Edit tour

Windows Analysis Report
Syncing.exe

Overview

General Information

Sample name:	Syncing.exe
Analysis ID:	1578700
MD5:	6cf60ceb94a75a9fd3ef42ef53cecd12
SHA1:	21e27216f1cbc2f707e922e0238a21aecae5b0fd
SHA256:	71ad0a40822aa8637e09f788efb4b8c11a151497f624947af9da9cb03bd8bbd8
Tags:	AsyncRATexeuser-lontze7
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AsyncRAT

AI detected suspicious sample

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Machine Learning detection for dropped file

Machine Learning detection for sample

Protects its processes via BreakOnTermination flag

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected Generic Downloader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Yara signature match

Classification

Process Tree

System is w10x64

Syncing.exe (PID: 6636 cmdline: "C:\Users\user\Desktop\Syncing.exe" MD5: 6CF60CEB94A75A9FD3EF42EF53CECD12)

cmd.exe (PID: 1732 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 1136 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 5316 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 7072 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

sync.exe (PID: 2200 cmdline: "C:\Users\user\AppData\Roaming\sync.exe" MD5: 6CF60CEB94A75A9FD3EF42EF53CECD12)

sync.exe (PID: 1804 cmdline: C:\Users\user\AppData\Roaming\sync.exe MD5: 6CF60CEB94A75A9FD3EF42EF53CECD12)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "185.223.30.86", "Ports": "8808", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "sync.exe", "Install_File": "MXJqU29ldW05YjhLOHFNZkw0alFDUHd5NzFCUnlJU08="}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Syncing.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Syncing.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Syncing.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2bb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Roaming\sync.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Roaming\sync.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Roaming\sync.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2bb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa0bb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xb296:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27256:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Syncing.exe PID: 6636	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: Syncing.exe PID: 6636	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x681f:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x22073:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x3fea3:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: sync.exe PID: 1804	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: sync.exe PID: 1804	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x259d5:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 6 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.Syncing.exe.b20000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.Syncing.exe.b20000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa2bb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Syncing.exe.2f33cc8.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Syncing.exe.2f33cc8.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x84bb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.Syncing.exe.2f33cc8.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.Syncing.exe.2f33cc8.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
Click to see the 1 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\Syncing.exe", ParentImage: C:\Users\user\Desktop\Syncing.exe, ParentProcessId: 6636, ParentProcessName: Syncing.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit, ProcessId: 1732, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1732, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' , ProcessId: 1136, ProcessName: schtasks.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Syncing.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\sync.exe

Avira: detection malicious, Label: HEUR/AGEN.1305769

Found malware configuration

Source: Syncing.exe

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "185.223.30.86", "Ports": "8808", "Version": "0.5.8", "Autorun": "true", "Install_Folder": "sync.exe", "Install_File": "MXJqU29ldW05YjhLOHFNZkw0alFDUHd5NzFCUnlJU08="}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\sync.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Roaming\sync.exe	Virustotal: Detection: 72%			Perma Link

Multi AV Scanner detection for submitted file

Source: Syncing.exe	ReversingLabs: Detection: 86%
Source: Syncing.exe	Virustotal: Detection: 72%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\sync.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Syncing.exe

Joe Sandbox ML: detected

Source: Syncing.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Syncing.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Yara detected Generic Downloader

Source: Yara match	File source: Syncing.exe, type: SAMPLE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED

Source: global traffic

TCP traffic: 192.168.2.4:49734 -> 185.223.30.86:8808

Source: Joe Sandbox View

ASN Name: COMBAHTONcombahtonGmbHDE COMBAHTONcombahtonGmbHDE

Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86
Source: unknown	TCP traffic detected without corresponding DNS query: 185.223.30.86

Source: Syncing.exe, 00000000.00000002.1788872152.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, sync.exe, 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp

String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: Syncing.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED

Operating System Destruction

Protects its processes via BreakOnTermination flag

Source: C:\Users\user\Desktop\Syncing.exe	Process information set: 00 00 00 00			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: 01 00 00 00			Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: Syncing.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\Syncing.exe	Code function: 0_2_02DB5B20	0_2_02DB5B20
Source: C:\Users\user\Desktop\Syncing.exe	Code function: 0_2_02DB4088	0_2_02DB4088
Source: C:\Users\user\Desktop\Syncing.exe	Code function: 0_2_02DB4958	0_2_02DB4958
Source: C:\Users\user\Desktop\Syncing.exe	Code function: 0_2_02DB2AB4	0_2_02DB2AB4
Source: C:\Users\user\Desktop\Syncing.exe	Code function: 0_2_02DB3D40	0_2_02DB3D40
Source: C:\Users\user\AppData\Roaming\sync.exe	Code function: 7_2_02C35B20	7_2_02C35B20
Source: C:\Users\user\AppData\Roaming\sync.exe	Code function: 7_2_02C34088	7_2_02C34088
Source: C:\Users\user\AppData\Roaming\sync.exe	Code function: 7_2_02C34958	7_2_02C34958
Source: C:\Users\user\AppData\Roaming\sync.exe	Code function: 7_2_02C33D40	7_2_02C33D40

Source: Syncing.exe, 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDownload ManagerB vs Syncing.exe
Source: Syncing.exe, 00000000.00000000.1678313446.0000000000B2E000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDownload ManagerB vs Syncing.exe
Source: Syncing.exe	Binary or memory string: OriginalFilenameDownload ManagerB vs Syncing.exe

Source: Syncing.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Syncing.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: Syncing.exe, ZGHnfoXLsxbqln.cs	Base64 encoded string: 'q8wqXVt2Ap2mqYGpAZZNFYgR6+uaM1J0hlblg7zBt6qED6gtUJUzArfhpzQ1HEp4MHV0wRKRrYFRtALAekunhg==', 'phv9ZfXpwH0rgPW/vTk2gDnvkQyqjPyk4aVoLEFM4Dqm6jaf1X8dQ2UifLZxyJWOuvwpvtWAw91PPchQ6871vg==', 'TdgxxRJ4P43LswZU3qtgv2wMnb7y/pax3nlc3bECDbMzpG4xme0VQxvJdIKMZn1T4q7N6xhoSUWWN4lFbjMMYNPyLQrL8ol3rMRNUJtX8GgyKECVo84uF1bN7jlrUel5ZRc0Oxt9s+c00oL0xOapZkpxiDef1WLrZbowAbs4/A58LWgzBv23V2vEXmb36ZN/O62QfNnxd3IRtmmMcfoCvV7BVAuS0Bp3VD+G2EwOZ00/RAEYUuBaamZnaAYYUe33/ZfR+Zc1WTHs7Fs/e7XD0dr3PN5kBQC4UHDXo7ke2KNb/Ollc93qiSmaDDmWYLufDSIre1T6K7iinjqsS9QnbH+UeWuYUPHl9XZgxIloDnCsjnP5/eGpGOn9WDHHkglbtCQtq/Vo3vB/zMtS3YwmP38MrN2cYY3QankiYpDFCk6EzZ0sFV99WF+kHfuA2tXJBkr9WRw5MzpZusDrrtUVZ/ZQIyqtaXSfBzcG8CC44VyRo8QdR02s24MMTSagPVlscGulsQfFJtR2aP4V4sDr3yW8YQaw14eJUf+tDdewqkZ3NqpnpfuXzp9d/cuz0hEmzS0rC19zWBmwb3v6CF5chv6eJFfrHRHQFI4fXwes9rUixs803h7G3t4+D6GAE2AyG1e+CIE3+BfCcbaM/uFLb+bChGF2B09jUTgGx4+pl5XQlqXm56028B2rVM09um+brfC6Y5UMRgX9i9mSpn+eGvu8rhp2mli1pFsZ49xJgFqTWeQ5xD0I+NHj9BhL0o2yM+GRnqL/244uZ8LSY+LK9b5MvAhpdrTkNJHt73livoRYPyf0Ae+gvIR+v6XtxQC8tmUNVUi5j8xryVazYpXNMmeIjb28Ykewnqh1UBynUANJnrJHTLo76NoQgva0DARnLzJj3Gh+wn3lfSd6vjx6eAyQRyKxwmslreCLYKJFKTYSM6oDqFGYQL44xvVyFQN5+cg5pjX0HCmgLNoxm9XDBA==', '/ascAunRdcU6I39yK7KicfEEv6lskUVFdvJHFrMPQBND6gPGUN87fIrTPbdRk04fzoH+U2O98wMBZ0oSd7zEeQ==', 'YSDNCIShhxXsTasiLiglxLbwQfNeodkOrENTvWt+hzqPSZ5ISNHd5+MU4Wcdm5Ytlnx0zLwGBZ1B/r195SBjNw=='
Source: sync.exe.0.dr, ZGHnfoXLsxbqln.cs	Base64 encoded string: 'q8wqXVt2Ap2mqYGpAZZNFYgR6+uaM1J0hlblg7zBt6qED6gtUJUzArfhpzQ1HEp4MHV0wRKRrYFRtALAekunhg==', 'phv9ZfXpwH0rgPW/vTk2gDnvkQyqjPyk4aVoLEFM4Dqm6jaf1X8dQ2UifLZxyJWOuvwpvtWAw91PPchQ6871vg==', 'TdgxxRJ4P43LswZU3qtgv2wMnb7y/pax3nlc3bECDbMzpG4xme0VQxvJdIKMZn1T4q7N6xhoSUWWN4lFbjMMYNPyLQrL8ol3rMRNUJtX8GgyKECVo84uF1bN7jlrUel5ZRc0Oxt9s+c00oL0xOapZkpxiDef1WLrZbowAbs4/A58LWgzBv23V2vEXmb36ZN/O62QfNnxd3IRtmmMcfoCvV7BVAuS0Bp3VD+G2EwOZ00/RAEYUuBaamZnaAYYUe33/ZfR+Zc1WTHs7Fs/e7XD0dr3PN5kBQC4UHDXo7ke2KNb/Ollc93qiSmaDDmWYLufDSIre1T6K7iinjqsS9QnbH+UeWuYUPHl9XZgxIloDnCsjnP5/eGpGOn9WDHHkglbtCQtq/Vo3vB/zMtS3YwmP38MrN2cYY3QankiYpDFCk6EzZ0sFV99WF+kHfuA2tXJBkr9WRw5MzpZusDrrtUVZ/ZQIyqtaXSfBzcG8CC44VyRo8QdR02s24MMTSagPVlscGulsQfFJtR2aP4V4sDr3yW8YQaw14eJUf+tDdewqkZ3NqpnpfuXzp9d/cuz0hEmzS0rC19zWBmwb3v6CF5chv6eJFfrHRHQFI4fXwes9rUixs803h7G3t4+D6GAE2AyG1e+CIE3+BfCcbaM/uFLb+bChGF2B09jUTgGx4+pl5XQlqXm56028B2rVM09um+brfC6Y5UMRgX9i9mSpn+eGvu8rhp2mli1pFsZ49xJgFqTWeQ5xD0I+NHj9BhL0o2yM+GRnqL/244uZ8LSY+LK9b5MvAhpdrTkNJHt73livoRYPyf0Ae+gvIR+v6XtxQC8tmUNVUi5j8xryVazYpXNMmeIjb28Ykewnqh1UBynUANJnrJHTLo76NoQgva0DARnLzJj3Gh+wn3lfSd6vjx6eAyQRyKxwmslreCLYKJFKTYSM6oDqFGYQL44xvVyFQN5+cg5pjX0HCmgLNoxm9XDBA==', '/ascAunRdcU6I39yK7KicfEEv6lskUVFdvJHFrMPQBND6gPGUN87fIrTPbdRk04fzoH+U2O98wMBZ0oSd7zEeQ==', 'YSDNCIShhxXsTasiLiglxLbwQfNeodkOrENTvWt+hzqPSZ5ISNHd5+MU4Wcdm5Ytlnx0zLwGBZ1B/r195SBjNw=='
Source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, ZGHnfoXLsxbqln.cs	Base64 encoded string: 'q8wqXVt2Ap2mqYGpAZZNFYgR6+uaM1J0hlblg7zBt6qED6gtUJUzArfhpzQ1HEp4MHV0wRKRrYFRtALAekunhg==', 'phv9ZfXpwH0rgPW/vTk2gDnvkQyqjPyk4aVoLEFM4Dqm6jaf1X8dQ2UifLZxyJWOuvwpvtWAw91PPchQ6871vg==', 'TdgxxRJ4P43LswZU3qtgv2wMnb7y/pax3nlc3bECDbMzpG4xme0VQxvJdIKMZn1T4q7N6xhoSUWWN4lFbjMMYNPyLQrL8ol3rMRNUJtX8GgyKECVo84uF1bN7jlrUel5ZRc0Oxt9s+c00oL0xOapZkpxiDef1WLrZbowAbs4/A58LWgzBv23V2vEXmb36ZN/O62QfNnxd3IRtmmMcfoCvV7BVAuS0Bp3VD+G2EwOZ00/RAEYUuBaamZnaAYYUe33/ZfR+Zc1WTHs7Fs/e7XD0dr3PN5kBQC4UHDXo7ke2KNb/Ollc93qiSmaDDmWYLufDSIre1T6K7iinjqsS9QnbH+UeWuYUPHl9XZgxIloDnCsjnP5/eGpGOn9WDHHkglbtCQtq/Vo3vB/zMtS3YwmP38MrN2cYY3QankiYpDFCk6EzZ0sFV99WF+kHfuA2tXJBkr9WRw5MzpZusDrrtUVZ/ZQIyqtaXSfBzcG8CC44VyRo8QdR02s24MMTSagPVlscGulsQfFJtR2aP4V4sDr3yW8YQaw14eJUf+tDdewqkZ3NqpnpfuXzp9d/cuz0hEmzS0rC19zWBmwb3v6CF5chv6eJFfrHRHQFI4fXwes9rUixs803h7G3t4+D6GAE2AyG1e+CIE3+BfCcbaM/uFLb+bChGF2B09jUTgGx4+pl5XQlqXm56028B2rVM09um+brfC6Y5UMRgX9i9mSpn+eGvu8rhp2mli1pFsZ49xJgFqTWeQ5xD0I+NHj9BhL0o2yM+GRnqL/244uZ8LSY+LK9b5MvAhpdrTkNJHt73livoRYPyf0Ae+gvIR+v6XtxQC8tmUNVUi5j8xryVazYpXNMmeIjb28Ykewnqh1UBynUANJnrJHTLo76NoQgva0DARnLzJj3Gh+wn3lfSd6vjx6eAyQRyKxwmslreCLYKJFKTYSM6oDqFGYQL44xvVyFQN5+cg5pjX0HCmgLNoxm9XDBA==', '/ascAunRdcU6I39yK7KicfEEv6lskUVFdvJHFrMPQBND6gPGUN87fIrTPbdRk04fzoH+U2O98wMBZ0oSd7zEeQ==', 'YSDNCIShhxXsTasiLiglxLbwQfNeodkOrENTvWt+hzqPSZ5ISNHd5+MU4Wcdm5Ytlnx0zLwGBZ1B/r195SBjNw=='

Source: Syncing.exe, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Syncing.exe, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: sync.exe.0.dr, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: sync.exe.0.dr, TbRQQkosQKU.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.evad.winEXE@15/5@0/1

Source: C:\Users\user\Desktop\Syncing.exe

File created: C:\Users\user\AppData\Roaming\sync.exe

Jump to behavior

Source: C:\Users\user\AppData\Roaming\sync.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4948:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Users\user\AppData\Roaming\sync.exe	Mutant created: \Sessions\1\BaseNamedObjects\GfuQDRCNZd5L

Source: C:\Users\user\Desktop\Syncing.exe

File created: C:\Users\user\AppData\Local\Temp\tmp3869.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat""

Source: Syncing.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Syncing.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Syncing.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Syncing.exe	ReversingLabs: Detection: 86%
Source: Syncing.exe	Virustotal: Detection: 72%

Source: C:\Users\user\Desktop\Syncing.exe

File read: C:\Users\user\Desktop\Syncing.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Syncing.exe "C:\Users\user\Desktop\Syncing.exe"
Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\sync.exe C:\Users\user\AppData\Roaming\sync.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sync.exe "C:\Users\user\AppData\Roaming\sync.exe"
Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sync.exe "C:\Users\user\AppData\Roaming\sync.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Section loaded: msasn1.dll	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Syncing.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Syncing.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: Syncing.exe, DUCuzeDxmheejU.cs	High entropy of concatenated method names: 'QQGxoZCOOnSN', 'zOoKxGiKMMphox', 'EAkYuKwgIKUsWHZ', 'EQxqjCAoKPVuuil', 'YAAVbcXLIiC', 'USMZOJpflIF', 'QFsjYeaGPeXm', 'nvpgVMNaNYV', 'TBAAyzJfuLvroylVc', 'eaawCunacKO'
Source: sync.exe.0.dr, DUCuzeDxmheejU.cs	High entropy of concatenated method names: 'QQGxoZCOOnSN', 'zOoKxGiKMMphox', 'EAkYuKwgIKUsWHZ', 'EQxqjCAoKPVuuil', 'YAAVbcXLIiC', 'USMZOJpflIF', 'QFsjYeaGPeXm', 'nvpgVMNaNYV', 'TBAAyzJfuLvroylVc', 'eaawCunacKO'
Source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, DUCuzeDxmheejU.cs	High entropy of concatenated method names: 'QQGxoZCOOnSN', 'zOoKxGiKMMphox', 'EAkYuKwgIKUsWHZ', 'EQxqjCAoKPVuuil', 'YAAVbcXLIiC', 'USMZOJpflIF', 'QFsjYeaGPeXm', 'nvpgVMNaNYV', 'TBAAyzJfuLvroylVc', 'eaawCunacKO'

Source: C:\Users\user\Desktop\Syncing.exe

File created: C:\Users\user\AppData\Roaming\sync.exe

Jump to dropped file

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: Syncing.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"'

Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: Syncing.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Syncing.exe, sync.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Syncing.exe	Memory allocated: 2D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Memory allocated: 2DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Memory allocated: 4DF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: 2C30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: 2C70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: C00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: 28C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Memory allocated: 26F0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\AppData\Roaming\sync.exe

Window / User API: threadDelayed 786

Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe TID: 6572	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe TID: 6760	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\sync.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\sync.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Syncing.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: sync.exe.0.dr	Binary or memory string: vmware
Source: sync.exe, 00000007.00000002.2923560400.0000000000F56000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\Syncing.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\Syncing.exe

Code function: 0_2_02DB2D4C CheckRemoteDebuggerPresent,

0_2_02DB2D4C

Source: C:\Users\user\Desktop\Syncing.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\sync.exe "C:\Users\user\AppData\Roaming\sync.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe	Queries volume information: C:\Users\user\Desktop\Syncing.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Syncing.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Queries volume information: C:\Users\user\AppData\Roaming\sync.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\sync.exe	Queries volume information: C:\Users\user\AppData\Roaming\sync.exe VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Syncing.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: Syncing.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Syncing.exe.b20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Syncing.exe.2f33cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Syncing.exe PID: 6636, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: sync.exe PID: 1804, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\sync.exe, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	321 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Scheduled Task/Job	1 Scripting	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 DLL Side-Loading	51 Virtualization/Sandbox Evasion	Security Account Manager	51 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Syncing.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
Syncing.exe	72%	Virustotal		Browse
Syncing.exe	100%	Avira	HEUR/AGEN.1305769
Syncing.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\sync.exe	100%	Avira	HEUR/AGEN.1305769
C:\Users\user\AppData\Roaming\sync.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\sync.exe	87%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
C:\Users\user\AppData\Roaming\sync.exe	72%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Syncing.exe, 00000000.00000002.1788872152.0000000002F29000.00000004.00000800.00020000.00000000.sdmp, sync.exe, 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.223.30.86	unknown	Germany		30823	COMBAHTONcombahtonGmbHDE	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1578700
Start date and time:	2024-12-20 07:00:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Syncing.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@15/5@0/1
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 28 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target sync.exe, PID 2200 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
06:01:10	Task Scheduler	Run new task: sync path: "C:\Users\user\AppData\Roaming\sync.exe"

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
COMBAHTONcombahtonGmbHDE	l4.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	l4.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	client.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	client.exe	Get hash	malicious	Unknown	Browse	194.59.30.220
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Shipping Bill No6239999Dt09122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Shipping Bill6239999 dated 13122024.PDF.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	194.59.30.164
	Support.ClientSetup.exe	Get hash	malicious	ScreenConnect Tool	Browse	194.59.31.27
	Counseling_Services_Overview.docm	Get hash	malicious	Unknown	Browse	45.147.231.195
	Nowe zam#U00f3wienie - 0072291855.pdf (243KB).com.exe	Get hash	malicious	Quasar	Browse	194.59.31.75

Process:	C:\Users\user\Desktop\Syncing.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	739
Entropy (8bit):	5.348505694476449
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
MD5:	A65F13C4355387C4645D260206AE915F
SHA1:	F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
SHA-256:	DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
SHA-512:	0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
Malicious:	true
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sync.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\sync.exe
File Type:	Unknown
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat

Download File

Process:	C:\Users\user\Desktop\Syncing.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	148
Entropy (8bit):	5.0713616596571525
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5ot+kiEaKC5ZEymqRDt+kiE2J5xAInTRI8dQLazVZPy:hWKqTtT6wknaZ5Wymq1wkn23fTd6Laze
MD5:	F637EF12DA9C10D79F7B8E13F84C2AF0
SHA1:	45B7903F128A97A8FE98A2A67F8910466E1FC291
SHA-256:	1B335A01FD69713D537D6B81450F44690723A5C521F4786409AE152200B2D2A7
SHA-512:	4701AD308A402A0A6EA492E4F80AA1C7532765EA7537E2F00DB5A3E6237192D81E2FEC9F381001A3E0EBA6880EE9E9159B46726B4A3716602A7CA647BF7133CC
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\sync.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp3869.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\sync.exe

Download File

Process:	C:\Users\user\Desktop\Syncing.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.561548387804963
Encrypted:	false
SSDEEP:	768:qu6XdTvER+SWUk6P4mo2qbUiZtX1uSK7PIk+BeNJN6U0br+UZToANniLlU09kDTU:qu6XdTv2S2K1yEk+yJCbr+mBipU09Wd0
MD5:	6CF60CEB94A75A9FD3EF42EF53CECD12
SHA1:	21E27216F1CBC2F707E922E0238A21AECAE5B0FD
SHA-256:	71AD0A40822AA8637E09F788EFB4B8C11A151497F624947AF9DA9CB03BD8BBD8
SHA-512:	9A2C23A7BCD6DF0E44CCD1B4F43C9FF64640143974FF00381979F80101270C66B386C55709F4392638E51ABEF47DEBD40E1605E78B213BEF0BA59B4D49B22236
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 87% Antivirus: Virustotal, Detection: 72%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e................................. ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...$.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y...u.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...VrH%.p~....(o....#....s...

\Device\Null

Download File

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.561548387804963
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Syncing.exe
File size:	49'152 bytes
MD5:	6cf60ceb94a75a9fd3ef42ef53cecd12
SHA1:	21e27216f1cbc2f707e922e0238a21aecae5b0fd
SHA256:	71ad0a40822aa8637e09f788efb4b8c11a151497f624947af9da9cb03bd8bbd8
SHA512:	9a2c23a7bcd6df0e44ccd1b4f43c9ff64640143974ff00381979f80101270c66b386c55709f4392638e51abef47debd40e1605e78b213bef0ba59b4d49b22236
SSDEEP:	768:qu6XdTvER+SWUk6P4mo2qbUiZtX1uSK7PIk+BeNJN6U0br+UZToANniLlU09kDTU:qu6XdTv2S2K1yEk+yJCbr+mBipU09Wd0
TLSH:	F1232C003BE9812BF27E4F78ADF26145867BB6633603D58E1CC451D75623FC68A426FA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x40d01e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xcfc4	0x57	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x880	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb024	0xb200	548091185e4f4e650a00997bdea6b79a	False	0.539940308988764	data	5.606077398158453	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x880	0xa00	313d53224ef917197475e2770c0b9f42	False	0.3515625	data	5.099912156790086	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	0ab1987f7b2aee33082464174b9f71ea	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0xe0a0	0x34c	data			0.3862559241706161
RT_MANIFEST	0xe3ec	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 20, 2024 07:01:21.589097023 CET	49734	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:21.708687067 CET	8808	49734	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:21.708791971 CET	49734	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:21.721199036 CET	49734	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:21.840858936 CET	8808	49734	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:22.779968023 CET	8808	49734	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:22.780081034 CET	49734	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:27.823035955 CET	49734	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:27.823491096 CET	49737	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:27.943192959 CET	8808	49734	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:27.943399906 CET	8808	49737	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:27.943474054 CET	49737	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:27.944165945 CET	49737	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:28.063720942 CET	8808	49737	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:49.861293077 CET	8808	49737	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:49.861479998 CET	49737	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:54.869790077 CET	49737	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:54.870201111 CET	49738	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:54.989507914 CET	8808	49737	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:54.989866018 CET	8808	49738	185.223.30.86	192.168.2.4
Dec 20, 2024 07:01:54.989989042 CET	49738	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:54.990386963 CET	49738	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:01:55.110081911 CET	8808	49738	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:16.906511068 CET	8808	49738	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:16.906650066 CET	49738	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:21.916738987 CET	49738	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:21.917222977 CET	49791	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:22.036731005 CET	8808	49738	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:22.036984921 CET	8808	49791	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:22.037096977 CET	49791	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:22.037522078 CET	49791	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:22.157321930 CET	8808	49791	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:32.134787083 CET	8808	49791	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:32.135380030 CET	49791	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:37.152481079 CET	49791	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:37.153512955 CET	49826	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:37.271996975 CET	8808	49791	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:37.273056030 CET	8808	49826	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:37.273155928 CET	49826	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:37.273488045 CET	49826	8808	192.168.2.4	185.223.30.86
Dec 20, 2024 07:02:37.395276070 CET	8808	49826	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:59.225522041 CET	8808	49826	185.223.30.86	192.168.2.4
Dec 20, 2024 07:02:59.225595951 CET	49826	8808	192.168.2.4	185.223.30.86

Target ID:	0
Start time:	01:00:58
Start date:	20/12/2024
Path:	C:\Users\user\Desktop\Syncing.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Syncing.exe"
Imagebase:	0xb20000
File size:	49'152 bytes
MD5 hash:	6CF60CEB94A75A9FD3EF42EF53CECD12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1678313446.0000000000B22000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1788872152.0000000002DF1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1788872152.0000000002F33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"' & exit
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat""
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "sync" /tr '"C:\Users\user\AppData\Roaming\sync.exe"'
Imagebase:	0xd10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	01:01:09
Start date:	20/12/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x820000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	01:01:10
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\sync.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\sync.exe
Imagebase:	0xb20000
File size:	49'152 bytes
MD5 hash:	6CF60CEB94A75A9FD3EF42EF53CECD12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2924589921.0000000002E8D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\sync.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 87%, ReversingLabs Detection: 72%, Virustotal, Browse
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	01:01:12
Start date:	20/12/2024
Path:	C:\Users\user\AppData\Roaming\sync.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\sync.exe"
Imagebase:	0x150000
File size:	49'152 bytes
MD5 hash:	6CF60CEB94A75A9FD3EF42EF53CECD12
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	15.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	16.7%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 02DB5B20 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$kq, xrefs: 02DB5C0E
Xoq, xrefs: 02DB5C27

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID:
String ID: Xoq$$kq
API String ID: 0-227003152
Opcode ID: cb1f6c9b82c57da8a3b2073adeb6049dcbce08128ecf0939c19b09f194d2eaa6
Instruction ID: 3ff12929c16a39ef28d3100948f8ec9ec0aca22db1ca48362b359f1f62bbe74d
Opcode Fuzzy Hash: cb1f6c9b82c57da8a3b2073adeb6049dcbce08128ecf0939c19b09f194d2eaa6
Instruction Fuzzy Hash: B5B1B374B04214CBDB19AB79A5642BEBBB7BFC8700B54882ED547D7398DE34CC028791

Function 02DB2D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02DB532F

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 10279815130b64570e0a96aa2ed159d2826ea010907e7065890168c567f505fc
Instruction ID: b3b7443478e60be8d3f8a1a8fb29a6dc908e204a79356c81eab9ef563acd16f1
Opcode Fuzzy Hash: 10279815130b64570e0a96aa2ed159d2826ea010907e7065890168c567f505fc
Instruction Fuzzy Hash: 652136B1901259CFCB10CF9AD444BEEBBF4EF49320F14846AE899A7350D778A944CFA1

Function 02DB4088 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vkm, xrefs: 02DB433F

