here is discovery rather than tampering: the WMI query enumerates the antivirus products registered with Security Center (RATs commonly report the result in their check-in), and the Defender path is only a string in memory. No change to a security setting is recorded anywhere in this report.
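The two sections above are built on strings found in the binary and its memory dumps. As an added example (not part of the Joe Sandbox report and not AsyncRAT code), the scanner below looks for the same indicator strings in both ASCII and UTF-16LE, because a .NET assembly stores its user strings UTF-16LE in the #US metadata heap and an ASCII-only search misses them. The indicator meanings are the editor's annotations, and the input buffer is constructed here to stand in for a memory dump; it is not data from the report.

```python
import re

# Indicator strings taken from the two report sections above; the meanings are
# the editor's annotations, not report text.
INDICATORS = {
    "SBIEDLL.DLL": "Sandboxie user-mode hook DLL (classic sandbox probe)",
    "vmware": "VMware vendor string (VM detection)",
    "Hyper-V RAW": "Hyper-V marker seen in process memory",
    "Select * from AntivirusProduct": "WMI enumeration of registered AV (root\\SecurityCenter2)",
    "MsMpEng.exe": "Windows Defender engine process name",
}


def scan(buf: bytes, indicators=INDICATORS, utf16: bool = True) -> list:
    """Return indicator hits (offset, encoding, string, meaning) sorted by offset.

    utf16=False reproduces a naive ASCII-only grep so the difference is visible.
    """
    hits = []
    for needle, meaning in indicators.items():
        encodings = [("ascii", needle.encode("ascii"))]
        if utf16:
            encodings.append(("utf-16le", needle.encode("utf-16-le")))
        for enc, raw in encodings:
            # IGNORECASE on a bytes pattern folds ASCII letters only; the interleaved
            # NUL bytes of UTF-16LE are matched literally, which is what we want.
            for m in re.finditer(re.escape(raw), buf, re.IGNORECASE):
                hits.append({"offset": m.start(), "encoding": enc,
                             "string": needle, "meaning": meaning})
    return sorted(hits, key=lambda h: h["offset"])


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump (editor's test input, not report data):
    three .NET-style UTF-16LE strings and one ASCII string separated by padding."""
    return (b"\x00" * 16
            + "SbieDll.dll".encode("utf-16-le") + b"\x00" * 8        # offset 16
            + "VMware".encode("utf-16-le") + b"\x00" * 8             # offset 46
            + b"Hyper-V RAW" + b"\x00" * 8                            # offset 66, ASCII
            + "Select * from AntivirusProduct".encode("utf-16-le"))  # offset 85


if __name__ == "__main__":
    for h in scan(build_sample()):
        print(f"{h['offset']:6d}  {h['encoding']:8s}  {h['string']!r:34s}  {h['meaning']}")
    print("hits with an ASCII-only search:", len(scan(build_sample(), utf16=False)))
```

Run against a real dump, the same function is what turns the report's "Binary or memory string" lines into offsets you can pivot on; the ASCII-only run finds one of the four planted strings, which is why string-based YARA rules for .NET samples carry a `wide` modifier.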
MITRE ATT&CK techniques matched, by tactic (number of matching signatures in parentheses; the remaining cells of the report's matrix carry no count):

Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1)
Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (1); Non-Standard Port (1)
Source  Detection  Scanner  Label
gagagggagagag.exe  79%  ReversingLabs  ByteCode-MSIL.Backdoor.AsyncRAT
gagagggagagag.exe  100%  Avira  TR/Dropper.Gen
gagagggagagag.exe  100%  Joe Sandbox ML
No antivirus matches in the four remaining scanner tables.
Domains (name, IP, active, malicious, antivirus detection, reputation)
bg.microsoft.map.fastly.net  199.232.210.172  active: true  malicious: false  reputation: high  (this IP is on the analysis' whitelisted exclusion list below: Microsoft CDN background traffic, not sample C2)

URLs (name, source, malicious, antivirus detection, reputation)
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name  source: gagagggagagag.exe, 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high  (the .NET ClaimTypes.Name URI found as a string in memory; no traffic to it appears in the network section)

IPs (IP, domain, country, ASN, ASN name, malicious)
185.16.38.41  unknown  Poland  201814  PL-SKYTECH-ASPL  malicious: true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1574517
Start date and time: 2024-12-13 11:51:01 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 18s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: gagagggagagag.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/2@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 15
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 199.232.210.172, 13.107.246.63, 172.202.163.200
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found
• Report size getting too big, too many NtQueryValueKey calls found
• Report size getting too big, too many NtReadVirtualMemory calls found
• VT rate limit hit for: gagagggagagag.exe

Time  Type  Description
05:52:05  API Interceptor  8172413x Sleep call for process: gagagggagagag.exe modified
Context: other samples seen with the same IP, domain or ASN (associated sample name, detection, threat name, context IP)

185.16.38.41
  Nz5Uxxtwx2.ps1  malicious  AsyncRAT
  Stub.exe  malicious  AsyncRAT

bg.microsoft.map.fastly.net (a shared Microsoft CDN name that is whitelisted in this analysis, so co-occurrence with the samples below carries no attribution value)
  Loader.exe  malicious  Quasar  199.232.214.172
  1434orz.exe  malicious  Quasar  199.232.214.172
  file.exe  malicious  Stealc  199.232.214.172
  3.exe  malicious  CobaltStrike, ReflectiveLoader  199.232.210.172
  3.exe  malicious  CobaltStrike  199.232.210.172
  Bilbao.dll.dll  malicious  Unknown  199.232.210.172
  3181425fa7464801a03868a1adf86bc1.ps1  malicious  Unknown  199.232.214.172
  job.ps1  malicious  DcRat, StormKitty, VenomRAT  199.232.210.172
  job.ps1  malicious  DcRat, StormKitty, VenomRAT  199.232.210.172
  Ni2ghr9eUJ.exe  malicious  Socks5Systemz  199.232.214.172

PL-SKYTECH-ASPL (ASN-level context only; these are other hosts in the same autonomous system)
  SH8ZyOWNi2.exe  malicious  CMSBrute  149.86.226.5
  Bestellung - 021224 - 901003637.exe  malicious  Quasar  193.34.212.17
  Zam.exe  malicious  Discord Token Stealer, PureLog Stealer  193.34.212.17
  KRcLFIz5PCQunB7.exe  malicious  Quasar  193.34.212.17
  file.exe  malicious  WhiteSnake Stealer  91.223.3.164
  Payload 94.75 (3).225.exe  malicious  Unknown  95.214.53.96
  4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll  malicious  Unknown  193.34.212.14
  4b7b5bc7b0d1f70adf6b80390f1273723c409b837c957.dll  malicious  Unknown  193.34.212.14
  SH20240622902.scr.exe  malicious  PureLog Stealer, zgRAT  193.34.212.15
  arm7.elf  malicious  Unknown  95.214.52.167

No context in the remaining two tables.
Dropped files

Process: C:\Users\user\Desktop\gagagggagagag.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 71954
Entropy (8bit): 7.996617769952133
Encrypted: true (the report's entropy heuristic; the file is compressed, not encrypted)
SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious: false
Reputation: high, very likely benign file
Preview: MSCF cabinet header with the single member authroot.stl (compressed payload omitted)

Process: C:\Users\user\Desktop\gagagggagagag.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.2418003062782916
Encrypted: false
SSDEEP: 6:kKQL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:4iDImsLNkPlE99SNxAhUe/3
MD5: 3FB91772CC2A1AABE091ED14915DBEC0
SHA1: 424F6B4396A56186DCA55581F34DF8FAF59C1803
SHA-256: 346466E139E4524363B57C165AD2B32B5D73BCAE226CE0A12D241B13AAB4362A
SHA-512: D6B36D13591E2E1F14DAE3154A5B20A18B6B87BA6A7E64596A8FED12B45632D8F8AB9311A6B7B5F17F9282DD0EAFC4F94D1E9E9F3A23D212F85F2B9BA3BB1AB8
Malicious: false
Reputation: low
Preview: binary header followed by the UTF-16LE strings http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab and "a7282eb40b1da1:0" (an ETag-style cache value)

Both files are artifacts of the Windows CryptoAPI automatic root-certificate update (authrootstl.cab fetched from ctldl.windowsupdate.com, a domain the analysis whitelists), triggered by certificate chain building during the TLS handshake with the C2. They are not payloads written by the RAT, and the report lists no other dropped files.
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.529468152180746
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: gagagggagagag.exe
File size: 66'560 bytes
MD5: 7f20b668a7680f502780742c8dc28e83
SHA1: 8e49ea3b6586893ecd62e824819da9891cda1e1b
SHA256: 9334ce1ad264ddf49a2fe9d1a52d5dd1f16705bf076e2e589a6f85b6cd848bb2
SHA512: 80a8b05f05523b1b69b6276eb105d3741ae94c844a481dce6bb66ee3256900fc25f466aa6bf55fe0242eb63613e8bd62848ba49cd362dbdd8ae0e165e9d5f01c
SSDEEP: 1536:DWqxSnrykLcFlmeA6Zdt/HCiCPEsfnhOjyXbZQG17uMJYfvISLWcx:DWYSrykLBEsfnheyXbZZNuxtXx
TLSH: 445308053BE9802AF3BF8F7469F2628506F5F5AF2D12D55D1C8410CE0532BC29A52BBB
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ... ....@.. .......................`............`................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x41179e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x6419E213 [Tue Mar 21 16:57:55 2023 UTC]
TLS Callbacks: none (the TLS directory is empty)
CLR (.Net) Version: (not reported)
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744 (this imphash is shared by essentially every .NET executable, since they all import only mscoree.dll!_CorExeMain; it has no value for clustering)
Instruction (disassembly at the entrypoint, 0x41179e)
jmp dword ptr [00402000h]
(The remaining bytes are zero padding, which the disassembler renders as 97 repeated "add byte ptr [eax], al".)
Data directories (Name, Virtual Address, Virtual Size, Is in Section)
IMAGE_DIRECTORY_ENTRY_EXPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IMPORT  0x11744  0x57  .text
IMAGE_DIRECTORY_ENTRY_RESOURCE  0x12000  0x7ff  .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION  0x0  0x0
IMAGE_DIRECTORY_ENTRY_SECURITY  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC  0x14000  0xc  .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR  0x0  0x0
IMAGE_DIRECTORY_ENTRY_TLS  0x0  0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IAT  0x2000  0x8  .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008  0x48  .text
IMAGE_DIRECTORY_ENTRY_RESERVED  0x0  0x0

Sections (Name, Virtual Address, Virtual Size, Raw Size, MD5, Xored PE, ZLIB Complexity, File Type, Entropy, Characteristics)
.text  0x2000  0xf7a4  0xf800  02b07962d4380f06512aeebeb057833f  False  0.5002047631048387  data  5.569652990477762  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0x12000  0x7ff  0x800  33cdbc5c50f34a35b4f0e61582ac7f11  False  0.41650390625  data  4.884866150337139  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x14000  0xc  0x200  d6bfc2947a4e809d7fef143f35a58776  False  0.044921875  data  0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources (Name, RVA, Size, Type, ZLIB Complexity; language and country are not reported)
RT_VERSION  0x120a0  0x2cc  data  0.43575418994413406
RT_MANIFEST  0x1236c  0x493  exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators  0.43381725021349277

Imports (DLL: function)
mscoree.dll: _CorExeMain
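The header data above is the standard shape of a managed executable: a single import (mscoree.dll!_CorExeMain) through an 8-byte IAT at RVA 0x2000, an entrypoint that is just `jmp dword ptr [00402000h]` through that IAT, and a 0x48-byte CLR header at RVA 0x2008 referenced by IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR. The loader on current Windows starts the CLR from that directory entry and never executes the stub, so the directory entry is the reliable "is this .NET" test. As an added example (not the report's or AsyncRAT's code), the parser below reads those fields from raw bytes and checks both conditions; its input is a PE32 image constructed here with the header values from this report but no real code or metadata.

```python
import struct

DIR_IMPORT, DIR_IAT, DIR_COM_DESCRIPTOR = 1, 12, 14   # data-directory indices
COR20_HEADER_SIZE = 0x48                              # sizeof(IMAGE_COR20_HEADER)


def parse_pe32(data: bytes) -> dict:
    """Read the PE32 fields needed for triage straight from the raw bytes."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled; PE32+ places ImageBase and the directories elsewhere")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), va, vsize, rawptr, rawsize))
    return {"entry_rva": entry_rva, "image_base": image_base, "dirs": dirs, "sections": sections}


def rva_to_offset(pe: dict, rva: int) -> int:
    """Map an RVA to a file offset via the section table."""
    for _name, va, vsize, rawptr, rawsize in pe["sections"]:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def triage(data: bytes) -> dict:
    """Is this a managed executable, and is the entrypoint the usual mscoree stub?"""
    pe = parse_pe32(data)
    clr_rva, clr_size = pe["dirs"][DIR_COM_DESCRIPTOR]
    iat_rva, iat_size = pe["dirs"][DIR_IAT]
    stub = data[rva_to_offset(pe, pe["entry_rva"]):][:6]
    result = {"is_dotnet": clr_size != 0,               # a well-formed CLR header is 0x48 bytes
              "clr_header_well_formed": clr_size == COR20_HEADER_SIZE,
              "clr_header": (clr_rva, clr_size), "stub_target": None, "entry_jumps_via_iat": False}
    if stub[:2] == b"\xff\x25":                        # FF 25 = jmp dword ptr [abs32]
        target = struct.unpack("<I", stub[2:6])[0]
        result["stub_target"] = target
        result["entry_jumps_via_iat"] = iat_rva <= target - pe["image_base"] < iat_rva + iat_size
    return result


def build_sample() -> bytes:
    """Constructed 64 KiB PE32 image carrying the header values from this report; it holds
    no real code or metadata, only the six-byte entry stub (editor's test input)."""
    buf = bytearray(0x200 + 0xF800)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<4sHHIIIHH", buf, 0x80, b"PE\0\0", 0x14C, 1, 0x6419E213, 0, 0, 224, 0x0102)
    opt = 0x98
    struct.pack_into("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII", buf, opt,
                     0x10B, 48, 0, 0xF800, 0xA00, 0,                          # magic, linker, size fields
                     0x1179E, 0x2000, 0x12000, 0x400000, 0x2000, 0x200,       # entry, code, data, base, alignments
                     4, 0, 0, 0, 4, 0, 0, 0x16000, 0x200, 0,                  # versions, SizeOfImage, SizeOfHeaders, checksum
                     2, 0x8560, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)    # GUI subsystem, DLL flags, stack/heap, dirs
    for idx, (rva, size) in {DIR_IMPORT: (0x11744, 0x57), DIR_IAT: (0x2000, 8),
                             DIR_COM_DESCRIPTOR: (0x2008, 0x48)}.items():
        struct.pack_into("<II", buf, opt + 96 + 8 * idx, rva, size)
    struct.pack_into("<8sIIIIIIHHI", buf, opt + 224,
                     b".text", 0xF7A4, 0x2000, 0xF800, 0x200, 0, 0, 0, 0, 0x60000020)
    entry_off = 0x200 + (0x1179E - 0x2000)
    buf[entry_off:entry_off + 6] = b"\xff\x25" + struct.pack("<I", 0x402000)   # jmp dword ptr [00402000h]
    return bytes(buf)


if __name__ == "__main__":
    for key, value in triage(build_sample()).items():
        print(f"{key:24s} {value}")
```

Pointing `triage` at a real file is `triage(open(path, "rb").read())`; a sample whose CLR directory is empty but whose entrypoint still jumps through an mscoree IAT slot, or the reverse, is worth a closer look, since neither half of the pattern appears alone in a compiler-produced assembly.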
Timestamp  SID  Signature  Severity  Source IP  Source Port  Dest IP  Dest Port  Protocol
2024-12-13T11:52:04.526309+0100  2842478  ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)  1  185.16.38.41  2024  192.168.2.7  49705  TCP
2024-12-13T11:52:04.526309+0100  2030673  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)  1  185.16.38.41  2024  192.168.2.7  49705  TCP
2024-12-13T11:52:04.526309+0100  2035595  ET MALWARE Generic AsyncRAT Style SSL Cert  1  185.16.38.41  2024  192.168.2.7  49705  TCP
2024-12-13T11:52:04.526309+0100  2035607  ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)  1  185.16.38.41  2024  192.168.2.7  49705  TCP

All four alerts share one timestamp and one server-to-client 5-tuple: they match the TLS server certificate and JA3S fingerprint sent by 185.16.38.41:2024 (the packet at 11:52:04.526309 in the flow below), which identifies that host as the AsyncRAT C2 listening on a non-standard port.
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 13, 2024 11:52:02.951854944 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:03.071796894 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:03.075972080 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:03.086978912 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:03.206928968 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:04.363774061 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:04.363812923 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:04.363877058 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:04.406512022 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:04.526309013 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:04.824539900 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:04.877438068 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:06.903177977 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:07.024821043 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:07.024893045 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:07.144573927 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:15.409986973 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:15.529926062 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:15.530097008 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:15.649998903 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:18.104298115 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:18.158761978 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:18.298177004 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:18.308212996 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:18.427942991 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:18.428011894 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:18.548166990 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:19.540826082 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:19.580610991 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:19.733108044 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:19.783775091 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:23.925200939 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:24.045217991 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:24.045286894 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:24.165095091 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:27.306358099 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:27.346312046 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:27.498621941 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:27.500564098 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:27.620354891 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:27.620488882 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:27.741383076 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:32.440624952 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:32.560437918 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:32.560672998 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:32.680500984 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:40.956579924 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:41.076498032 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:41.076644897 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:41.196496010 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:49.471999884 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:49.591705084 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:49.591804981 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:49.711539030 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.264118910 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.315169096 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:56.456135035 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.458422899 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:56.578236103 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.578336000 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:56.648407936 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.690215111 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:56.698154926 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.770567894 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.815159082 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:56.890527010 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:56.892656088 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:57.013951063 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:57.014038086 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:57.133935928 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:57.987720966 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:58.107577085 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:58.107947111 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:58.227871895 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:58.548481941 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:58.596395016 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:58.740919113 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:58.742700100 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:58.862895966 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:52:58.863004923 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:52:58.983064890 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:06.584830046 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:06.704649925 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:06.704704046 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:06.824651957 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.098074913 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:15.167114973 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.170231104 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:15.217859030 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.290842056 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.359020948 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.365287066 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:15.485193968 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:15.486148119 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:15.606034040 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:19.960376024 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:20.002738953 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:20.151762009 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:20.154155016 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:20.273894072 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:20.273962021 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:20.393867016 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:20.555973053 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:20.675812960 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:20.682001114 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:20.802975893 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:21.050535917 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:21.171849966 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:21.171982050 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:21.292239904 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:29.565675020 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:29.685360909 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:29.685415983 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:29.805257082 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:38.082027912 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:38.210851908 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:38.210908890 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:38.330776930 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:39.224004984 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:39.343868971 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:39.344183922 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:39.463862896 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:47.737904072 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:47.857753992 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:47.857819080 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:47.978213072 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:56.253251076 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:56.373986006 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:56.374058008 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:56.494113922 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:59.476016998 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:59.518512964 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:53:59.668204069 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:53:59.722677946 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:00.330996990 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:00.377888918 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:00.523245096 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:00.582163095 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.262130022 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.315455914 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.459355116 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.461014032 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.581568956 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.581787109 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.660567999 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.701685905 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.706017971 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.789901972 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.791821003 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:02.911775112 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:02.911851883 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:03.031929970 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:03.534729958 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:03.654700041 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:03.654800892 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:03.774676085 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.064047098 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.112318993 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:05.268587112 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.315407038 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:05.447011948 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:05.568077087 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.568155050 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:05.688036919 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.793742895 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.880575895 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:05.880637884 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:05.884517908 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:06.004163980 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:06.004223108 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:06.083800077 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:06.125565052 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:06.237289906 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:06.287457943 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:06.289170980 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:06.409153938 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:06.409270048 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:06.529366970 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:09.008251905 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:09.204819918 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:09.204977036 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:09.206960917 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:09.326709032 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:09.326786995 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:09.446598053 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:12.050484896 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:12.170377016 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:12.170444012 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:12.290251017 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:20.565888882 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:20.685925961 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:20.686002970 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:20.805903912 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:29.140587091 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:29.261324883 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:29.262552023 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:29.382637978 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:37.612803936 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:37.732666016 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:37.732770920 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:37.852607012 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:46.172281027 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:46.293467045 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:46.293540001 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:46.413691044 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:54.644273043 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:55.035353899 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:55.074212074 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:55.076025963 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:54:55.155219078 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:54:55.195749998 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:03.161207914 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:03.281151056 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:03.281251907 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:03.401068926 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:06.290354967 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:06.425013065 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:06.481823921 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:06.483643055 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:06.603544950 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:06.603658915 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:06.673913002 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:06.674002886 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:06.724148035 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:07.848963976 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:07.925395966 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:08.041647911 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:08.112765074 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:11.676105022 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:11.876279116 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:11.884273052 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:12.117763042 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:20.223242998 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:20.342947006 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:20.343169928 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:20.463814020 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:21.933593035 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:22.112579107 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:22.125437975 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:22.127221107 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:22.247095108 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:22.248318911 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:22.368192911 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:23.173639059 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:23.221983910 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:23.365865946 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:23.391761065 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:23.511562109 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:23.512191057 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:23.633507013 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:24.550626040 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:24.670504093 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:24.670598984 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:24.790647030 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.217417002 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.344153881 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:25.409562111 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.411458969 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:25.531333923 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.531403065 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:25.651411057 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.707974911 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.843792915 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.843857050 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:25.845798016 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:25.965636015 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:25.965679884 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:26.085758924 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.296802998 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.425108910 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:27.488874912 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.494995117 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:27.614702940 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.614859104 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:27.734643936 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.819288015 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.932971001 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:27.933183908 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:27.940179110 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:28.060080051 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:28.060198069 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:28.180408001 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:28.664911985 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:28.815717936 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:28.857126951 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:28.925196886 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:29.005137920 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:29.048991919 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:29.049637079 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:29.125039101 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:29.126182079 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:29.169733047 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:29.246073008 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.066200972 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:33.186033010 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.186096907 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:33.305881977 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.649864912 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.722011089 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:33.841826916 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.843847036 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:33.963623047 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:33.963745117 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:34.083596945 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.019337893 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:38.139554024 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.139617920 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:38.259290934 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.591732979 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.722054958 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:38.783644915 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.785526991 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:38.905383110 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:38.905438900 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:39.025340080 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:46.519331932 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:46.639337063 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:46.639516115 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:46.759438992 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:47.080064058 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:47.222115993 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:47.272129059 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:47.274151087 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:47.394300938 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:47.394418955 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:47.514230967 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:49.533431053 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:49.650156021 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:49.726003885 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:49.769804955 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:52.597537041 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:52.717716932 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:52.717797041 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:52.838222027 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:53.158521891 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:53.222104073 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:53.350452900 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:53.352497101 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:53.472331047 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:55:53.472389936 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:55:53.592235088 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:01.113116980 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:01.233398914 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:01.233449936 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:01.353291988 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:01.688539028 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:01.880337000 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:01.880393982 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:01.881993055 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:02.001730919 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:02.001805067 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:02.181077957 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:04.441118956 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:04.560883999 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:04.562614918 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:04.682935953 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:05.004354954 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:05.196415901 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:05.196536064 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:05.197222948 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:05.317074060 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
Dec 13, 2024 11:56:05.317241907 CET | 49705 | 2024 | 192.168.2.7 | 185.16.38.41
Dec 13, 2024 11:56:05.437113047 CET | 2024 | 49705 | 185.16.38.41 | 192.168.2.7
                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                        Dec 13, 2024 11:52:05.059849977 CET | 1.1.1.1 | 192.168.2.7 | 0x1906 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                        Dec 13, 2024 11:52:05.059849977 CET | 1.1.1.1 | 192.168.2.7 | 0x1906 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false

                        Target ID: 0
                        Start time: 05:51:57
                        Start date: 13/12/2024
                        Path: C:\Users\user\Desktop\gagagggagagag.exe
                        Wow64 process (32bit): true
                        Commandline: "C:\Users\user\Desktop\gagagggagagag.exe"
                        Imagebase: 0xda0000
                        File size: 66'560 bytes
                        MD5 hash: 7F20B668A7680F502780742C8DC28E83
                        Has elevated privileges: true
                        Has administrator privileges: true
                        Programmed in: C, C++ or other language
                        Yara matches:
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                        • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                        • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1282985227.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                        • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.3734026490.0000000003021000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                        Reputation: low
                        Has exited: false

                          Execution Graph

                          Execution Coverage: 6.4%
                          Dynamic/Decrypted Code Coverage: 100%
                          Signature Coverage: 0%
                          Total number of Nodes: 44
                          Total number of Limit Nodes: 5

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 02EE7CFE
                          • GetCurrentThread.KERNEL32 ref: 02EE7D3B
                          • GetCurrentProcess.KERNEL32 ref: 02EE7D78
                          • GetCurrentThreadId.KERNEL32 ref: 02EE7DD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          Control-flow Graph

                          APIs
                          • GetCurrentProcess.KERNEL32 ref: 02EE7CFE
                          • GetCurrentThread.KERNEL32 ref: 02EE7D3B
                          • GetCurrentProcess.KERNEL32 ref: 02EE7D78
                          • GetCurrentThreadId.KERNEL32 ref: 02EE7DD1
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: Current$ProcessThread
                          • String ID:
                          • API String ID: 2063062207-0

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02EE2A43
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE7F4F
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph

                          APIs
                          • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02EE7F4F
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: DuplicateHandle
                          • String ID:
                          • API String ID: 3793708945-0

                          Control-flow Graph

                          APIs
                          • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 02EE2A43
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: HookWindows
                          • String ID:
                          • API String ID: 2559412058-0

                          Control-flow Graph

                          APIs
                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 02EED3DD
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID: CallbackDispatcherUser
                          • String ID:
                          • API String ID: 2492992576-0

                          Control-flow Graph

                          Memory Dump Source
                          • Source File: 00000000.00000002.3740586298.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7610000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3740586298.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7610000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          Strings
                          Memory Dump Source
                          • Source File: 00000000.00000002.3740586298.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7610000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID: Teq
                          • API String ID: 0-1098410595
                          Memory Dump Source
                          • Source File: 00000000.00000002.3740586298.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7610000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733681255.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_181d000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733716511.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_182d000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733681255.000000000181D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0181D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_181d000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733716511.000000000182D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0182D000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_182d000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3740586298.0000000007610000.00000040.00000800.00020000.00000000.sdmp, Offset: 07610000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_7610000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID:
                          Memory Dump Source
                          • Source File: 00000000.00000002.3733949164.0000000002EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02EE0000, based on PE: false
                          Joe Sandbox IDA Plugin
                          • Snapshot File: hcaresult_0_2_2ee0000_gagagggagagag.jbxd
                          Similarity
                          • API ID:
                          • String ID:
                          • API String ID: