Edit tour

Windows Analysis Report
EiO4tqZ3o4.exe

Overview

General Information

Sample name:	EiO4tqZ3o4.exe renamed because original name is a hash value
Original sample name:	0731d232d0af12a5320238914de6bf4a.exe
Analysis ID:	1582052
MD5:	0731d232d0af12a5320238914de6bf4a
SHA1:	41b1d57292fa942352373e587a638011893649ab
SHA256:	adc6b85fbb55624cdd9a25d9634f08d3991ac60dce86c8f3ed520a88e36371fe
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected UAC Bypass using CMSTP

.NET source code contains potential unpacker

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Disables UAC (registry)

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for sample

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file does not import any functions

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Powershell Defender Exclusion

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

EiO4tqZ3o4.exe (PID: 6836 cmdline: "C:\Users\user\Desktop\EiO4tqZ3o4.exe" MD5: 0731D232D0AF12A5320238914DE6BF4A)

powershell.exe (PID: 6168 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WmiPrvSE.exe (PID: 2664 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

RegSvcs.exe (PID: 5936 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 3332 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 3740 cmdline: C:\Windows\system32\WerFault.exe -u -p 6836 -s 1512 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"Server": "5sdf23d2sdf.ddnss.eu", "Port": "6606,7707,8808", "Version": "AWS | RxR  ", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "false"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc3c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0x277f4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x37434:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x2a6f8:$a2: Stub.exe 0x2a788:$a2: Stub.exe 0x3a338:$a2: Stub.exe 0x3a3c8:$a2: Stub.exe 0x2429e:$a3: get_ActivatePong 0x33ede:$a3: get_ActivatePong 0x27a0c:$a4: vmware 0x3764c:$a4: vmware 0x27884:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x374c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x251a1:$a6: get_SslClient 0x34de1:$a6: get_SslClient
00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x27886:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x374c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: EiO4tqZ3o4.exe PID: 6836	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: EiO4tqZ3o4.exe PID: 6836	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: EiO4tqZ3o4.exe PID: 6836	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: EiO4tqZ3o4.exe PID: 6836	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2fc2c:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: RegSvcs.exe PID: 5936	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 5936	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2b4ef:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc534:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fde:$a3: get_ActivatePong 0xc74c:$a4: vmware 0xc5c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ee1:$a6: get_SslClient
3.2.RegSvcs.exe.400000.0.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x8fde:$str01: get_ActivatePong 0x9ee1:$str02: get_SslClient 0x9efd:$str03: get_TcpClient 0x841a:$str04: get_SendSync 0x84c8:$str05: get_IsConnected 0x8d44:$str06: set_UseShellExecute 0xc85a:$str07: Pastebin 0xdef2:$str08: Select * from AntivirusProduct 0xf438:$str09: Stub.exe 0xf4c8:$str09: Stub.exe 0xc644:$str10: timeout 3 > NUL 0xc534:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xc5c4:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa734:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xd638:$a2: Stub.exe 0xd6c8:$a2: Stub.exe 0x71de:$a3: get_ActivatePong 0xa94c:$a4: vmware 0xa7c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x80e1:$a6: get_SslClient
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x71de:$str01: get_ActivatePong 0x80e1:$str02: get_SslClient 0x80fd:$str03: get_TcpClient 0x661a:$str04: get_SendSync 0x66c8:$str05: get_IsConnected 0x6f44:$str06: set_UseShellExecute 0xaa5a:$str07: Pastebin 0xc0f2:$str08: Select * from AntivirusProduct 0xd638:$str09: Stub.exe 0xd6c8:$str09: Stub.exe 0xa844:$str10: timeout 3 > NUL 0xa734:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa7c4:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa7c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa734:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xd638:$a2: Stub.exe 0xd6c8:$a2: Stub.exe 0x71de:$a3: get_ActivatePong 0xa94c:$a4: vmware 0xa7c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x80e1:$a6: get_SslClient
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x71de:$str01: get_ActivatePong 0x80e1:$str02: get_SslClient 0x80fd:$str03: get_TcpClient 0x661a:$str04: get_SendSync 0x66c8:$str05: get_IsConnected 0x6f44:$str06: set_UseShellExecute 0xaa5a:$str07: Pastebin 0xc0f2:$str08: Select * from AntivirusProduct 0xd638:$str09: Stub.exe 0xd6c8:$str09: Stub.exe 0xa844:$str10: timeout 3 > NUL 0xa734:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xa7c4:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa7c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc534:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x1c174:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x1f078:$a2: Stub.exe 0x1f108:$a2: Stub.exe 0x8fde:$a3: get_ActivatePong 0x18c1e:$a3: get_ActivatePong 0xc74c:$a4: vmware 0x1c38c:$a4: vmware 0xc5c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x1c204:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ee1:$a6: get_SslClient 0x19b21:$a6: get_SslClient
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x8fde:$str01: get_ActivatePong 0x18c1e:$str01: get_ActivatePong 0x9ee1:$str02: get_SslClient 0x19b21:$str02: get_SslClient 0x9efd:$str03: get_TcpClient 0x19b3d:$str03: get_TcpClient 0x841a:$str04: get_SendSync 0x1805a:$str04: get_SendSync 0x84c8:$str05: get_IsConnected 0x18108:$str05: get_IsConnected 0x8d44:$str06: set_UseShellExecute 0x18984:$str06: set_UseShellExecute 0xc85a:$str07: Pastebin 0x1c49a:$str07: Pastebin 0xdef2:$str08: Select * from AntivirusProduct 0x1db32:$str08: Select * from AntivirusProduct 0xf438:$str09: Stub.exe 0xf4c8:$str09: Stub.exe 0x1f078:$str09: Stub.exe 0x1f108:$str09: Stub.exe 0xc644:$str10: timeout 3 > NUL
0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x1c206:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc534:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fde:$a3: get_ActivatePong 0xc74c:$a4: vmware 0xc5c4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ee1:$a6: get_SslClient
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack	rat_win_asyncrat	Detect AsyncRAT based on specific strings	Sekoia.io	0x8fde:$str01: get_ActivatePong 0x9ee1:$str02: get_SslClient 0x9efd:$str03: get_TcpClient 0x841a:$str04: get_SendSync 0x84c8:$str05: get_IsConnected 0x8d44:$str06: set_UseShellExecute 0xc85a:$str07: Pastebin 0xdef2:$str08: Select * from AntivirusProduct 0xf438:$str09: Stub.exe 0xf4c8:$str09: Stub.exe 0xc644:$str10: timeout 3 > NUL 0xc534:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn 0xc5c4:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc5c6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Click to see the 18 entries

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EiO4tqZ3o4.exe", ParentImage: C:\Users\user\Desktop\EiO4tqZ3o4.exe, ParentProcessId: 6836, ParentProcessName: EiO4tqZ3o4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, ProcessId: 6168, ProcessName: powershell.exe

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\EiO4tqZ3o4.exe", ParentImage: C:\Users\user\Desktop\EiO4tqZ3o4.exe, ParentProcessId: 6836, ParentProcessName: EiO4tqZ3o4.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force, ProcessId: 6168, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T19:02:07.277772+0100	2035595	1	Domain Observed Used for C2 Detected	108.174.194.58	7707	192.168.2.4	49733	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T19:02:07.277772+0100	2035607	1	Domain Observed Used for C2 Detected	108.174.194.58	7707	192.168.2.4	49733	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-12-29T19:02:07.277772+0100	2842478	1	Malware Command and Control Activity Detected	108.174.194.58	7707	192.168.2.4	49733	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: 5sdf23d2sdf.ddnss.eu

Avira URL Cloud: Label: malware

Found malware configuration

Source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: AsyncRAT {"Server": "5sdf23d2sdf.ddnss.eu", "Port": "6606,7707,8808", "Version": "AWS | RxR ", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "false", "Group": "false"}

Multi AV Scanner detection for submitted file

Source: EiO4tqZ3o4.exe	ReversingLabs: Detection: 63%
Source: EiO4tqZ3o4.exe	Virustotal: Detection: 63%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: EiO4tqZ3o4.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR

Source: EiO4tqZ3o4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.pdbLL source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb@}V source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERAC21.tmp.dmp.7.dr

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 108.174.194.58:7707 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 108.174.194.58:7707 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 108.174.194.58:7707 -> 192.168.2.4:49733
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 108.174.194.58:7707 -> 192.168.2.4:49733

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 5sdf23d2sdf.ddnss.eu

Yara detected Generic Downloader

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49733 -> 108.174.194.58:7707

Source: Joe Sandbox View

ASN Name: HOSTWINDSUS HOSTWINDSUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: 5sdf23d2sdf.ddnss.eu

Source: 77EC63BDA74BD0D0E0426DC8F80085060.3.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegSvcs.exe, 00000003.00000002.4155724066.0000000000C24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enu
Source: RegSvcs.exe, 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, LimeLogger.cs	.Net Code: KeyboardLayout
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, LimeLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B800C48	0_2_00007FFD9B800C48
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B803988	0_2_00007FFD9B803988
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B813F67	0_2_00007FFD9B813F67
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B80AEA9	0_2_00007FFD9B80AEA9
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B80DEC7	0_2_00007FFD9B80DEC7
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B808650	0_2_00007FFD9B808650
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B80B47D	0_2_00007FFD9B80B47D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E67038	3_2_00E67038
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E67908	3_2_00E67908
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E6D1F0	3_2_00E6D1F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E66CF0	3_2_00E66CF0

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6836 -s 1512

Source: EiO4tqZ3o4.exe	Static PE information: Resource name: STRONGER type: DOS executable (COM)
Source: EiO4tqZ3o4.exe	Static PE information: Resource name: STRONGER type: DOS executable (COM)

Source: EiO4tqZ3o4.exe

Static PE information: No import functions for PE file found

Source: EiO4tqZ3o4.exe, 00000000.00000002.1945861818.0000016B49470000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameEsayijumara> vs EiO4tqZ3o4.exe
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs EiO4tqZ3o4.exe
Source: EiO4tqZ3o4.exe, 00000000.00000002.1947465890.0000016B635A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs EiO4tqZ3o4.exe
Source: EiO4tqZ3o4.exe, 00000000.00000002.1947465890.0000016B635A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePowerShell.EXEj% vs EiO4tqZ3o4.exe
Source: EiO4tqZ3o4.exe	Binary or memory string: OriginalFilename vs EiO4tqZ3o4.exe

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: EiO4tqZ3o4.exe

Static PE information: Section: .rsrc ZLIB complexity 0.9975374690976514

Source: EiO4tqZ3o4.exe, ----.cs

Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'

Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, Settings.cs	Base64 encoded string: '/OA1+xnL34JP8pDH9tf3+7ngrZvQnkqlpJmsBN1AwQ19TFDZOj5nZ0pWiS8GTNySyHFAG7F1inWFanLmJW9PqUVpMSBlLcHZORCrh5SQh4c=', 'sW8y/CcitJtiYkbzdV7+p4yzpZi063PT9zXTzc9NTCP2lqO3ZWIN2ZNjfNsOJZ9t3iSj+i9kxVgf0XyU76ipRQ==', 'xRKl+cKpxUREKXcX34tDwFoxQc1k26Qxhb74fNuxGO2TeCScz+s972JaLvwRSwYPZdusrJuuJpjfrLWh2WxjS4CWQzwJikulyNBGJLa2yVvlWZta0ntNRpICWbEMilFO7wYtYzeSHiXLiDlawsgZ1lFaiYwKcXqJVdJ781nQ2PKASHGFxAgvDWp69/iHviBg6Jp6cZTTFnd4OzIl0BgePOVaOyUmUa1q7dJXhg1/PeuC9360LRVuMbpJKXPzRhUsV/r7rO577e/kBkLlggKWsPtvjsHDTu0zzv43R7vlV9QLFsxtPTNJYVDQO1pDZWskyIRq/SlHdOQK4Nvkz4zIEhGEgwwOj5Nb9t6eZoup7lxW4GgNikGxm6slgcXRimHfj1XzcWWa3Rgu4JBGy8zVWmavvhstw7UswYChfojmR0lhvTV4bb+MTiMBe2IbRnc5PgVto4niZXUg6flZHdQ9uLdWky0rp+4gp2uWf3ZDppHrNacEOGXJprpdDmohELzS/vUBlkA1/B/WS3L6WJMknI0hAvb0zeUBsg3q1uB8CA9ShJh8FuoprEUKR7l9/Q+Dloxb3uruM5HQzTVk8fKrqN8IY558F5hxItsnyGwE4AM1KB2SAA9WLAqnWNm/VIEiDIjVbX6A4HSDVKDxYNnX760JyL3fB2p8C60GoV80qfGiQzBDRL/ILoBplYr8XXF0eHDr54nYSQkuTJX2J4WCt8bSe5IM9sAjFx2/i3wSXhATS7N+dLg+szhog1OKihkAvpR/vqwvuPai51Q3iEmhBrlg4wgmKeKQUb7T1zNabtfVYoa4dAScpYnA39AgGPHbhmTs9F0m3P6FyOPphiB4aiLuWKO+V/HuQTWN9LZOhF7mlQB7OxqbGMwfLpGN4+wmo51i6HpY+VQv9kLBjBQthRF27z9FWGwEjfJiBSEBuuCmRKLokkm/ysdjxoLve0Tmguqc7noWAmYFccjrUcLqBIuif/qwe1LAYnso1QmF2nNzLpc5mxp5tuapL98v7/d+1AM3yUcIIv3e/hJrnv9Z0RN/atwxW72BVK5NdWr/SZ6H28rubAiPmzPTychM9CorEORedTMLBj2Q6w5ICU7o259lYckrI1BHsXjrMlq4GMoe6t3a3M1VonkRPMd37dssszQuk0Y5TU7o/4Dt6M2ryD9eYeM+lzIjRsEiHLz+XNdKRFanXgpfWpKK5WyHFYqoBq1RJgKyXloKNTYltKzyn4mbrzhJhLUd3w5rVQjQRdeABJwbJ69o8uVcZV+ODblyJStMZ1WKx4k1kbRLdEbQx4g+I5gh7B7MNTsHnB+8SbqFZpYByLr0Jk3Pq3ZcIadlZ/glz2p5ymTwsbYZ6Deo0g+hYGwzH7xDXWc4mbnyrDnKQL18soG1R4QVwVhHq7doAG0wANkMqbe9pHywV0snU3cPyeUQfBB64EYVf8xng+9SzVOYLpAR2ozVTMSHNoNadKjVyabg+rRzQowqxRQ4KFLApZPXqtTNLQvjIPJ6kGWcVORJqehbHmBXbIy/n9kwLgTszsStfg1T2Ms7romOs6apONxQwlqsAn6KCHkvWymbEB0hZGd5wpBNSB5C3c42/XvUhBIiYKhTlrzYJ8xP25KYwj9HCzaWdlkctqwadDgWovL6E5L7thPnyzU0jqS0WO3nywKvpEDvW/8uLScAmchLCdPzmXVLcMJAt5bT0f5Ak1NvSnUlgIUmOCSC9Xj4gRYxxZ99A06EObPIy+rwbJ0Ph3SYjecasPJKuzFXB/91y5uzv8YFhGr1UogJIc6EF9ud7nOjyYznOK2mULMY77qRg34tviVgyEB/EI2M3qiQtc3ga3W+axJtNicf8gewBXuayGggV+YHy0ydt2baoPz9PdWNcA9yQkW6cPOIm6LJOJXtsFXmQ//N0tQ1XeTGiadK5cQZd4kvVEfLtgvlyFDlyQweNbgalcMpdQcB5EKivafDW3mHv5eu+W2L6EZmAirr4S1U++QNfwacOYtWhhEjliuG3N/es0a2GwqB2futzPavKm2Z4pfBEYoLo3IbUo8s4vtVTn40KaDLhlmcdp4PKETYaKYLf8nOnxVvjVO7mbw8ybik1hs4cW4I9qCFfyu9K+Sbqa43AQptjR/xbJrp7gpewSXxAvDBV9vP0U2fNgze+AraWG86j569wPb66j1Ij+diil8iTOXMWcFagLiKMGxCVPenQyanfIonYDHfG+ahI/4sOpqGMTCNUzIJ9KAmTSIhWGg4EB02mEKFJeGwFrvJXbFRbUK+pqlIfH/IS0QscCdNSiojNfSXeynSKUvbq3X7RIrnoGHG4EgDschNNGHWdFILkc7y93wHdC8=', 'jh63SA1yvdMukCaAdyuv7wSq0dOoVCSSDrotxhUCCc82UQ9Z/Y7auAfCOEfTGqQgAHxgipMm9As8hvrlt5DW5j8JZppIHT5prYHrcar6NN8SvBzdibU8lc31trVMmmER2Ftffo/Xk9RdqyDa3uCl7IP4v0tV9a2Gr63A6ydmWqrm2fZTi+MH+rEMlL+ok7pif1k2ZHDvgZl3eMbM4Dd0uWmz5g8B/YqHXEI9dNIyCkgZmynyWNDtki15XiOoLCVO2z9mJOEKCuXqrWjhJ+ChuzCI7aO0zPgygtrYL/zZrsFx3lWlKaF6Z8RfikaMnwlHAMI4HWCR8Q5RIviMEJSO5vqM569o8hQoNLDE0QxJyHP6RWfnczAe8D0Zc1Nh0LQWNeukvVrQBa7CLFFIxUkppAbBSmVL+JamF/HgXdEp7vx4xFfXea5eVDIG5HQ
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, Settings.cs	Base64 encoded string: '/OA1+xnL34JP8pDH9tf3+7ngrZvQnkqlpJmsBN1AwQ19TFDZOj5nZ0pWiS8GTNySyHFAG7F1inWFanLmJW9PqUVpMSBlLcHZORCrh5SQh4c=', 'sW8y/CcitJtiYkbzdV7+p4yzpZi063PT9zXTzc9NTCP2lqO3ZWIN2ZNjfNsOJZ9t3iSj+i9kxVgf0XyU76ipRQ==', 'xRKl+cKpxUREKXcX34tDwFoxQc1k26Qxhb74fNuxGO2TeCScz+s972JaLvwRSwYPZdusrJuuJpjfrLWh2WxjS4CWQzwJikulyNBGJLa2yVvlWZta0ntNRpICWbEMilFO7wYtYzeSHiXLiDlawsgZ1lFaiYwKcXqJVdJ781nQ2PKASHGFxAgvDWp69/iHviBg6Jp6cZTTFnd4OzIl0BgePOVaOyUmUa1q7dJXhg1/PeuC9360LRVuMbpJKXPzRhUsV/r7rO577e/kBkLlggKWsPtvjsHDTu0zzv43R7vlV9QLFsxtPTNJYVDQO1pDZWskyIRq/SlHdOQK4Nvkz4zIEhGEgwwOj5Nb9t6eZoup7lxW4GgNikGxm6slgcXRimHfj1XzcWWa3Rgu4JBGy8zVWmavvhstw7UswYChfojmR0lhvTV4bb+MTiMBe2IbRnc5PgVto4niZXUg6flZHdQ9uLdWky0rp+4gp2uWf3ZDppHrNacEOGXJprpdDmohELzS/vUBlkA1/B/WS3L6WJMknI0hAvb0zeUBsg3q1uB8CA9ShJh8FuoprEUKR7l9/Q+Dloxb3uruM5HQzTVk8fKrqN8IY558F5hxItsnyGwE4AM1KB2SAA9WLAqnWNm/VIEiDIjVbX6A4HSDVKDxYNnX760JyL3fB2p8C60GoV80qfGiQzBDRL/ILoBplYr8XXF0eHDr54nYSQkuTJX2J4WCt8bSe5IM9sAjFx2/i3wSXhATS7N+dLg+szhog1OKihkAvpR/vqwvuPai51Q3iEmhBrlg4wgmKeKQUb7T1zNabtfVYoa4dAScpYnA39AgGPHbhmTs9F0m3P6FyOPphiB4aiLuWKO+V/HuQTWN9LZOhF7mlQB7OxqbGMwfLpGN4+wmo51i6HpY+VQv9kLBjBQthRF27z9FWGwEjfJiBSEBuuCmRKLokkm/ysdjxoLve0Tmguqc7noWAmYFccjrUcLqBIuif/qwe1LAYnso1QmF2nNzLpc5mxp5tuapL98v7/d+1AM3yUcIIv3e/hJrnv9Z0RN/atwxW72BVK5NdWr/SZ6H28rubAiPmzPTychM9CorEORedTMLBj2Q6w5ICU7o259lYckrI1BHsXjrMlq4GMoe6t3a3M1VonkRPMd37dssszQuk0Y5TU7o/4Dt6M2ryD9eYeM+lzIjRsEiHLz+XNdKRFanXgpfWpKK5WyHFYqoBq1RJgKyXloKNTYltKzyn4mbrzhJhLUd3w5rVQjQRdeABJwbJ69o8uVcZV+ODblyJStMZ1WKx4k1kbRLdEbQx4g+I5gh7B7MNTsHnB+8SbqFZpYByLr0Jk3Pq3ZcIadlZ/glz2p5ymTwsbYZ6Deo0g+hYGwzH7xDXWc4mbnyrDnKQL18soG1R4QVwVhHq7doAG0wANkMqbe9pHywV0snU3cPyeUQfBB64EYVf8xng+9SzVOYLpAR2ozVTMSHNoNadKjVyabg+rRzQowqxRQ4KFLApZPXqtTNLQvjIPJ6kGWcVORJqehbHmBXbIy/n9kwLgTszsStfg1T2Ms7romOs6apONxQwlqsAn6KCHkvWymbEB0hZGd5wpBNSB5C3c42/XvUhBIiYKhTlrzYJ8xP25KYwj9HCzaWdlkctqwadDgWovL6E5L7thPnyzU0jqS0WO3nywKvpEDvW/8uLScAmchLCdPzmXVLcMJAt5bT0f5Ak1NvSnUlgIUmOCSC9Xj4gRYxxZ99A06EObPIy+rwbJ0Ph3SYjecasPJKuzFXB/91y5uzv8YFhGr1UogJIc6EF9ud7nOjyYznOK2mULMY77qRg34tviVgyEB/EI2M3qiQtc3ga3W+axJtNicf8gewBXuayGggV+YHy0ydt2baoPz9PdWNcA9yQkW6cPOIm6LJOJXtsFXmQ//N0tQ1XeTGiadK5cQZd4kvVEfLtgvlyFDlyQweNbgalcMpdQcB5EKivafDW3mHv5eu+W2L6EZmAirr4S1U++QNfwacOYtWhhEjliuG3N/es0a2GwqB2futzPavKm2Z4pfBEYoLo3IbUo8s4vtVTn40KaDLhlmcdp4PKETYaKYLf8nOnxVvjVO7mbw8ybik1hs4cW4I9qCFfyu9K+Sbqa43AQptjR/xbJrp7gpewSXxAvDBV9vP0U2fNgze+AraWG86j569wPb66j1Ij+diil8iTOXMWcFagLiKMGxCVPenQyanfIonYDHfG+ahI/4sOpqGMTCNUzIJ9KAmTSIhWGg4EB02mEKFJeGwFrvJXbFRbUK+pqlIfH/IS0QscCdNSiojNfSXeynSKUvbq3X7RIrnoGHG4EgDschNNGHWdFILkc7y93wHdC8=', 'jh63SA1yvdMukCaAdyuv7wSq0dOoVCSSDrotxhUCCc82UQ9Z/Y7auAfCOEfTGqQgAHxgipMm9As8hvrlt5DW5j8JZppIHT5prYHrcar6NN8SvBzdibU8lc31trVMmmER2Ftffo/Xk9RdqyDa3uCl7IP4v0tV9a2Gr63A6ydmWqrm2fZTi+MH+rEMlL+ok7pif1k2ZHDvgZl3eMbM4Dd0uWmz5g8B/YqHXEI9dNIyCkgZmynyWNDtki15XiOoLCVO2z9mJOEKCuXqrWjhJ+ChuzCI7aO0zPgygtrYL/zZrsFx3lWlKaF6Z8RfikaMnwlHAMI4HWCR8Q5RIviMEJSO5vqM569o8hQoNLDE0QxJyHP6RWfnczAe8D0Zc1Nh0LQWNeukvVrQBa7CLFFIxUkppAbBSmVL+JamF/HgXdEp7vx4xFfXea5eVDIG5HQ

Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/12@2/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: NULL
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6836
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:796:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnnumejd.jg0.ps1

Jump to behavior

Source: EiO4tqZ3o4.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EiO4tqZ3o4.exe	ReversingLabs: Detection: 63%
Source: EiO4tqZ3o4.exe	Virustotal: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\EiO4tqZ3o4.exe "C:\Users\user\Desktop\EiO4tqZ3o4.exe"
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6836 -s 1512
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: EiO4tqZ3o4.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: EiO4tqZ3o4.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: System.Windows.Forms.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.pdbLL source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: mscorlib.ni.pdbRSDS7^3l source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Windows.Forms.pdb@}V source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Drawing.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdbRSDS source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: System.Core.ni.pdb source: WERAC21.tmp.dmp.7.dr
Source:	Binary string: Microsoft.VisualBasic.pdb source: WERAC21.tmp.dmp.7.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, Packet.cs	.Net Code: Plugins System.AppDomain.Load(byte[])
Source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, Packet.cs	.Net Code: Plugins System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B808164 push ebx; ret	0_2_00007FFD9B80816A
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B80786E pushad ; retf	0_2_00007FFD9B80789D
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B80789E push eax; retf	0_2_00007FFD9B8078AD
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B8000AD pushad ; iretd	0_2_00007FFD9B8000C1
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B817845 push eax; iretd	0_2_00007FFD9B81786D
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Code function: 0_2_00007FFD9B8D026B push esp; retf 4810h	0_2_00007FFD9B8D0312
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E6196A push eax; retn 0070h	3_2_00E61972
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E61957 push eax; retn 0070h	3_2_00E61962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_00E61917 push eax; retn 0070h	3_2_00E61952

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp, EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory allocated: 16B493F0000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory allocated: 16B62E80000 memory reserve \| memory write watch			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6202	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3621	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 9146	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 708	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4908

Thread sleep time: -6456360425798339s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000003.00000002.4157890737.0000000004D16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegSvcs.exe, 00000003.00000002.4158267831.0000000004D94000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4155824691.0000000000C87000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: RegSvcs.exe, 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: vmware
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: EiO4tqZ3o4.exe, 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 646008	Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.4158704612.0000000005639000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe	Queries volume information: C:\Users\user\Desktop\EiO4tqZ3o4.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af3d2c0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EiO4tqZ3o4.exe.16b4af4cf00.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: EiO4tqZ3o4.exe PID: 6836, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 5936, type: MEMORYSTR

Disables UAC (registry)

Source: C:\Users\user\Desktop\EiO4tqZ3o4.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: RegSvcs.exe, 00000003.00000002.4155782039.0000000000C66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.4158181496.0000000004D68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	312 Process Injection	21 Disable or Modify Tools	1 Input Capture	131 Security Software Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 DLL Side-Loading	1 Scheduled Task/Job	41 Virtualization/Sandbox Evasion	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	11 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	312 Process Injection	Security Account Manager	41 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	111 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EiO4tqZ3o4.exe	63%	ReversingLabs	ByteCode-MSIL.Trojan.InjectorNetT
EiO4tqZ3o4.exe	64%	Virustotal		Browse
EiO4tqZ3o4.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
5sdf23d2sdf.ddnss.eu	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
5sdf23d2sdf.ddnss.eu	108.174.194.58	true	true		unknown
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	217.20.58.100	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
5sdf23d2sdf.ddnss.eu	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://upx.sf.net	Amcache.hve.7.dr	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.174.194.58	5sdf23d2sdf.ddnss.eu	United States		54290	HOSTWINDSUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1582052
Start date and time:	2024-12-29 19:01:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EiO4tqZ3o4.exe renamed because original name is a hash value
Original Sample Name:	0731d232d0af12a5320238914de6bf4a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/12@2/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 89% Number of executed functions: 77 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 217.20.58.100, 13.89.179.12, 20.190.147.12, 52.149.20.212, 13.107.246.63
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, onedsblobprdcus17.centralus.cloudapp.azure.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 5936 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:02:00	API Interceptor	18x Sleep call for process: powershell.exe modified
13:02:08	API Interceptor	9466593x Sleep call for process: RegSvcs.exe modified
13:02:23	API Interceptor	1x Sleep call for process: WerFault.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	wce.exe	Get hash	malicious	Unknown	Browse	217.20.58.98
	nXNMsYXFFc.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	5RaYXoKFn9.exe	Get hash	malicious	PureCrypter, PureLog Stealer	Browse	217.20.58.98
	msgde.exe	Get hash	malicious	Quasar	Browse	217.20.58.99
	atw3.dll	Get hash	malicious	Gozi, Ursnif	Browse	217.20.58.100
	WRD1792.docx.doc	Get hash	malicious	Dynamer	Browse	217.20.58.99
	GtEVo1eO2p.exe	Get hash	malicious	LummaC	Browse	217.20.58.98
	0442.pdf.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	#U5b89#U88c5#U7a0b#U5e8f_1.1.0.exe	Get hash	malicious	Unknown	Browse	217.20.58.100
	wUSt04rfJ0.exe	Get hash	malicious	Quasar	Browse	217.20.58.101

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HOSTWINDSUS	Titan.exe	Get hash	malicious	Unknown	Browse	104.168.136.235
	Titan.exe	Get hash	malicious	Unknown	Browse	104.168.136.235
	Support.Client.exe	Get hash	malicious	ScreenConnect Tool	Browse	104.168.134.232
	arm5.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	192.236.219.113
	lFxGd66yDa.exe	Get hash	malicious	NetSupport RAT	Browse	23.254.224.41
	Jjv9ha2GKn.exe	Get hash	malicious	NetSupport RAT, DarkTortilla	Browse	23.254.224.41
	5q1Wm5VlqL.exe	Get hash	malicious	NetSupport RAT	Browse	23.254.224.41
	xd.mpsl.elf	Get hash	malicious	Mirai	Browse	142.11.240.128
	loligang.arm.elf	Get hash	malicious	Mirai	Browse	192.119.104.64
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	142.11.240.155

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EiO4tqZ3o4.exe_fa4ae2d8aac167bf5165e198cddc7330b01b64_a0e0fc51_ebff8189-50d7-4c69-bf97-7260af2683d7\Report.wer

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1477043493072316
Encrypted:	false
SSDEEP:	192:ZbIE+er50UnUdaWB2WSlibdzuiFqZ24lO83:2E+emUnUdam2SZzuiFqY4lO83
MD5:	FBB2C83BE2B5342DBC4A450D68E47481
SHA1:	AD58F7051F8652BCBC5317048AB088951E4BF791
SHA-256:	EF1675DF3B8CCB64A9CA1DEFB484D00676AAE728CA6427F2BD9C0437036365B4
SHA-512:	7D8BE5BEF4150909A2D9DD700B6FD62E9F4E8B11AEB58ECCD8B6CB36ABB9E48776CD816FA51C19B0A08658A734469E423EE9FE431B6111208BC25889940B44B4
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.9.9.6.8.9.2.0.1.3.7.1.5.2.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.9.9.6.8.9.2.0.8.7.1.5.2.9.1.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.f.f.8.1.8.9.-.5.0.d.7.-.4.c.6.9.-.b.f.9.7.-.7.2.6.0.a.f.2.6.8.3.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.e.b.7.c.b.e.c.0.-.6.d.c.f.-.4.b.6.4.-.8.1.6.b.-.3.2.6.5.c.6.e.4.5.d.7.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.E.i.O.4.t.q.Z.3.o.4...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=..\q\..e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.b.4.-.0.0.0.1.-.0.0.1.4.-.3.8.8.f.-.0.8.c.0.1.b.5.a.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.d.8.c.e.a.c.d.e.a.0.a.9.0.e.0.b.7.9.e.4.e.6.c.6.1.2.e.0.8.c.8.8.0.0.0.0.0.0.0.0.!.0.0.0.0.4.1.b.1.d.5.7.2.9.2.f.a.9.4.2.3.5.2.3.7.3.e.5.8.7.a.6.3.8.0.1.1.8.9.3.6.4.9.a.b.!.E.i.O.4.t.q.Z.3.o.4...e.x.e.....

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC21.tmp.dmp

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	Mini DuMP crash report, 16 streams, Sun Dec 29 18:02:00 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	469365
Entropy (8bit):	3.219154018689513
Encrypted:	false
SSDEEP:	3072:h0gY/Fz3+vS8TBK4lNCkXnaLTXoKG1cSmTQ1CCqEFfLSuQc:hU/Fz3QS80hkYe5qc
MD5:	FF1C37B312B29027D3E7B367976429B7
SHA1:	9F228FA627250DDF57B59C6A7779052E6753AAAB
SHA-256:	1CC3A1A31BF91A92093BF009D2E087B81EEEA87CDD5D01F9EADA2783B664E505
SHA-512:	4093889F460AA654B506B1BA40279008B3323B6B7428EB534703C165B1A32DAAA80F9B9236EE1723E7B2F17FF7AAA525F1FD225EA329D8C81061608635DDF3BB
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........qg............t...........p...........$....%......d...(%.......J.............l.......8...........T............8..u............A..........xC..............................................................................eJ.......D......Lw......................T.............qg.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE54.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8794
Entropy (8bit):	3.713189653904693
Encrypted:	false
SSDEEP:	192:R6l7wVeJIPfDi6Y9wyOgmfS6J6pr189blScSfoIOXm:R6lXJInG6YayOgmfSitlS5ffv
MD5:	21D39FDC708B600B5593E20B881EDE13
SHA1:	082C1D4C5AC1D0D0A3462958F0DE61BA37F3CB67
SHA-256:	4C3D85CE2E22C6C7AE0D1D3D9B8D9F698D4E9FDBFDDE6A76E2A5DE2B6564AA9E
SHA-512:	B6242953057DE71591252CD237AB9E536B341778FEFEFC127A855BEC635AB0F253B3288F88959062B3B9FAEB5DD60136DA0DD7E947ACAE4ED96B73A18D7C1666
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.8.3.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE84.tmp.xml

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-8 text, with CRLF line terminators
Category:	dropped
Size (bytes):	4754
Entropy (8bit):	4.5216135829365784
Encrypted:	false
SSDEEP:	48:cvIwWl8zsDJg771I9bYWpW8VYVYm8M4JKLAFOyq854sxa2tW2d:uIjfdI70R7VpJKzr0a2tW2d
MD5:	F2BC1669D9E6F0AEEF55FBB67DC6E9A0
SHA1:	950A6698AB211C02F7BB7E2C8A7E3D770CA68CD0
SHA-256:	CD9E15519B6A12A62DC85F0DA999C6B5645C3CD57EB1B6BEA3BE27684DC8924F
SHA-512:	D85214E49EB62052330F74C99C7FFF62F40B323FE07C2CCB68D69389ED3B1A334314FF4122E11DD8A0B95CCB29E449D796EE6C2EB7BCB2AF9966FF26D62741DD
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="652864" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.150184159866505
Encrypted:	false
SSDEEP:	6:kKBK/9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:wODnLNkPlE99SNxAhUe/3
MD5:	9DCFA8F9F340CC70483623FAAB65CC87
SHA1:	431F33730828750963450D4145E82C8B7FE1CE14
SHA-256:	E279388D1A08DC5E3D527A834BBCF0F37E6377D037EEE04231D1321672D1048C
SHA-512:	3900E3367BCD579847BC39081A8D8D435EB82256AE447BC7D8CF2A7985E223444B364696743F7169D6D8C6F8DDE1DE2C10B311A8B4B8CD2BA00776DE1EEDA99D
Malicious:	false
Preview:	p...... ........N.!..Z..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	1.1940658735648508
Encrypted:	false
SSDEEP:	3:Nlllulbnolz:NllUc
MD5:	F23953D4A58E404FCB67ADD0C45EB27A
SHA1:	2D75B5CACF2916C66E440F19F6B3B21DFD289340
SHA-256:	16F994BFB26D529E4C28ED21C6EE36D4AFEAE01CEEB1601E85E0E7FDFF4EFA8B
SHA-512:	B90BFEC26910A590A367E8356A20F32A65DB41C6C62D79CA0DDCC8D95C14EB48138DEC6B992A6E5C7B35CFF643063012462DA3E747B2AA15721FE2ECCE02C044
Malicious:	false
Preview:	@...e................................................@..........

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljs32xwr.5zz.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oi0lhqc0.omy.psm1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnnumejd.jg0.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xb0d0vwe.0xc.ps1

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\System32\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465585699851131
Encrypted:	false
SSDEEP:	6144:OIXfpi67eLPU9skLmb0b4AWSPKaJG8nAgejZMMhA2gX4WABl0uN4dwBCswSbr:DXD94AWlLZMM6YFH++r
MD5:	D9C283D8D32C136BE99835D9EA01F70E
SHA1:	05A1B7A40867A3ABB6ABB986551C751E59ACEDC4
SHA-256:	2ECBAD69D5647EDA5B62FFFE7BFDF4EE8CD755FDC0FB9F4031AB69E647357958
SHA-512:	84B92E88759770BC4BE6DD87C9CBAC1B62D65D22B7517DB5FFDB25861D1F50B45BABED2EB151D5D2B420FA993E491EC7ABA3D66C32CBFB5138C7893A7E0A2C0D
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm6....Z...............................................................................................................................................................................................................................................................................................................................................s..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.995254639615574
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EiO4tqZ3o4.exe
File size:	421'888 bytes
MD5:	0731d232d0af12a5320238914de6bf4a
SHA1:	41b1d57292fa942352373e587a638011893649ab
SHA256:	adc6b85fbb55624cdd9a25d9634f08d3991ac60dce86c8f3ed520a88e36371fe
SHA512:	a1af80997ce12df93cd17be40f78cfaced5fda36e1a601819e7e0790fa1efba13c2f818d45f83290707e3ac8e1fc54fea7f2d6a17640e83da5ba816ee629a436
SSDEEP:	6144:y+YH9d/Ucs7XgCbXTFm2HTMFyowl07iLC0Ga2wdyRwIfjc6YRjd66Al:y5HUcaX5Lxm2atlf0Ga2NRwI7YJbAl
TLSH:	079423BBDA505429F3F12A30822E1BFE13EEC9B618E2CAFF05A57B7D790574519E1081
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...._mg.........."...0......R........... ....@...... ....................................`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x676D5FD5 [Thu Dec 26 13:53:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4000	0x650e4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x1be8	0x1c00	aeaf46fb6e1449e0cc9529912967f602	False	0.6697823660714286	data	6.15566711659085	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4000	0x650e4	0x65200	7651d1a152952151462b3296bc1b78c5	False	0.9975374690976514	data	7.998950594784604	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
STRONGER	0x42e4	0x20	data	1.34375
STRONGER	0x4304	0x10	data	1.5625
STRONGER	0x4314	0x10	data	1.5625
STRONGER	0x4324	0x64810	DOS executable (COM)	1.0003303665124956
STRONGER	0x68b34	0x10	data	1.5625
STRONGER	0x68b44	0x180	DOS executable (COM)	1.0286458333333333
RT_VERSION	0x68cc4	0x234	data	0.4734042553191489
RT_MANIFEST	0x68ef8	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-12-29T19:02:07.277772+0100	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	108.174.194.58	7707	192.168.2.4	49733	TCP
2024-12-29T19:02:07.277772+0100	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	108.174.194.58	7707	192.168.2.4	49733	TCP
2024-12-29T19:02:07.277772+0100	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	108.174.194.58	7707	192.168.2.4	49733	TCP
2024-12-29T19:02:07.277772+0100	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	108.174.194.58	7707	192.168.2.4	49733	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 19:02:05.811455965 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:05.931389093 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:05.931484938 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:05.943253040 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:06.063127995 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:07.150644064 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:07.150731087 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:07.150777102 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:07.157548904 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:07.277771950 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:07.520966053 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:07.565658092 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:09.740673065 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:09.860563040 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:09.860637903 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:09.980606079 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:10.970465899 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:11.018728971 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:11.171694994 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:11.221858978 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:19.691368103 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:19.811387062 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:19.811449051 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:19.931351900 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:20.172450066 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:20.221838951 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:20.373471975 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:20.378669024 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:20.498722076 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:20.498800039 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:20.618720055 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:29.644599915 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:29.764774084 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:29.765084028 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:29.885011911 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:30.136703014 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:30.190629959 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:30.337568998 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:30.339143038 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:30.460007906 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:30.460206985 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:30.580194950 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:39.597306013 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:39.717345953 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:39.717470884 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:39.837399960 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.091810942 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.143747091 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:40.292861938 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.312968016 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:40.432890892 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.433059931 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:40.493958950 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.534399033 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:40.552936077 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.634197950 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:40.675015926 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:49.550492048 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:49.670653105 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:49.670717955 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:49.790590048 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:50.032757998 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:50.081278086 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:50.233922005 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:50.235389948 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:50.355439901 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:50.355516911 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:50.475429058 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:59.503773928 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:59.624150038 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:59.624520063 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:02:59.744507074 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:02:59.985804081 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:00.034434080 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:00.187170029 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:00.188694000 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:00.308603048 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:00.308670044 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:00.428771973 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:09.456650019 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:09.587507010 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:09.587569952 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:09.770205975 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:09.953223944 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.003305912 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:10.154304028 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.155776024 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:10.276074886 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.276128054 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:10.395968914 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.484951973 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.534439087 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:10.597268105 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:10.643834114 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:19.411607981 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:19.531562090 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:19.531629086 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:19.651498079 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:19.894243002 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:19.940717936 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:20.095340967 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:20.097301960 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:20.217180967 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:20.217230082 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:20.337141991 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:20.628751993 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:20.748974085 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:20.749037981 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:20.868859053 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:21.112327099 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:21.159601927 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:21.313179970 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:21.319093943 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:21.438999891 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:21.441704988 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:21.561634064 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:25.113116026 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:25.232940912 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:25.237610102 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:25.357558966 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:25.686542988 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:25.737622023 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:25.887795925 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:25.891565084 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:26.011468887 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:26.012224913 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:26.132062912 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:35.066174030 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:35.378254890 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:35.577291965 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:35.577303886 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:35.577399015 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:35.697220087 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:35.897950888 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:35.940742016 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:36.099061966 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:36.130403996 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:36.250909090 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:36.250965118 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:36.370857000 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:38.691473007 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:38.811378002 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:38.811506033 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:38.931725025 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:39.172584057 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:39.349555016 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:39.373682022 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:39.378926992 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:39.499144077 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:39.501678944 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:39.621629000 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:40.443257093 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:40.594491959 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:40.644263983 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:40.737636089 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:42.316154003 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:42.436252117 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:42.436297894 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:42.557204008 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:42.798552990 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:42.847019911 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:42.999682903 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:43.001461983 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:43.121562958 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:43.121623993 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:43.241504908 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:44.784981012 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:44.904964924 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:44.905023098 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:45.025079966 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:45.270926952 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:45.347029924 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:45.471923113 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:45.473572016 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:45.593585968 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:45.593692064 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:45.713619947 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:49.331840038 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:49.451924086 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:49.453660965 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:49.573636055 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:49.817796946 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:49.865241051 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:50.018744946 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:50.025574923 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:50.145389080 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:50.145478964 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:50.265328884 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:59.285592079 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:59.405467033 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:59.405647039 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:59.709594011 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:03:59.949429035 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:03:59.949861050 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:00.193964005 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:00.237678051 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:00.395020962 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:00.396677017 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:00.516622066 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:00.516668081 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:00.636586905 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.144474030 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:03.264405966 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.264652014 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:03.384567976 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.626954079 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.784629107 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:03.828061104 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.829442024 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:03.949364901 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:03.951679945 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:04.071577072 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:10.454922915 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:10.522300005 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:10.646780968 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:10.690828085 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:13.097652912 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:13.217730999 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:13.217789888 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:13.337647915 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:13.579174995 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:13.628365040 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:13.780054092 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:13.783155918 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:13.903110981 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:13.903187037 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:14.023108959 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.050740004 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:23.170845985 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.171021938 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:23.290884972 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.533679008 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.581532955 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:23.733300924 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.737632036 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:23.857662916 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:23.857734919 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:23.977845907 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:24.473637104 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:24.593487978 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:24.593544006 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:24.713413954 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:24.955102921 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:25.003367901 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:25.156316042 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:25.157649994 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:25.277631044 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:25.277679920 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:25.397576094 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:27.222453117 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:27.342478037 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:27.342564106 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:27.462523937 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:27.711791039 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:27.753353119 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:27.912885904 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:27.917644024 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:28.037590027 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:28.037842035 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:28.157735109 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:34.738126993 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:34.858108044 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:34.858172894 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:34.978096962 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:35.596369028 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:35.596916914 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:35.596970081 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:35.597042084 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:35.597042084 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:35.599059105 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:35.718924999 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:35.719034910 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:35.839180946 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:40.460200071 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:40.503388882 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:40.655354023 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:40.706518888 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:43.519444942 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:43.639631987 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:43.639739990 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:43.759696007 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:43.878897905 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:43.998800039 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.001776934 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.002610922 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.050280094 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.168725967 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.200213909 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.205668926 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.341028929 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.341130972 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.401202917 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.440901041 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.461143970 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.533904076 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.540529013 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.660415888 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:44.660487890 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:44.780402899 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:53.832175016 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:53.952393055 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:53.952481985 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:54.072361946 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:54.313971996 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:54.362795115 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:54.515069962 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:54.517080069 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:54.636909008 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:04:54.636969090 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:04:54.756802082 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:02.816420078 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:02.936458111 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:02.936718941 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:03.056623936 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:03.298068047 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:03.347177029 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:03.499499083 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:03.502888918 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:03.622831106 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:03.623039007 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:03.743046999 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:10.478106022 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:10.519076109 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:10.679043055 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:10.722198963 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:12.769741058 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:12.889666080 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:12.889823914 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:13.009713888 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:13.251442909 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:13.300329924 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:13.452465057 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:13.472037077 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:13.591916084 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:13.597265959 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:13.717164993 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:16.582276106 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:16.702272892 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:16.702322006 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:16.822182894 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:17.063668966 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:17.112947941 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:17.264695883 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:17.266305923 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:17.386212111 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:17.386315107 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:17.506239891 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:18.316375017 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:18.436597109 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:18.436739922 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:18.556622028 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:18.812318087 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:18.862942934 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:19.013456106 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:19.015130997 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:19.135037899 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:19.135092020 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:19.254947901 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:28.269493103 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:28.389553070 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:28.389731884 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:28.509727001 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:28.769769907 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:28.815992117 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:28.970781088 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:28.972218037 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:29.092348099 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:29.092398882 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:29.212423086 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:29.347779989 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:29.467864037 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:29.473750114 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:29.593698025 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:29.835069895 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:29.881737947 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:30.036331892 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:30.042293072 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:30.162228107 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:30.162381887 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:30.282321930 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:31.207052946 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:31.326953888 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:31.327009916 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:31.446875095 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:31.688210964 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:31.739908934 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:31.889183044 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:31.891940117 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:32.011797905 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:32.011851072 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:32.131908894 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:35.597794056 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:35.718069077 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:35.722218990 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:35.842159033 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:36.086865902 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:36.128509998 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:36.287861109 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:36.291127920 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:36.411041975 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:36.413860083 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:36.533713102 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:40.468131065 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:40.519145966 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:40.669137001 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:40.722278118 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:42.972850084 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:43.092833042 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:43.092896938 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:43.212754965 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:43.455373049 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:43.503623962 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:43.655580997 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:43.661850929 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:43.781743050 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:43.784244061 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:43.908739090 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:46.944603920 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:47.064549923 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:47.064604044 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:47.184497118 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:47.425805092 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:47.472281933 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:47.626755953 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:47.628825903 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:47.748688936 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:47.748744965 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:47.868820906 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:56.894664049 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:57.014750004 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:57.014823914 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:57.135019064 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:57.377830029 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:57.425442934 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:57.578869104 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:57.583441019 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:57.703370094 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:05:57.703435898 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:05:57.823412895 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:04.863512993 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:04.983629942 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:04.983686924 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:05.103774071 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:05.344991922 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:05.425462961 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:05.545999050 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:05.613789082 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:05.863799095 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:05.983768940 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:05.983854055 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:06.104047060 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:06.345843077 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:06.427798986 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:06.546921015 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:06.547749043 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:06.667635918 CET	7707	49733	108.174.194.58	192.168.2.4
Dec 29, 2024 19:06:06.667695045 CET	49733	7707	192.168.2.4	108.174.194.58
Dec 29, 2024 19:06:06.787638903 CET	7707	49733	108.174.194.58	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 29, 2024 19:02:04.591274023 CET	55404	53	192.168.2.4	1.1.1.1
Dec 29, 2024 19:02:05.581285000 CET	55404	53	192.168.2.4	1.1.1.1
Dec 29, 2024 19:02:05.806668997 CET	53	55404	1.1.1.1	192.168.2.4
Dec 29, 2024 19:02:05.824600935 CET	53	55404	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 29, 2024 19:02:04.591274023 CET	192.168.2.4	1.1.1.1	0x369	Standard query (0)	5sdf23d2sdf.ddnss.eu	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:05.581285000 CET	192.168.2.4	1.1.1.1	0x369	Standard query (0)	5sdf23d2sdf.ddnss.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 29, 2024 19:02:03.802685976 CET	1.1.1.1	192.168.2.4	0x4423	No error (0)	edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 29, 2024 19:02:03.802685976 CET	1.1.1.1	192.168.2.4	0x4423	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.100	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:03.802685976 CET	1.1.1.1	192.168.2.4	0x4423	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.101	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:03.802685976 CET	1.1.1.1	192.168.2.4	0x4423	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.98	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:03.802685976 CET	1.1.1.1	192.168.2.4	0x4423	No error (0)	default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com		217.20.58.99	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:05.806668997 CET	1.1.1.1	192.168.2.4	0x369	No error (0)	5sdf23d2sdf.ddnss.eu		108.174.194.58	A (IP address)	IN (0x0001)	false
Dec 29, 2024 19:02:05.824600935 CET	1.1.1.1	192.168.2.4	0x369	No error (0)	5sdf23d2sdf.ddnss.eu		108.174.194.58	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:01:56
Start date:	29/12/2024
Path:	C:\Users\user\Desktop\EiO4tqZ3o4.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EiO4tqZ3o4.exe"
Imagebase:	0x16b49060000
File size:	421'888 bytes
MD5 hash:	0731D232D0AF12A5320238914DE6BF4A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1945987917.0000016B4B1E3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1945987917.0000016B4AF22000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:01:59
Start date:	29/12/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\EiO4tqZ3o4.exe" -Force
Imagebase:	0x7ff788560000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	13:01:59
Start date:	29/12/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:01:59
Start date:	29/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x4f0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.4155351831.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.4156348185.0000000002821000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	13:01:59
Start date:	29/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	13:01:59
Start date:	29/12/2024
Path:	C:\Windows\System32\WerFault.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\WerFault.exe -u -p 6836 -s 1512
Imagebase:	0x7ff791870000
File size:	570'736 bytes
MD5 hash:	FD27D9F6D02763BDE32511B5DF7FF7A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:02:02
Start date:	29/12/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff693ab0000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	10.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00007FFD9B800C48 Relevance: 4.5, Strings: 3, Instructions: 703
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

d, xrefs: 00007FFD9B80426F
K_H, xrefs: 00007FFD9B803FDF
K_H, xrefs: 00007FFD9B804363

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID: d$K_H$K_H
API String ID: 0-2040067875
Opcode ID: 6812a97ec275fac7471c01fcbd8553bfd395a87d7fc0a395772e1f72105ef823
Instruction ID: 050ca9a76f28cb620b7edcf120853c9d80995b3fb96889055e5dc86e864e562d
Opcode Fuzzy Hash: 6812a97ec275fac7471c01fcbd8553bfd395a87d7fc0a395772e1f72105ef823
Instruction Fuzzy Hash: 1D228A31B0DA4A4FE768DB6894A19B177E1EF99310B1A01BDD49EC71E7DE24F842C380

Function 00007FFD9B80DEC7 Relevance: 4.1, Strings: 2, Instructions: 1645
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

x6Z, xrefs: 00007FFD9B80EB79
x6Z, xrefs: 00007FFD9B80EC89

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID: x6Z$x6Z
API String ID: 0-3393415879
Opcode ID: 9db67216f56f917bde6ccf4fa9fc9993c3ff03fdd901ea153dda1d042bcd4e6f
Instruction ID: 6d5a5f2561610eee4936d0ee082a75fee4b34c269876bc43e59c23a50d499eea
Opcode Fuzzy Hash: 9db67216f56f917bde6ccf4fa9fc9993c3ff03fdd901ea153dda1d042bcd4e6f
Instruction Fuzzy Hash: 12B25830A0DB4A4FD369DB28C4A14B677E1FF99301B0545BEE4CAC72A6DE34E946C781

Function 00007FFD9B80B47D Relevance: 1.3, Instructions: 1266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dbd1287ac0e288f90dc924ad6f0a079e21f92af00cc0e191777f1490cc04968
Instruction ID: 25e85caf4b06a1f01cf230a91d1e2f9aec5155e7b29231654b7973b03fd8e1b4
Opcode Fuzzy Hash: 8dbd1287ac0e288f90dc924ad6f0a079e21f92af00cc0e191777f1490cc04968
Instruction Fuzzy Hash: 49923830A1DB4A8FD729DF28C4A44E5B7E1FF89344B1145BEE48AC72A6DE34E946C740

Function 00007FFD9B803988 Relevance: 1.2, Instructions: 1250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b69a33528dde24711b742097df2b9f2e9cc75a5b1a6a0b2376c5de911f8ae2de
Instruction ID: 623da05b86e8f8b7a6e13b57d3a5635e3b33f25b15f269dbae00e58a47680490
Opcode Fuzzy Hash: b69a33528dde24711b742097df2b9f2e9cc75a5b1a6a0b2376c5de911f8ae2de
Instruction Fuzzy Hash: D8926A31A0F68E9FE7298B54C4615B477E1EF99310F0644BDD0AE8B5E3DE38AA46C740

Function 00007FFD9B808650 Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 931637800a9d492e1884eed59ba06408507024796ec4ae25948c7368c4206658
Instruction ID: 5d309a372224966b6203b6e942a0113c672e6e70fa642609bf7101dc867a564b
Opcode Fuzzy Hash: 931637800a9d492e1884eed59ba06408507024796ec4ae25948c7368c4206658
Instruction Fuzzy Hash: F852F730B19A0D4FDB68DF6CD465AB977E1EF59340F1501BDE48EC32A2DE24AD428B81

Function 00007FFD9B80AEA9 Relevance: .5, Instructions: 502COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00a32e648805facd8299295f0931311fe0f21005ef0528675261686eb8a56440
Instruction ID: 94b24eab9173a43ec7c51d32d32ccc62c500a6abc17671f77b3c166be8d5df48
Opcode Fuzzy Hash: 00a32e648805facd8299295f0931311fe0f21005ef0528675261686eb8a56440
Instruction Fuzzy Hash: E5F1BE31A1EB8A4FE328CB2884A15B577D2FFD9351B04467ED4DAC72B1DE34A506C780

Function 00007FFD9B813F67 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4180f1b943780274c63f81974e8c70def66e6c4b2c2524ae6ad808c4ab514135
Instruction ID: 4bc18884784538d837b15ca05bce0b84ed89226bb07c2539025cbc5e66c81b16
Opcode Fuzzy Hash: 4180f1b943780274c63f81974e8c70def66e6c4b2c2524ae6ad808c4ab514135
Instruction Fuzzy Hash: 0441AA3270D78D0FD72D9B2898220B57BE5EB86310B0682BFD48BC75E7DC18A9468391

Function 00007FFD9B8D026B Relevance: 4.1, Strings: 2, Instructions: 1612COMMON

Download Yara Rule

Strings

`7Z, xrefs: 00007FFD9B8D1183
A, xrefs: 00007FFD9B8D0786

Memory Dump Source

Source File: 00000000.00000002.1948111034.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID: A$`7Z
API String ID: 0-987360005
Opcode ID: aac170e2d3787961ba78798e5ba90f84db0cb528cd6612dde5935bc658b13f69
Instruction ID: aefd9dfb0f81aea8f11a3e7d6d723b4bf2f09cfb1c0038f4c74ab3ed1fd91073
Opcode Fuzzy Hash: aac170e2d3787961ba78798e5ba90f84db0cb528cd6612dde5935bc658b13f69
Instruction Fuzzy Hash: 70B25871A1E78A4FDB66DB68C8755A87BE0FF99304F0507FFD089CB0A2DA246906C741

Function 00007FFD9B817909 Relevance: 1.7, APIs: 1, Instructions: 186
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FFD9B817A41

Memory Dump Source

Source File: 00000000.00000002.1947927895.00007FFD9B800000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B800000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b800000_EiO4tqZ3o4.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: af190f18130ce761afa125e03d0a4747270bf2b2cf21e8d5a7a3e95bfb28cd53
Instruction ID: cc4c66dd0dad264a96c675e9b89bcef4ca5c9187e2196d6581ceaa08fdaca557
Opcode Fuzzy Hash: af190f18130ce761afa125e03d0a4747270bf2b2cf21e8d5a7a3e95bfb28cd53
Instruction Fuzzy Hash: DD513D7660EA880FE718DFAC68155B87FB2EFD9320F0442BFE048C31A7D9656D098791

Function 00007FFD9B8D11DC Relevance: 1.7, Strings: 1, Instructions: 422
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Uc, xrefs: 00007FFD9B8D1549

Memory Dump Source

Source File: 00000000.00000002.1948111034.00007FFD9B8D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B8D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ffd9b8d0000_EiO4tqZ3o4.jbxd

Similarity

API ID:
String ID: Uc
API String ID: 0-2128555316
Opcode ID: 1f662146904be30ca35d0c2206ad75402b933d14ee04537dc5d4c66dadd22657
Instruction ID: 1df153bbef5e4c180000224ee866e8695ae5ebf3d72df0a16d292606d13a7cc5
Opcode Fuzzy Hash: 1f662146904be30ca35d0c2206ad75402b933d14ee04537dc5d4c66dadd22657
Instruction Fuzzy Hash: FBC16E71A0E7CA4FD756DB6898655A47FE1FF9A310B0A03FBD48CCB0A3DA186906C341

Analysis Process: RegSvcs.exePID: 5936, Parent PID: 6836COMMON

Executed Functions

Function 00E67038 Relevance: 1.5, Strings: 1, Instructions: 281COMMON

Download Yara Rule

Strings

\V=m, xrefs: 00E672EF

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: \V=m
API String ID: 0-2437245023
Opcode ID: 8ca6ba406e02b7ca2a495aa3fe32a167beb416a8e2030da106744023a6fe50b7
Instruction ID: 07beb86e6efc9b2e87fc32d3ae2aa82bcc35e8445292adcbc003e1f94e59e0b5
Opcode Fuzzy Hash: 8ca6ba406e02b7ca2a495aa3fe32a167beb416a8e2030da106744023a6fe50b7
Instruction Fuzzy Hash: C2B16C70E44209CFDB10CFA8D98579EBBF2AF88358F149129E854B73A4EB349845CF81

Function 00E67908 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b962120325cf1a313322d9f429a1ac56703352d4c1af20a5d82beb3c8dc3d5d0
Instruction ID: 1c8ba2ccdd6d40855bcb2daebbdd84be8343a39f4e52fd05ffc808b52677ff04
Opcode Fuzzy Hash: b962120325cf1a313322d9f429a1ac56703352d4c1af20a5d82beb3c8dc3d5d0
Instruction Fuzzy Hash: EEB18F70E442098FDB10CFA8E9817EDBBF2AF88358F249529D455F7254EB349985CB81

Function 00E6209D Relevance: 5.4, Strings: 4, Instructions: 432COMMON

Download Yara Rule

Strings

aiq, xrefs: 00E6269F
,, xrefs: 00E62230
xmq, xrefs: 00E62736
aiq, xrefs: 00E626FC

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: aiq$ aiq$,$xmq
API String ID: 0-198554163
Opcode ID: 2e509837e996ace60b1b2ed7a80c4c8c213e50e009a4834704b7bd68b8544473
Instruction ID: 148206b313094a296e2a1ac7b9884c8931d627a074a3c16a1275708b378c1743
Opcode Fuzzy Hash: 2e509837e996ace60b1b2ed7a80c4c8c213e50e009a4834704b7bd68b8544473
Instruction Fuzzy Hash: ED02AC307406018FDB15EF28E554B6EB7A2BB84314F24C66DE515AB3A9CFB4EC85CB90

Function 00E620E8 Relevance: 5.3, Strings: 4, Instructions: 332COMMON

Download Yara Rule

Strings

aiq, xrefs: 00E6269F
,, xrefs: 00E62230
xmq, xrefs: 00E62736
aiq, xrefs: 00E626FC

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: aiq$ aiq$,$xmq
API String ID: 0-198554163
Opcode ID: 074f6c57bf4ad191069bec6f514742e925520825e7a2c9a852165ac031b064e5
Instruction ID: b8ba4f34d4ec94380cb9850059ace142e9f749d1d2fdd96f3089e84554e8cc7d
Opcode Fuzzy Hash: 074f6c57bf4ad191069bec6f514742e925520825e7a2c9a852165ac031b064e5
Instruction Fuzzy Hash: F5D1BC307402009FDB15AF28E954B6AB7A2BF84314F24C56DE505AF3A9DBB4EC85CB90

Function 00E62322 Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

aiq, xrefs: 00E6269F
xmq, xrefs: 00E62736
aiq, xrefs: 00E626FC

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: aiq$ aiq$xmq
API String ID: 0-2145220678
Opcode ID: 3da150731071e9d16d584af28bbeb25c7542e92d495fb3bd91139fcdc858fb87
Instruction ID: fbf02a5be1a47ac0da61b99b82cfb33e94cb7d0aa1645e439376f92d8dea7f1e
Opcode Fuzzy Hash: 3da150731071e9d16d584af28bbeb25c7542e92d495fb3bd91139fcdc858fb87
Instruction Fuzzy Hash: CA61AC347803008FD711EF28E954B6E7BA2FB84314F24856DE505AF3A9DBB4EC458BA1

Function 00E60F80 Relevance: 2.7, Strings: 2, Instructions: 160COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E60FB5
(mq, xrefs: 00E6125A

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: (mq$Teiq
API String ID: 0-3423551303
Opcode ID: d99da78e8ae6ab9383fb8ccead11e1cbfea0016919349474521e754064372f88
Instruction ID: 9623b63cbaf9c1a6f93f9b4bab6ab9aa7597d061f214a0dca02186128e890c90
Opcode Fuzzy Hash: d99da78e8ae6ab9383fb8ccead11e1cbfea0016919349474521e754064372f88
Instruction Fuzzy Hash: 7C516930B005148FCB44DF69D458B5EBBF6FF88700F2581A9E906EB3A6CA71DD058B91

Function 00E60DE8 Relevance: 2.6, Strings: 2, Instructions: 129COMMON

Download Yara Rule

Strings

Hmq, xrefs: 00E60F08
dLoq, xrefs: 00E60E23

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hmq$dLoq
API String ID: 0-221678391
Opcode ID: 45c6c0bc686730c17fde8cc5df73e1e5aa6df60add58dbed831ee7f1e549353c
Instruction ID: 1234082e9a4b248559e3a69aaa09751fc84432c12f8ad58cdecb2d259eb41844
Opcode Fuzzy Hash: 45c6c0bc686730c17fde8cc5df73e1e5aa6df60add58dbed831ee7f1e549353c
Instruction Fuzzy Hash: 7041AF357002148FCB159F69D458AAEBBF6FF89300F1485AAE106EB3A5CB759C05CBA1

Function 00E6A6B0 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$iq, xrefs: 00E6A6E5
$iq, xrefs: 00E6A6EF

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: $iq$$iq
API String ID: 0-3479330454
Opcode ID: d6a0c087fb6a31636a666e3de50c556348d1dd7f04147262ae6054bb7df49443
Instruction ID: 0ff8c90d3f4c147dc2be07e4eebb2f11961ffa2a802be67cdb38acb92913574e
Opcode Fuzzy Hash: d6a0c087fb6a31636a666e3de50c556348d1dd7f04147262ae6054bb7df49443
Instruction Fuzzy Hash: 35412570A54405CFC7085F5AA50843EBB77FB84755738A96AE006AB3A4DB31DC138FD6

Function 00E69D6D Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

LRiq, xrefs: 00E6A035

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRiq
API String ID: 0-209933059
Opcode ID: 85742d407a79919e465a38cf9a748bdcd4299ebde2321e5e2fd841cf1fec6dc2
Instruction ID: 952d434f0df4ef1e63b0319d0b118fa23160d027e58fc1afb88109978c83888e
Opcode Fuzzy Hash: 85742d407a79919e465a38cf9a748bdcd4299ebde2321e5e2fd841cf1fec6dc2
Instruction Fuzzy Hash: 83012630F816019FCB45AB7CA8057AE3BE0EF4A390F1450BDE105F72A7EA708D058B92

Function 00E6B720 Relevance: 1.6, Instructions: 1574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb209161f84f3897e34991fecbd197b6b41642367277583db3c91af0e7971ad
Instruction ID: b4235b0da655c6c8df3eddcdb7399e74a897087fb39b8d8014d4c9b00ed2cdf3
Opcode Fuzzy Hash: cdb209161f84f3897e34991fecbd197b6b41642367277583db3c91af0e7971ad
Instruction Fuzzy Hash: 56D22B307403008FCB29EF74E5A566D77E3ABC9344B6094ADE40AEB3A5EF359C429B51

Function 00E6702C Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

\V=m, xrefs: 00E672EF

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: \V=m
API String ID: 0-2437245023
Opcode ID: 3a2bcbd88c42fd066d5cbc27eb86d78ccea529259f7cdb457c7ce85b86b968d5
Instruction ID: be90134c8375cf064dad8bd2cb8d71198c39972fc6c59561a5519d469f10506a
Opcode Fuzzy Hash: 3a2bcbd88c42fd066d5cbc27eb86d78ccea529259f7cdb457c7ce85b86b968d5
Instruction Fuzzy Hash: ECB15C70E48209CFDB10CFA8D9857DDBBF2AF49358F149129E894B73A4EB349845CB91

Function 00E6B2B8 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xmq, xrefs: 00E6B5FE

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: xmq
API String ID: 0-2213616078
Opcode ID: 078926ba59106716316e6ce0e3f79023e0699ae2c91f3079266968195ac737c3
Instruction ID: fa307ab27948e1dea602d3010e2ca9a3cc79d9e843cb50ce73f0fdc1a4988e73
Opcode Fuzzy Hash: 078926ba59106716316e6ce0e3f79023e0699ae2c91f3079266968195ac737c3
Instruction Fuzzy Hash: D1918A74682300CFD724DF28F9147553BAAF785358F20926BD419EF3A1EBB49885CBA1

Function 00E6AC60 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6ACFE

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 1fe89d682ba8df30a50b44b1f23b3a4e5a9bec3246ff0f183db7c91b54d28be3
Instruction ID: 83708923722ef7085a42656bb1f6a9e1ff154d63da7c2be4818e0e5c427bd92f
Opcode Fuzzy Hash: 1fe89d682ba8df30a50b44b1f23b3a4e5a9bec3246ff0f183db7c91b54d28be3
Instruction Fuzzy Hash: CE519E34A80601DFD724DF29D958B69BBB1AF48714F248169E501AB3F1CBB5EC41CF50

Function 00E645B8 Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

|, xrefs: 00E646C8

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: a05cc12182cc4a764f4ab19448e8bdd4b11e6d9c68113774317fc16a3f117132
Instruction ID: 038e15cbc7a66da1a360a5d8d6dec610ca6595baedc7139ff9092a86624693de
Opcode Fuzzy Hash: a05cc12182cc4a764f4ab19448e8bdd4b11e6d9c68113774317fc16a3f117132
Instruction Fuzzy Hash: 9A41F5727442119FCB15DB38E944A5EB7E6EF89350F0084AEE506DB7A5DB71EC01CBA0

Function 00E6A699 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

$iq, xrefs: 00E6A6E5

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: $iq
API String ID: 0-2267446798
Opcode ID: 0a4fc4d9ed86a7cc8cb5ec1f832e461554a57a14f302e116c14c182eae544294
Instruction ID: 630c203cf2e18f6c8e013b72b63ad01bcd7070d3ebb22069bfd94a5866efee18
Opcode Fuzzy Hash: 0a4fc4d9ed86a7cc8cb5ec1f832e461554a57a14f302e116c14c182eae544294
Instruction Fuzzy Hash: 78416770A44541CFC7095F5AA50803ABB73BF8035573DA5AAE006AB2A1CB319C13CFD6

Function 00E61401 Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

LRiq, xrefs: 00E61453

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRiq
API String ID: 0-209933059
Opcode ID: a042cfa4ee44c2c66d7ee7eb5a4f80394d75e0b2cd9be05f790f55977e042e60
Instruction ID: 133158d3de6429f3c81c8ef35e79ead19da2d8bde0cf6eb9bf575ad7567bef26
Opcode Fuzzy Hash: a042cfa4ee44c2c66d7ee7eb5a4f80394d75e0b2cd9be05f790f55977e042e60
Instruction Fuzzy Hash: CE31B170F002168FCB45AB79D595A6E7BF6FFC9310B1480ADE505EB3A5DE309D0687A0

Function 00E60DD9 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

dLoq, xrefs: 00E60E23

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: dLoq
API String ID: 0-703069486
Opcode ID: b332283cd7ddaa97643bc42d1c9263fe7f624bc5d96bbfa651740aa68b8f3aed
Instruction ID: 2d037ee84cb56f173d074a8a40afc4a517d4455b04dd56f7aa15e80bddcdede6
Opcode Fuzzy Hash: b332283cd7ddaa97643bc42d1c9263fe7f624bc5d96bbfa651740aa68b8f3aed
Instruction Fuzzy Hash: 1831BE71A402199FCB14DF68D558B9EBBF1FF4C304F1494A9E401AB3A1CB759D48CBA1

Function 00E6AB48 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6AB73

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 8ca0ab387f8bf897a7c274aacd2085f6ab5e630a3b3a00769e39ca3cdb48d454
Instruction ID: cdc3d16ab44d8e6093e9294b27b28112b959b499f138c330b3ebbde7a136ce7e
Opcode Fuzzy Hash: 8ca0ab387f8bf897a7c274aacd2085f6ab5e630a3b3a00769e39ca3cdb48d454
Instruction Fuzzy Hash: 79314134B501009FDB149F68D898F69BBF6EF88754F1990A9E506EB3B2CA719C01CB91

Function 00E6A5BB Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6A5E2

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 08598fc22251acc261db2895e1951894ef0c31a873a09a187d8715588a997a14
Instruction ID: 7da75725872298e83d6f4080a816becd14cb4d890e00bf1f6e1bb069f6545ece
Opcode Fuzzy Hash: 08598fc22251acc261db2895e1951894ef0c31a873a09a187d8715588a997a14
Instruction Fuzzy Hash: 9921B431B542508FDB05DB28D858BAD7BF1AF49704F2D40AAE502EB3A2CB749C05CB62

Function 00E6A5C8 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6A5E2

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 70eecadd3a458367852673b824265282bea4a0c1ea849f946b035104e7ce1bd8
Instruction ID: 7b402963f96390eb8e36ce3bdd6895654796b314c88c2639d7124835db2f4bab
Opcode Fuzzy Hash: 70eecadd3a458367852673b824265282bea4a0c1ea849f946b035104e7ce1bd8
Instruction Fuzzy Hash: DD218130B501108FCB049B28D858B6E7BF6AF88714F294069E502FB3A1CF71DC008BA2

Function 00E6466B Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

|, xrefs: 00E646C8

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: cb78fc702aa5236f7361028ada5d81ca82e40e3addb93ee3ae73d17a8917c13e
Instruction ID: 56a6d0bdc64213934b4d3ab1163f14729cedce817ac65f56134420c9fa11b2f3
Opcode Fuzzy Hash: cb78fc702aa5236f7361028ada5d81ca82e40e3addb93ee3ae73d17a8917c13e
Instruction Fuzzy Hash: 7A117C75B402259FCB44DF78D809B6E7BF5AB49740F10846AE50AEB3A4DB35A9009B80

Function 00E6D017 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6D045

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 38e1483de273290a56a0ae686d41871695d11691d710a2e600460a633a97b49f
Instruction ID: 858a0a10117639594a4b98a51aee506c0230de453358f776d45f262259094303
Opcode Fuzzy Hash: 38e1483de273290a56a0ae686d41871695d11691d710a2e600460a633a97b49f
Instruction Fuzzy Hash: DC11A731B442009FCB149B68D859BADBBF2AF8C740F240069E402E73A1CBB15C02CB91

Function 00E6AB58 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Teiq, xrefs: 00E6AB73

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Teiq
API String ID: 0-3087720294
Opcode ID: 78258791b7f6b32337d72ca4b99d6ec9674e5c6cfc9dba7dcfa21e4efe5f3f5a
Instruction ID: fc785a650425720d0610ab7dea9b9816f9bd3e032d96a080ccc2789e75daea88
Opcode Fuzzy Hash: 78258791b7f6b32337d72ca4b99d6ec9674e5c6cfc9dba7dcfa21e4efe5f3f5a
Instruction Fuzzy Hash: 90118230B40204CFDB149F29D498B6DBBF6AF88754F145069E902EB3A2CA719C40CB90

Function 00E60F07 Relevance: 1.3, Strings: 1, Instructions: 45COMMON

Download Yara Rule

Strings

Hmq, xrefs: 00E60F08

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: Hmq
API String ID: 0-2274041443
Opcode ID: f6d165ea842bcb99adbda82372b01ac62a4a88766c46aa3b5b1b75365c0a6a34
Instruction ID: 155daff01a8ac79b4d25f160779ae8b26441dd2b85fddd71a9155a8ca0f4c1cc
Opcode Fuzzy Hash: f6d165ea842bcb99adbda82372b01ac62a4a88766c46aa3b5b1b75365c0a6a34
Instruction Fuzzy Hash: C1F0A4253096814FC7456B39A86452A3FE6EFCE25031545EAD249CB3AACE388C06C7A5

Function 00E6A020 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LRiq, xrefs: 00E6A035

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID: LRiq
API String ID: 0-209933059
Opcode ID: 09e1b2ef46005cef75002a5007e5916d27ee94c94d9c553e025c9fd6deccba30
Instruction ID: ba74b5074f8464c5c2d9d7ee54088625df08a07c1c60cbe8743bc9e2c54129d9
Opcode Fuzzy Hash: 09e1b2ef46005cef75002a5007e5916d27ee94c94d9c553e025c9fd6deccba30
Instruction Fuzzy Hash: 98018471F401159FCB44EB78A501AAE73B4FB48740F1040A9E509E7251EA709E018BD1

Function 00E63320 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c334afca6fb14e186911d5b28018c5b7869ae5a430f29d60f8f11b4d00676c0
Instruction ID: 3fd8a2060be95597ffb9415a1fd2190491859db0cb44350e7c0bbcaaad294749
Opcode Fuzzy Hash: 4c334afca6fb14e186911d5b28018c5b7869ae5a430f29d60f8f11b4d00676c0
Instruction Fuzzy Hash: E0925074305741CFCB65EF34E9586597BB2AB94304B20C9EAC806C73A9EB35D946CFA0

Function 00E63310 Relevance: .7, Instructions: 708COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c3a4818a053cee7ad7e7332e8823ebf604ca01a62793efc9809236f6ef2c002
Instruction ID: 46273ffd32d8667cd84cd7e60969708e3ec9e6d0905dbf98030aba11f0d6f0be
Opcode Fuzzy Hash: 6c3a4818a053cee7ad7e7332e8823ebf604ca01a62793efc9809236f6ef2c002
Instruction Fuzzy Hash: CD62A074305741CFCB65EF34E9546597BA2AF94344B20C9AAC806C73A9EB35DE42CFA0

Function 00E64740 Relevance: .4, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e47311313d64589c7bebd93070e5c97fe34bd9be23f2bfad146b1df58795bfe
Instruction ID: 7d1c508159a2f7b4fdff6a9be2540a3f4995e86a133353094e0b0b0341ee8a06
Opcode Fuzzy Hash: 1e47311313d64589c7bebd93070e5c97fe34bd9be23f2bfad146b1df58795bfe
Instruction Fuzzy Hash: 94D1469288E7E05FD71B6B7C69712963F709E93358B1A10E7C0C0DB1A3E5598C4EC7A2

Function 00E678FF Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbff2b7277a6b57a500e2368b0aed3aa013442823c80e56bcf8acdd5b35fb72f
Instruction ID: 051f32a0068752697f1b4ad1d6568fefbd8b4c469356090704c087c443a8f72f
Opcode Fuzzy Hash: fbff2b7277a6b57a500e2368b0aed3aa013442823c80e56bcf8acdd5b35fb72f
Instruction Fuzzy Hash: 75A18E70E44209CFDB10CFA8E9817DDBBF1AF48398F249529D854F7254EB349985CB81

Function 00E6A86B Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b1264039129f5bf4db70eb085f6f6d538f7b7227f11212134e0121324eb907
Instruction ID: 9353045a1bcbdba6cd231ca113359b253a5931331afdbc575caad38f8261cd68
Opcode Fuzzy Hash: 02b1264039129f5bf4db70eb085f6f6d538f7b7227f11212134e0121324eb907
Instruction Fuzzy Hash: 0B515D74A00155CFCB04DF68D5849AEFBB2FF85314B2A84A5E555BB362C730ED41CBA1

Function 00E60B49 Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b307f7535dff9dceb52b4bec8bef49dcc9e4c464325f0d4ebb40d9aed7e05d44
Instruction ID: cb6669010191c3f5eaa95241a2a8a02100e9fbe401fede3805aec4aace4db272
Opcode Fuzzy Hash: b307f7535dff9dceb52b4bec8bef49dcc9e4c464325f0d4ebb40d9aed7e05d44
Instruction Fuzzy Hash: 0A51FC78202A01EFC726EF24FA649497773FF9430571085A9D0098B32DDBB9988ACF91

Function 00E628F7 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4229897bfc6a5174d4315dcf9c5fffbfb255b3fdee95d9c163724300d6b0b23
Instruction ID: f55235ab37661e146376aa875ca69767a936d24be0e50503e1ae033d9ab94db5
Opcode Fuzzy Hash: e4229897bfc6a5174d4315dcf9c5fffbfb255b3fdee95d9c163724300d6b0b23
Instruction Fuzzy Hash: C4416F75B20228DFCB049BA9ED14B9E76BABBCC310F148429E805B3368CA756D458B94

Function 00E61298 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1d8e4aaaf3649eaea12e3597b2565804c019e5d99d80bfc6ccb6edfeddcf9b3
Instruction ID: 1acb89b90a71bb9507be9976f0c4ed088bb4330c3dedd73e89b25be2758d1df9
Opcode Fuzzy Hash: a1d8e4aaaf3649eaea12e3597b2565804c019e5d99d80bfc6ccb6edfeddcf9b3
Instruction Fuzzy Hash: BB41E270E40209AFCB04DFBD95546AEBBFAFF88310F20C5A9D409E3355DA349D468BA0

Function 00E609A8 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec169c0d1eb49f1620900b4c3badeaa5277673866d5d1a5e96175e297952f88b
Instruction ID: bf417582c76a069e00848c4586ea0139620a1306f46d8faf248f0b2fda1a3ed7
Opcode Fuzzy Hash: ec169c0d1eb49f1620900b4c3badeaa5277673866d5d1a5e96175e297952f88b
Instruction Fuzzy Hash: 93419F302817168FDB25ABB9B95463F3BA6BF843C4714A92DC446E7394EF24DD408BA1

Function 00E6554C Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7585fb6f97e7bac961b3c4323dc17477c323e9b4172bd4250254b419c9c2d66
Instruction ID: bb388423156d5c658df0822356b19f307d9517463b10c2f48b537393464705a3
Opcode Fuzzy Hash: e7585fb6f97e7bac961b3c4323dc17477c323e9b4172bd4250254b419c9c2d66
Instruction Fuzzy Hash: 524145B1900749DFCB10DFA8D984ADEBFB5FF48314F108129E41AAB254DB35A945CB94

Function 00E609B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c681c9494c593c6a5c25e0de0f81b9debfb95e47f24b682c05257b709acacd2
Instruction ID: 9587d941929c7382dcfeedcbac9a4fc452a442e27441d883276d26e7354e8038
Opcode Fuzzy Hash: 2c681c9494c593c6a5c25e0de0f81b9debfb95e47f24b682c05257b709acacd2
Instruction Fuzzy Hash: F83198303517528FDB25ABB9B96463F77A6BF843C4714A52DC406E3398EF24CD409B61

Function 00E65558 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a52f0119e56c20e4d7ee3fbb7dab6176972b52c826c5c9811795ab93a806242d
Instruction ID: 2356a5e43fd62c2b87dfc622de78dbbf037eb3356dea1fb3627a97c20ac0b063
Opcode Fuzzy Hash: a52f0119e56c20e4d7ee3fbb7dab6176972b52c826c5c9811795ab93a806242d
Instruction Fuzzy Hash: 9941EEB1D003499FCB10DFA9D984ADEBFB5AF48314F608029E819AB254DB75A945CB90

Function 00DCD4A0 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156001493.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dcd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72b90ad4df602686432b823028cd1306d204849f798ceb37b32e3887c5b48f57
Instruction ID: e3aa23adfce2fb349a502a08fdf5a7ac7beca8ae191e87c9976dd762dac0005f
Opcode Fuzzy Hash: 72b90ad4df602686432b823028cd1306d204849f798ceb37b32e3887c5b48f57
Instruction Fuzzy Hash: 4721E071504201DFDB059F14D9C0F26BF66EB98318F24857DE9090B256C336D856CAB2

Function 00E6A33B Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2218abfdd73c91c76842835ac439c40e1e40451aa6eea7a6f394a2d2376b13b
Instruction ID: 5d0d1e86fdf941cfd15c61994fe18b9da26629722366c02c7cfa48dfcade8de9
Opcode Fuzzy Hash: c2218abfdd73c91c76842835ac439c40e1e40451aa6eea7a6f394a2d2376b13b
Instruction Fuzzy Hash: D9218E30A406058FCB14EB74D9586AE7BF6AF8A344F149038D406BB3A5DF759C45CBA1

Function 00E6A4C8 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 839c8c2ad53d183cd4530dac393c146e5f314e9a71a68de711fbc7e8fa051e36
Instruction ID: fd043af04f723fdb4a11c5488951d165deca1da6ecc51f5854687656fb915db1
Opcode Fuzzy Hash: 839c8c2ad53d183cd4530dac393c146e5f314e9a71a68de711fbc7e8fa051e36
Instruction Fuzzy Hash: D5219070F006069FCB50CF79A6406EEBBF1AB88380F24916AC816F3255E73099418FA1

Function 00E6E04B Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92dd3b2c2f793c393b7e0219ecafaa9cb71a2d7bf3485ff1f76b100a8df2b46a
Instruction ID: f9e65cfbc7953a8dabe3cfdbd3c14bb811ed32f49d33ce6e435cc45bbe78afc8
Opcode Fuzzy Hash: 92dd3b2c2f793c393b7e0219ecafaa9cb71a2d7bf3485ff1f76b100a8df2b46a
Instruction Fuzzy Hash: A1218070A002059FCB45EF78F451A5EBBE2EF85354B1086B9D0059B396EB719A0A8BD1

Function 00E6B714 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2ed559de438fd05a2c9ef382b5a4a2759980fab3af08ee33477bbe7aef9359f
Instruction ID: b960772513e9e1ce89c315230f9451de32ffe65009b4d0c8e570102d6ff3c2c9
Opcode Fuzzy Hash: e2ed559de438fd05a2c9ef382b5a4a2759980fab3af08ee33477bbe7aef9359f
Instruction Fuzzy Hash: 44210A316412158FCB389B38F89466EB7E2EBC8354B5048BED10AE3391DF319C85DB51

Function 00E6B71B Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4150ecb0cdcbdfe4c6c5ba936c924f24c68abaa5f55fdc094b55c7497dd31d72
Instruction ID: 02c162f43c748fe7f7e92e8811063a74fac21e5b24e77aac00386f241172bebe
Opcode Fuzzy Hash: 4150ecb0cdcbdfe4c6c5ba936c924f24c68abaa5f55fdc094b55c7497dd31d72
Instruction Fuzzy Hash: 3C11D6316412158FCB38AB28F89466EB7E6EBC4354B5048BED10AE3395EF31DC859B91

Function 00E6E058 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63f33d85ef58d709015b37d89b87d00d1e13163d371e54115608702af23bb959
Instruction ID: 740d2c3f5062c038aef858d93c2ba955af02f05b5f6136a8015f7fb60c46de16
Opcode Fuzzy Hash: 63f33d85ef58d709015b37d89b87d00d1e13163d371e54115608702af23bb959
Instruction Fuzzy Hash: 7D21AE70A002059FCB45FF78F411A5EBBE1EF81354B2086B9D0059B39AEB719A0ACBD1

Function 00E614F9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d59b9155c15a3df48a61bce1a3589cf09b304d632bea16d32f73a13fc57f109
Instruction ID: 3feb7f45f1ace5b8a945d171840c1ace73df85e18161ca67160df52097eb8736
Opcode Fuzzy Hash: 8d59b9155c15a3df48a61bce1a3589cf09b304d632bea16d32f73a13fc57f109
Instruction Fuzzy Hash: D211E574B01201DFCB10EB78E9445AA7BF6EF8834075444B9D007DB364EA38DC02CB90

Function 00DCD49B Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156001493.0000000000DCD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DCD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_dcd000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction ID: f971afe59173aec176def84970c1e6bd215d87507e47c65b831e6bd71a96955d
Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
Instruction Fuzzy Hash: 6E11D376504241CFDB16CF14D9C4B16BF72FB94324F28C5ADD9090B256C336D85ACBA2

Function 00E627A8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 152b9aaee70dfa1223468481adc526fce733080bdd933a847483e35e516e7b42
Instruction ID: 7a2d08ef73af96c4bf07925a422d42eacf2fc475d8f0ec82a5379523048b4d4a
Opcode Fuzzy Hash: 152b9aaee70dfa1223468481adc526fce733080bdd933a847483e35e516e7b42
Instruction Fuzzy Hash: 6B115E757056028FD319DF69FA50615FBE6FFD6314309C2AAD508DB35ADA70E801C7A0

Function 00E61508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e25b109086d922440da204caa16f3fcbf4132782d57325f6d94ddb91b9cbf2a
Instruction ID: 383594138eeebae2452ffc61239eaf4d745938018fa795e03f1bc252d2f1bac3
Opcode Fuzzy Hash: 6e25b109086d922440da204caa16f3fcbf4132782d57325f6d94ddb91b9cbf2a
Instruction Fuzzy Hash: 0211A170B002059FCB55EBB9E90466A7BE6AFC834071448B9D40BDB368EA35DC41CB90

Function 00E64730 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e29e77d15f6f3c38d225b35c57970f40875bba62d9f025208733507c11ca974
Instruction ID: f4867eaad4ada2ae1638b957daa4226e166f0c017e42e4bed2d09db38a0a20b9
Opcode Fuzzy Hash: 2e29e77d15f6f3c38d225b35c57970f40875bba62d9f025208733507c11ca974
Instruction Fuzzy Hash: C401F2353042004BCB29BB39A960A2E77E79FCA398704543EF00ADB395CF35DC0587A1

Function 00E6A593 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4749b9b9825a9ea9d713f5563381b5afe578785f4e67ce44fe1468ea840f0d1e
Instruction ID: f182096f0ced15acea8d0d6fa9a2be21d1b5d93ad7156679687b37c0f36eb235
Opcode Fuzzy Hash: 4749b9b9825a9ea9d713f5563381b5afe578785f4e67ce44fe1468ea840f0d1e
Instruction Fuzzy Hash: 52117C35E405059FDB10CF69E981799B7B1BB843A4F2890A9C802BB365EB31D909CFA5

Function 00E6A0A8 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12159dfcf89e5ed950298abc05f845ae63e0b7620417e1db985e428f520f866
Instruction ID: 005c1da8cced5d2807aadc7e64b261d531cf40e0bb9e510c4173283d4a12ab09
Opcode Fuzzy Hash: b12159dfcf89e5ed950298abc05f845ae63e0b7620417e1db985e428f520f866
Instruction Fuzzy Hash: 521133B58012488FCB20CF99D585BDEBFF4EB49324F248469C468B7350C375A940CFA2

Function 00E6A0B0 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4897c5ba876177d23ef99afe4f73b870e945baf4e64293b44b4eea5de317e7b7
Instruction ID: a504c43b2aeec9bd77e9c456e70cb5032d18600c65f6f7f29585abf86c0a1c7a
Opcode Fuzzy Hash: 4897c5ba876177d23ef99afe4f73b870e945baf4e64293b44b4eea5de317e7b7
Instruction Fuzzy Hash: D1111EB58002488FCB20DF9AD484BDEBFF4EB49324F208469D458B7350C378A984CFA5

Function 00E61C60 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61bb8df27d82b15cd1ab1af2a12ead4021c0e2c2c3814b171378e7a57e59a5cf
Instruction ID: 451940c20f05caa92e2e606c7428a4508ef8875d283658487fab8b7aa4eec6c5
Opcode Fuzzy Hash: 61bb8df27d82b15cd1ab1af2a12ead4021c0e2c2c3814b171378e7a57e59a5cf
Instruction Fuzzy Hash: 8D01A43494170ACFC705FBB8FA5965DBB75EF81304B008666C446A739CEB745504CBA5

Function 00E61C4F Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 747505446bba8e2a47f77f641a54ac5e0d9cde61b3bc0727510aa64f027f74a3
Instruction ID: 3ea0f5afc2b172afb037149cff08d1388e4bfd5a186f50d512b1770623060b79
Opcode Fuzzy Hash: 747505446bba8e2a47f77f641a54ac5e0d9cde61b3bc0727510aa64f027f74a3
Instruction Fuzzy Hash: EFF02830C45745CFD302EBB8E95566CBB70EF82344F1447AAC446B7399EB344508C756

Function 00E6ADFE Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ef5f6fe794885a0f76dbb7ec3981fc79c4511a623e4c5fb5d9ceca448e0e45d
Instruction ID: 6da5ad7717d5dcfb2cd284e2b97e00277d6f227494778c0bc3c6e0a379ce1956
Opcode Fuzzy Hash: 6ef5f6fe794885a0f76dbb7ec3981fc79c4511a623e4c5fb5d9ceca448e0e45d
Instruction Fuzzy Hash: DFF0A775EC42458FD7109B10E4657B87F70AF12394F1D20A6E411F76A3C6258D45DF23

Function 00E69BC8 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361788924e72f67cb17ea28e1578101fd2ec6b912fd36e6c7293dde804dbbbaa
Instruction ID: f41a554890efeedfe3ff77243afff327b3cf7d9510e9b183755937b0aecd4951
Opcode Fuzzy Hash: 361788924e72f67cb17ea28e1578101fd2ec6b912fd36e6c7293dde804dbbbaa
Instruction Fuzzy Hash: FCE0D822B446946FD70597B9A40995D3FE9EF8B21475A80EEE044CB2A3DE28DC0893A5

Function 00E60F48 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69e96e83829ea480bba2c6daf60de1bf0e517f4b64e7a652dd254eabb8ddd4d5
Instruction ID: ee2a9ca15a1ab6db4346207578f41354d9a14852f5817a24659abccb517e6a0d
Opcode Fuzzy Hash: 69e96e83829ea480bba2c6daf60de1bf0e517f4b64e7a652dd254eabb8ddd4d5
Instruction Fuzzy Hash: C8E08C323012005F8744977EA88485AB7EAEFC8120314047AE10ACB325CE64DC014690

Function 00E6B660 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 046a099aa4a7531c4eb53b57c5219d10a818a2de6b5d123dcf7282e4d8fd88de
Instruction ID: 1c612998a9f7e98ef39654c07a26e0a898fcb41d7fc66a612a46fb6144f4db74
Opcode Fuzzy Hash: 046a099aa4a7531c4eb53b57c5219d10a818a2de6b5d123dcf7282e4d8fd88de
Instruction Fuzzy Hash: 0AF0E575906285DFCF01CFB8EA5198DBF75EB0A30470285EBD448DB292D7705A09DB51

Function 00E62EBF Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: adcdc2a496a309459c30fbb127e4d1c781e63a261dc7a39da984ae9cd2255c66
Instruction ID: 1d0c732cf689586923911b421a54585def4257036ea83c3fd62eb6ce665d52f0
Opcode Fuzzy Hash: adcdc2a496a309459c30fbb127e4d1c781e63a261dc7a39da984ae9cd2255c66
Instruction Fuzzy Hash: 92E07D300C8FC00FE713AB98FD123603F689B01304F4861FA85044B2BF9EA6AC4843B9

Function 00E6DFD3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 137269de7309ea3255bb76d341c73798993b18b055d4f150ff678168c60855b0
Instruction ID: 1ff7abd4137dc864ca03206303c20cca45cc2d2898caaf350b2c4666a591dbcb
Opcode Fuzzy Hash: 137269de7309ea3255bb76d341c73798993b18b055d4f150ff678168c60855b0
Instruction Fuzzy Hash: C5D05E37B4D48487DB348679AC52B99B364FF61398B9858AAD806EB752E2628C0B8510

Function 00E6B670 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4020c81bbfad631b3cdf72b16a8abb7036845d25af7591198155b6eb7979aed6
Instruction ID: 4c964486d372eb4a12d5c30701e5eb016081b47925e0b44b9fd5c2104d38fe10
Opcode Fuzzy Hash: 4020c81bbfad631b3cdf72b16a8abb7036845d25af7591198155b6eb7979aed6
Instruction Fuzzy Hash: DFD01270911108EFCF40DFA8F95195DBBB9EB44300B1085A9D408D7340DB719F049B51

Function 00E62E99 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c48a5c2489477f2bc370d1586672b8db6c8b04f458557569874e9c4053d5564
Instruction ID: bf8f9a219c6fa71370b55579725eca9185b18a628cfd65ae95ae680ac3b1b6fd
Opcode Fuzzy Hash: 2c48a5c2489477f2bc370d1586672b8db6c8b04f458557569874e9c4053d5564
Instruction Fuzzy Hash: B9D0C7792966448FC301DB55E9D5C817F78FF5B60134700D5E4408B673C664E809D771

Function 00E62ED0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a03fef35ddd87478ce84232a45a62f559526d75e995daf26914f009c03e5979
Instruction ID: 697b6a057b2e315a0592973acf5196f5e03d1b2823dd31579bf2ceb52d26d7c7
Opcode Fuzzy Hash: 2a03fef35ddd87478ce84232a45a62f559526d75e995daf26914f009c03e5979
Instruction Fuzzy Hash: 02D012301547494FDA12F768FB117A67B999B90700F84427981094B3BD9FB9B84942F6

Function 00E6DFB0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dcf6a4309c6c597c98923311941b369cbe3eafed875de66002f3a9e3455124
Instruction ID: 1cb0cfb49b5833ad2740efbc228614519c34aac80afc03523191b1af46009eec
Opcode Fuzzy Hash: 43dcf6a4309c6c597c98923311941b369cbe3eafed875de66002f3a9e3455124
Instruction Fuzzy Hash: 5ED052A6E4E6808FD3228B74AC24148BB20FE173543E900C2C0009B216E660083C9730

Function 00E60B35 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cda3e98b823d90dd5e7a2b13b404683a2f897bc64d8dea06a7135ee64823ef6e
Instruction ID: 7e4e5b37a9e45d9937f7c81dc69218d1a4be5b2ca1b89085cbdfa8bec1618d73
Opcode Fuzzy Hash: cda3e98b823d90dd5e7a2b13b404683a2f897bc64d8dea06a7135ee64823ef6e
Instruction Fuzzy Hash: 64C08020085364CFD70427F8FA0C36D3B10975134DF306052D042915744D7404C48633

Function 00E60B19 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 268a8aa1eaf96fb50f8f11cc6f6c7127b206f706a16557426c0b924cd6bab2ab
Instruction ID: a41033ea629873d4ffb0653b0207aefb83cf88459f016ba2e5cfb46c2966e75f
Opcode Fuzzy Hash: 268a8aa1eaf96fb50f8f11cc6f6c7127b206f706a16557426c0b924cd6bab2ab
Instruction Fuzzy Hash: E8C08C20086768CFDB182BF8FA0C36D3B20D7A134EF30A157E002A06788E7408C98A33

Function 00E62EA8 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.4156170780.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_e60000_RegSvcs.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa04653dbe62da109dfb02de880a80e3cebe9dbaf6362b8e5ab0ad98ee73bc9f
Instruction ID: 8a063184521f54400bccece73e2a80167fdaa56c08fe7987ec9ed54e1befde38
Opcode Fuzzy Hash: fa04653dbe62da109dfb02de880a80e3cebe9dbaf6362b8e5ab0ad98ee73bc9f
Instruction Fuzzy Hash: 47C048392606088F8244EA99E698C12B7A8BF68A003414099E9058B722CB61F810DA61

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EiO4tqZ3o4.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_EiO4tqZ3o4.exe_fa4ae2d8aac167bf5165e198cddc7330b01b64_a0e0fc51_ebff8189-50d7-4c69-bf97-7260af2683d7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAC21.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE54.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAE84.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ljs32xwr.5zz.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oi0lhqc0.omy.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_qnnumejd.jg0.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xb0d0vwe.0xc.ps1

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

General

File Icon

Windows Analysis Report
EiO4tqZ3o4.exe

Function 00007FFD9B800C48 Relevance: 4.5, Strings: 3, Instructions: 703
COMMON

Function 00007FFD9B80DEC7 Relevance: 4.1, Strings: 2, Instructions: 1645
COMMON

Function 00007FFD9B817909 Relevance: 1.7, APIs: 1, Instructions: 186
memoryCOMMON

Function 00007FFD9B8D11DC Relevance: 1.7, Strings: 1, Instructions: 422
COMMON