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID:
String ID: \Vkm
API String ID: 0-2107937421
Opcode ID: 6e88e1d94f5d20f7c2d4d3f57e69a46c7bad43bdee7c83a26285c3df98150152
Instruction ID: 16fadd5cd671b9e5ea8bd0d5138a17794021647932fe141daf3b95c59b2d9316
Opcode Fuzzy Hash: 6e88e1d94f5d20f7c2d4d3f57e69a46c7bad43bdee7c83a26285c3df98150152
Instruction Fuzzy Hash: 2BB16B70E00209DFDB11CFA9D9A57EEBBF2AF88304F148129D856A7395EB749841CF81

Function 02DB4958 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3809fb7b806d8932b982f406811a482aec0d93327d3f541e839ba9d221865e5
Instruction ID: a5b7ec48632dbbb96c99eeba55b36ba062748d2881a0d0afd74ca6b24ef4f61d
Opcode Fuzzy Hash: b3809fb7b806d8932b982f406811a482aec0d93327d3f541e839ba9d221865e5
Instruction Fuzzy Hash: D4B17C70E00209CFDB11CFA9C9A57EDBBF2AF88718F148129D416A7395EB349C45CB95

Function 02DB52B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02DB532F

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 7f20dbfb5d323cf032552f979f305e964e882a1e2f1626e7e4898bd176263db0
Instruction ID: 58d475b261be51a4a73a90f97a4b8dc0ce070ecf2329521a03507bfea240d255
Opcode Fuzzy Hash: 7f20dbfb5d323cf032552f979f305e964e882a1e2f1626e7e4898bd176263db0
Instruction Fuzzy Hash: 592136B1900259CFCB10CF9AD884BEEBBF4EF48320F14846AE455A3350D778A944CF61

Function 02DB6A19 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02DB6A85

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: c763ac69762cdb051afb04c58357477240ed3a5b5eec7523c455a964f70b151c
Instruction ID: 637da0d539bc8d8344e78e2cda201d2effbb5644cc68b9d26029022280150083
Opcode Fuzzy Hash: c763ac69762cdb051afb04c58357477240ed3a5b5eec7523c455a964f70b151c
Instruction Fuzzy Hash: 331125B5900249CFCB20DF9AC984BDEBFF4EB88314F208019D559A7350C334A944CFA5

Function 02DB6A20 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02DB6A85

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 15eb3b2b3a083b1742d8e22ee72a674c5ebea8456e56a23c64585984ed359f6f
Instruction ID: 8a780482235e83cf2f8d0615e5ac4c8b266697119227384c7d80a5db755174f0
Opcode Fuzzy Hash: 15eb3b2b3a083b1742d8e22ee72a674c5ebea8456e56a23c64585984ed359f6f
Instruction Fuzzy Hash: 8C11F2B5904249CFCB20DF9AC984BDEBFF8EB49324F208429D559A7350C774A984CFA5

Non-executed Functions

Function 02DB3D40 Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

\Vkm, xrefs: 02DB3F8B

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID:
String ID: \Vkm
API String ID: 0-2107937421
Opcode ID: 2e3b1be191828fea98cc075f60009a9e34deabc7e3f1b9599274004c2a95d213
Instruction ID: c20e26413b29522d02a1824639adae46f260f00fdc63c73753a789312b4fbedd
Opcode Fuzzy Hash: 2e3b1be191828fea98cc075f60009a9e34deabc7e3f1b9599274004c2a95d213
Instruction Fuzzy Hash: 05916C70E00209DFDB51CFA9C9A57DEBBF2AF48314F248129E416A7394EB349C45DB91

Function 02DB2AB4 Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1788788580.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_Syncing.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94acb6414bce58d30fdd4030008ec9256af4364b724f85ad02a0e3e96fbbd300
Instruction ID: 4889a6ae32335018e11724a980bd5929b9be32ec542be284f296638d4a9898e0
Opcode Fuzzy Hash: 94acb6414bce58d30fdd4030008ec9256af4364b724f85ad02a0e3e96fbbd300
Instruction Fuzzy Hash: 0651015244EBD25FD3039BB899B41C07F70AE032A476A40E7C8C1CB1A7E9594D4BD7B6

Analysis Process: sync.exePID: 1804, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	18
Total number of Limit Nodes:	0

Executed Functions

Function 02C352B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02C3532F

Memory Dump Source

Source File: 00000007.00000002.2924483431.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c30000_sync.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 5645bf3fd08477a7153a7209adb445dcf78762c7d94193db20fe34d69a3cd690
Instruction ID: 18f95bc757704a0a3020b0dd3b6277a8792c9b68973fe8f7ccf644e5582ec84b
Opcode Fuzzy Hash: 5645bf3fd08477a7153a7209adb445dcf78762c7d94193db20fe34d69a3cd690
Instruction Fuzzy Hash: FB2148B1900259CFCB10CF9AD484BEEBBF4EF48320F14846AE459B3250D778AA44CF65

Function 02C32D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 02C3532F

Memory Dump Source

Source File: 00000007.00000002.2924483431.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c30000_sync.jbxd

Similarity

API ID: CheckDebuggerPresentRemote
String ID:
API String ID: 3662101638-0
Opcode ID: 9db3d9bd29c2b54569d820232df018b64e3134ca849a7ad31958a233a110feb5
Instruction ID: d4c2aeef9faa3aa4f5b3275c75bc82427e978cbf4cf62b631ac29e4d5cbf47d3
Opcode Fuzzy Hash: 9db3d9bd29c2b54569d820232df018b64e3134ca849a7ad31958a233a110feb5
Instruction Fuzzy Hash: 782136B19012598FCB10DF9AC444BEEBBF4AF49320F14846AE859B7250D778AA44CFA5

Function 02C369C0 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02C36A2D

Memory Dump Source

Source File: 00000007.00000002.2924483431.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c30000_sync.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: f4c0db59b536d703fbb271c229126c817f661dd38e248669b1ec40a10aba5264
Instruction ID: 1be959870bdcecd881b35af8e52b9bb3ac79f041df4a7e7a6634864f5c05208c
Opcode Fuzzy Hash: f4c0db59b536d703fbb271c229126c817f661dd38e248669b1ec40a10aba5264
Instruction Fuzzy Hash: 5A1125B1900248DFCB20DF9AC844BDEBFF4FB88314F208429D559A7210C335AA40CFA5

Function 02C369C8 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 02C36A2D

Memory Dump Source

Source File: 00000007.00000002.2924483431.0000000002C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2c30000_sync.jbxd

Similarity

API ID: CriticalProcess
String ID:
API String ID: 2695349919-0
Opcode ID: 09f8dc7087bc52db83345e2921954ba623fd416438c969f6148a174a813b62e8
Instruction ID: 3fdc356e8b8a38acce613b5935d2ab472af421909447eca7ee19a5531dfa17b9
Opcode Fuzzy Hash: 09f8dc7087bc52db83345e2921954ba623fd416438c969f6148a174a813b62e8
Instruction Fuzzy Hash: FE1103B5900248DFCB20DF9AC984BDEBFF4EB88324F208429D559A7250C775A944CFA5

Function 011DD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2924159436.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d264f4ce7a92bb44ab3aeeaed6174d1cf1bb808b5c3382261a36952fa3a2091
Instruction ID: 2e08b3d4776c5c336d3eb3e52b5b96fb77e0eccfd370703f301113b10d77ffd4
Opcode Fuzzy Hash: 6d264f4ce7a92bb44ab3aeeaed6174d1cf1bb808b5c3382261a36952fa3a2091
Instruction Fuzzy Hash: 41210671544200DFDF09DF98E9C0B26BF75FB84318F60C169E9094A296C336D455C7A2

Function 011ED0EC Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2924217563.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11ed000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 022d7f6149607f15d2426cdedbb30a67ae2ca8b89ba2a0902a7f8666a6cfdc39
Instruction ID: 8448706ff71dd5cac57c54d34122ac3891cc88d95a43953dc777ffd001041ea9
Opcode Fuzzy Hash: 022d7f6149607f15d2426cdedbb30a67ae2ca8b89ba2a0902a7f8666a6cfdc39
Instruction Fuzzy Hash: 82210475644600EFDF09DF98E9C8B26BBE5FB84314F24C56DD8094B256C336D446CBA2

Function 011DD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2924159436.00000000011DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011DD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11dd000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: 833f3ff886c67a71dd2d23a638e64791b636eac013d62135bee0cb5bfaf6518b
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6F11AF76504240DFDF16CF58D9C4B16BF71FB84324F24C5A9D9094B256C336D45ACBA2

Function 011ED0E7 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2924217563.00000000011ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 011ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_11ed000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction ID: f474b90b67111d244df5fd1565c62f60450b64a8e4c21d4b7fcf522b1975a1f7
Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
Instruction Fuzzy Hash: 37119075504640DFDB0ACF94D9C8B15FFB1FB44314F24C6A9D8494B656C33AD44ACB91

Analysis Process: sync.exePID: 2200, Parent PID: 5316COMMON

Executed Functions

Function 00C00EBA Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

(oq, xrefs: 00C01192
Tekq, xrefs: 00C00EED

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID: (oq$Tekq
API String ID: 0-1772506348
Opcode ID: 8fa508af334242dfbc20c60d0fee27a222e7095c73a5706a0712392029c91626
Instruction ID: fd67d3da281dc6bffc209f0844ce08ee2a86730ecf5f8586ec687a452ee7928c
Opcode Fuzzy Hash: 8fa508af334242dfbc20c60d0fee27a222e7095c73a5706a0712392029c91626
Instruction Fuzzy Hash: 2A516935B001148FCB54DF69C458B6EBBF6EF89700F2581A9E906EB3A5CA71ED01CB90

Function 00C00D20 Relevance: 2.6, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

Hoq, xrefs: 00C00E40
dLqq, xrefs: 00C00D5B

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID: Hoq$dLqq
API String ID: 0-1323869633
Opcode ID: 6868b7a856faca56a22f8e300bf180d7d1614700817636c089e722706954edc3
Instruction ID: 614852670b693aed027fd8e7ccf73bf79fe5c8b44c9a70219ae9a3e5654bd9f7
Opcode Fuzzy Hash: 6868b7a856faca56a22f8e300bf180d7d1614700817636c089e722706954edc3
Instruction Fuzzy Hash: BF41E331B042048FCB14DF69D454BAEBBF6BF88300F2545AAE505EB3A2CA75DD05CB90

Function 00C01339 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

LRkq, xrefs: 00C0138B

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID: LRkq
API String ID: 0-1052062081
Opcode ID: b9f3ba168037a27e479d62743a73a79aee3f803a682d6a2a075a7d56c274547c
Instruction ID: 7de56d9160f23e4a96f01afae6ef548b8ed8ffef05d4f3279bbaad160188ec58
Opcode Fuzzy Hash: b9f3ba168037a27e479d62743a73a79aee3f803a682d6a2a075a7d56c274547c
Instruction Fuzzy Hash: 5631E174F002168FCB14AB7C9591A6EBBF6EFC9310B18416EE906DB3A9DE308D01C791

Function 00C00D10 Relevance: 1.3, Strings: 1, Instructions: 88COMMON

Download Yara Rule

Strings

dLqq, xrefs: 00C00D5B

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID: dLqq
API String ID: 0-4255564529
Opcode ID: b30514ae57c455347d846ab717506aad19c8122702fd04b906f049c1d2d8918a
Instruction ID: 67915d0ac6d8330a93805ef9bddba70edcdb7e13e27cdff23cc18f084b4c9b78
Opcode Fuzzy Hash: b30514ae57c455347d846ab717506aad19c8122702fd04b906f049c1d2d8918a
Instruction Fuzzy Hash: DE318575A04204CFCB14DF69C598B9EBBF2BF48300F25856AE501AB3A1CB75ED44CB91

Function 00C00E3F Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hoq, xrefs: 00C00E40

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID: Hoq
API String ID: 0-3049094369
Opcode ID: abfcae1737a5502d0e14de7eb73a80ba7239eca427d124b4c4c7a3ef957f5941
Instruction ID: 6420ac670beb4875b51fa3bc8d19485a9987f748df122eae7c1a2ebf334f927d
Opcode Fuzzy Hash: abfcae1737a5502d0e14de7eb73a80ba7239eca427d124b4c4c7a3ef957f5941
Instruction Fuzzy Hash: C7F0F6717086904FC395A73DB464B6E2FD7AFD925072A08BEE149CB3A7DD288C068351

Function 00C00AA0 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f5b0c1fab7ed514880fea479506fde96ffb6498fd8a7d3e1dab50ceb6ecda58
Instruction ID: 0f3453d6d9206cb8c8cf5818db54f7906612f6346c9334624ca178639d918575
Opcode Fuzzy Hash: 0f5b0c1fab7ed514880fea479506fde96ffb6498fd8a7d3e1dab50ceb6ecda58
Instruction Fuzzy Hash: 0151C278660A01CFC726FF24E984A597762FF84306710C6A9D4018B36EDBB9A947CF81

Function 00C011D0 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d8a144f1b655f87cf9dba8d515d65c48a9db8a9c32db54eb426266e70e784f
Instruction ID: 8b807ac546aa70a141673ce5ff4e861978dd24846af6a0e081147abe075a757d
Opcode Fuzzy Hash: a3d8a144f1b655f87cf9dba8d515d65c48a9db8a9c32db54eb426266e70e784f
Instruction Fuzzy Hash: 4A41C270A04208AFCB04EFB9854426EFBFAFF88700F24856AD849E7345DA34ED418790

Function 00C01030 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4532a0a6df953ebbe79571162348a6111eddbd18f980ec605ffebb6005d8c0f
Instruction ID: 84867cc620641afaee4ac96284544e2a789d058f531d59038ae77d534b086c63
Opcode Fuzzy Hash: f4532a0a6df953ebbe79571162348a6111eddbd18f980ec605ffebb6005d8c0f
Instruction Fuzzy Hash: 72212B34B001049FD714DF69C955BAEBBF2BF89724F258095F902AB3E5CA719D40CB40

Function 00C00998 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eff58b235421b56c9d2705c9618b4ef5fe6e80ef6be131e3c7d3205680bbed0a
Instruction ID: 3091c95b33738733ebbff2da2022afad5b534fb0cf4e008136c1a15352f82899
Opcode Fuzzy Hash: eff58b235421b56c9d2705c9618b4ef5fe6e80ef6be131e3c7d3205680bbed0a
Instruction Fuzzy Hash: B4219F30715B429FDB65AB75A95833E3BA4AF14341F22852DD417C21D2EFB08A01EB62

Function 00C009A8 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 266ee5f2bd45fd9c47b0c7a84990698a410f1aeb3b5a47c076626365eebae023
Instruction ID: a5fcd870903cdbb39c049d3d3ee2ad7eb507a3095b7f7eef69cfc6d981b4b1cd
Opcode Fuzzy Hash: 266ee5f2bd45fd9c47b0c7a84990698a410f1aeb3b5a47c076626365eebae023
Instruction Fuzzy Hash: F8216D30711B029FDB65BB75A91836E3AA8AB04341F22852DD417C21D5EFB4CA01EB62

Function 00C01431 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec474c93ee2d3710bc377f982c53626dd6e12474068321a33878bcbebf0e6808
Instruction ID: 99c00389675679e2ab4ad8b26742c7b1063a30ba2a1dffe96047b55d31128e85
Opcode Fuzzy Hash: ec474c93ee2d3710bc377f982c53626dd6e12474068321a33878bcbebf0e6808
Instruction Fuzzy Hash: 9511E174A10700CFCB54EBB9D844A6EBBF2AF8830472544B9C806DB369EA34CC02CB90

Function 00C01440 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30df9f5d2c3321d626fea771ddbe687709f561fbe2dd6bd1d2674e7c6229355d
Instruction ID: af53fb292ce428d1979daa8c1948d83d70c3fd006f54bc3083784bc8e4669187
Opcode Fuzzy Hash: 30df9f5d2c3321d626fea771ddbe687709f561fbe2dd6bd1d2674e7c6229355d
Instruction Fuzzy Hash: 18116170B00205DFCB54EBB9D50466E77F6AF8831472444B9D805DB369EA35DD42CB90

Function 00C00E80 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1923081351.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_c00000_sync.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95369a81d2dd277448513c632ec64618c53a7e3151e16a35d08b0ced4a4f5f9b
Instruction ID: 82eda527097c576cb8bb157ca87d85dca24e53f5815165aeed52f658abdab491
Opcode Fuzzy Hash: 95369a81d2dd277448513c632ec64618c53a7e3151e16a35d08b0ced4a4f5f9b
Instruction Fuzzy Hash: 21E08C313006005FC358963EA88495AB7DAEFC81213240479E109C7325CD64CC014290

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Syncing.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Operating System Destruction

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Syncing.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\sync.exe.log

C:\Users\user\AppData\Local\Temp\tmp3869.tmp.bat

C:\Users\user\AppData\Roaming\sync.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Windows Analysis Report
Syncing.exe

Function 02DB5B20 Relevance: 2.8, Strings: 2, Instructions: 331
COMMON

Function 02DB2D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 02DB4088 Relevance: 1.5, Strings: 1, Instructions: 281
COMMON

Function 02DB52B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 02DB6A19 Relevance: 1.5, APIs: 1, Instructions: 47
COMMON

Function 02DB6A20 Relevance: 1.5, APIs: 1, Instructions: 45
COMMON

Function 02C352B0 Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 02C32D4C Relevance: 1.6, APIs: 1, Instructions: 68
COMMON

Function 02C369C0 Relevance: 1.5, APIs: 1, Instructions: 48
COMMON