
Windows Analysis Report
WN3Y9XR9c7.exe

Overview

General Information

Sample name: WN3Y9XR9c7.exe (renamed because the original name is a hash value)
Original sample name: 1200b4fd308637f6aa6e8de5fbb57ff1.exe
Analysis ID: 1583122
MD5: 1200b4fd308637f6aa6e8de5fbb57ff1
SHA1: 5e467c042ef8080f9608f0bf268ea2bb5dc3248c
SHA256: 6238bd8ffaadb351f9a5abd2b86e72ec96ba07c2fabe4484c1a985035353ae60
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected non-DNS traffic on DNS port
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • WN3Y9XR9c7.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\WN3Y9XR9c7.exe" MD5: 1200B4FD308637F6AA6E8DE5FBB57FF1)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Malware configuration (AsyncRAT, as extracted):

{
  "External_config_on_Pastebin": "null",
  "Server": "hellonew2025.kozow.com",
  "Ports": "6606,7707,8808,6666,7777",
  "Version": "| Edit by Vinom Rat",
  "Autorun": "false",
  "Install_Folder": "R3huQjdQUWpPbWZ6MTlKdkZwbjFrSnlBYzhwNW1lbnE=",
  "Install_File": "rdJdKIBGOpuOWllNDaXHNEvkvJo22F0zDwETw/NoXgXuFRsRaD3lzECtbo86y2xCt9aVPHpdlhhO0DF/rcdkbJ1JXZpXjEGlRASzkQ8aUgY=",
  "AES_key": "GxnB7PQjOmfz19JvFpn1kJyAc8p5menq",
  "Mutex": "a8sfp0g1eS/gK3zqNYWTCsb/ruev0b4KZy9MeBWq3nf+Vz4jhyZgbhKONAZV2mYFQ0RwdKDE4VHbVF6enFY21tEJJODD3jLxKRTxAvfOrOhSlXedNpLmOH/vbVniE80NqJeAI2oZaU88zCihPnVzQwI4D5d92tbdy4IQDNU+VMSe5EmAd42IaUm8tYq30Oaa6lq994eS/Z4Te4SgM/LdnC7JHnY51EYKcmgJOg8H8/R9XL5TAKUcjnqQM+A9S1GJ6pcB9GTI8P4Q4eqyzWa/oYRfcAu6i/GAmMQlWHA2anAP88rud6EdMeE1u5meK2AyMH2eIPhOfxlXLrjy+5fU5jJiR8H6VVB2kckwTrgwTvukK2ieR73QVdgSuk/ZxP7kiIiuPzH2GaYX3q5fTwQPAuXsS7qnhDqcPmI1Re5JiyNoeQE0EO8QyWnzz3RbbOY0XE1UQyKJYnIHHu9ewnqyD5016J9dQd4/3KGC47Le8VbZSffsQ5iS2bowHMLqFEviLNwPO1DMp2L2ohBpZNOMX+Ll/IZf+AEw8erSDYnXSMXPokCYFiTRNCz8MozmjqP1jIUtTvwZ9INAKrcFPVYTk65ixt9ubnAC0GAM0Vb3UCh91GvsXRwEZuieKQXVgYFkSHWm9rsTtEXZmwltkswgyl7MzBi4N0JlSoisYwVnkxc=",
  "Certificate": "false",
  "ServerSignature": "true",
  "BDOS": "false",
  "Startup_Delay": "3",
  "Group": "null"
}

Reading the configuration: two of the field labels should not be taken at face value. Install_Folder is simply the base64 encoding of the AES_key string (decode it and the two are identical), which means the extractor has mapped the stub's positional settings onto names from a different build layout. By the same token the Mutex value is a several-hundred-character base64 blob, far too long for a mutex name, and the mutex the process actually created at runtime was \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk, the stock AsyncRAT default. Install_File and Mutex are shown in their encrypted form (in stock AsyncRAT builds, base64 of HMAC-SHA256 tag || IV || AES-256-CBC ciphertext). The fields that matter operationally are Server (a dynamic-DNS hostname), Ports (the observed C2 connection went to TCP 6666, one of the five listed), Autorun = false, and the Version string, which marks this as a modified ("Vinom Rat") build rather than the public AsyncRAT release.
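The configuration above is raw extractor output, so the following Python, added here as an example and not part of the Joe Sandbox report or of AsyncRAT's own code, shows how to sanity-check it: it base64-decodes the Install_Folder slot (which turns out to equal AES_key), splits an encrypted field into the HMAC-SHA256 tag, IV and ciphertext layout used by AsyncRAT's Aes256 class, derives the AES and HMAC keys with PBKDF2-HMAC-SHA1 over the stock AsyncRAT salt and 50,000 iterations, and verifies the tag. The salt, iteration count and key layout are those of the public AsyncRAT 0.5.x source; since this is a modified build ("Edit by Vinom Rat"), treat them as an assumption: a failed HMAC means the build changed them. Decryption itself (AES-256-CBC, PKCS7) runs only if the third-party cryptography package is installed; otherwise the derived key and IV are returned for use with another tool.

```python
"""Sanity-check the extracted AsyncRAT config: field labels, blob layout,
key derivation and HMAC, following the stock AsyncRAT Aes256 scheme."""
import base64
import hashlib
import hmac

# Values copied from the extractor output above (other fields omitted).
CONFIG = {
    "Install_Folder": "R3huQjdQUWpPbWZ6MTlKdkZwbjFrSnlBYzhwNW1lbnE=",
    "Install_File": ("rdJdKIBGOpuOWllNDaXHNEvkvJo22F0zDwETw/NoXgXuFRsRaD3lzECtbo86"
                     "y2xCt9aVPHpdlhhO0DF/rcdkbJ1JXZpXjEGlRASzkQ8aUgY="),
    "AES_key": "GxnB7PQjOmfz19JvFpn1kJyAc8p5menq",
}

# Stock AsyncRAT 0.5.x Aes256 parameters. Assumption: this "Vinom Rat" edit
# kept them; a failed HMAC below is the signal that it did not.
SALT = bytes([0xBF, 0xEB, 0x1E, 0x56, 0xFB, 0xCD, 0x97, 0x3B,
              0xB2, 0x19, 0x02, 0x24, 0x30, 0xA5, 0x78, 0x43,
              0x00, 0x3D, 0x56, 0x44, 0xD2, 0x1E, 0x62, 0xB9,
              0xD4, 0xF1, 0x80, 0xE7, 0xE6, 0xC3, 0x39, 0x41])
ITERATIONS = 50000
HMAC_LEN, IV_LEN, KEY_LEN, AUTHKEY_LEN = 32, 16, 32, 64


def derive_keys(master_key: str):
    """Rfc2898DeriveBytes(masterKey, Salt, 50000): GetBytes(32) then GetBytes(64)
    read one continuous PBKDF2-HMAC-SHA1 stream, so derive 96 bytes and split."""
    stream = hashlib.pbkdf2_hmac("sha1", master_key.encode("utf-8"), SALT,
                                 ITERATIONS, KEY_LEN + AUTHKEY_LEN)
    return stream[:KEY_LEN], stream[KEY_LEN:]


def split_blob(b64: str):
    """AsyncRAT Aes256.Encrypt output: HMAC-SHA256(iv || ct) || iv || ct."""
    raw = base64.b64decode(b64)
    if len(raw) < HMAC_LEN + IV_LEN or (len(raw) - HMAC_LEN - IV_LEN) % 16:
        raise ValueError("not an AsyncRAT-style blob: %d bytes" % len(raw))
    return raw[:HMAC_LEN], raw[HMAC_LEN:HMAC_LEN + IV_LEN], raw[HMAC_LEN + IV_LEN:]


def check_field(b64: str, master_key: str) -> dict:
    """Verify the blob's tag with the derived auth key; decrypt only when the
    tag checks out and the 'cryptography' package is available."""
    tag, iv, ct = split_blob(b64)
    key, auth_key = derive_keys(master_key)
    calc = hmac.new(auth_key, iv + ct, hashlib.sha256).digest()
    result = {"hmac_ok": hmac.compare_digest(tag, calc), "key": key.hex(),
              "iv": iv.hex(), "ct_len": len(ct), "plaintext": None}
    if result["hmac_ok"]:
        try:
            from cryptography.hazmat.primitives import padding
            from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
            dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
            padded = dec.update(ct) + dec.finalize()
            unpad = padding.PKCS7(128).unpadder()
            plain = unpad.update(padded) + unpad.finalize()
            result["plaintext"] = plain.decode("utf-8", "replace")
        except (ImportError, ValueError):
            pass  # no AES available here: feed key/iv to openssl enc -d -aes-256-cbc
    return result


def field_label_check(cfg: dict) -> bool:
    """True when the slot labelled Install_Folder base64-decodes to the AES_key
    string, i.e. the extractor's positional labels are shifted for this build."""
    return base64.b64decode(cfg["Install_Folder"]).decode("utf-8") == cfg["AES_key"]


if __name__ == "__main__":
    print("Install_Folder == base64(AES_key):", field_label_check(CONFIG))
    print(check_field(CONFIG["Install_File"], CONFIG["AES_key"]))
```

Run it with no arguments to print the label check and the Install_File result. The same check_field call applies to the long Mutex blob, which has the same tag/IV/ciphertext shape; whether that slot really holds the mutex or the certificate is something to confirm from the decrypted plaintext rather than from the label.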
YARA matches, sample file (type: SAMPLE)

Source: WN3Y9XR9c7.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: WN3Y9XR9c7.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: WN3Y9XR9c7.exe | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0xd1c4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x991f:$a3: get_ActivatePong
  • 0xd3dc:$a4: vmware
  • 0xd254:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa986:$a6: get_SslClient
Source: WN3Y9XR9c7.exe | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x991f:$str01: get_ActivatePong
  • 0xa986:$str02: get_SslClient
  • 0xa9a2:$str03: get_TcpClient
  • 0x8f14:$str04: get_SendSync
  • 0x8fb2:$str05: get_IsConnected
  • 0x96c9:$str06: set_UseShellExecute
  • 0xd4ea:$str07: Pastebin
  • 0xeb82:$str08: Select * from AntivirusProduct
  • 0x10038:$str09: Stub.exe
  • 0x100c8:$str09: Stub.exe
  • 0xd2d4:$str10: timeout 3 > NUL
  • 0xd1c4:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xd254:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: WN3Y9XR9c7.exe | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0xd256:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

YARA matches, memory dumps (type: MEMORY)

Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0xcfc4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x971f:$a3: get_ActivatePong
  • 0xd1dc:$a4: vmware
  • 0xd054:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa786:$a6: get_SslClient
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0xd056:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340 | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security

YARA matches, unpacked PEs (type: UNPACKEDPE)

Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0xd1c4:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x991f:$a3: get_ActivatePong
  • 0xd3dc:$a4: vmware
  • 0xd254:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa986:$a6: get_SslClient
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x991f:$str01: get_ActivatePong
  • 0xa986:$str02: get_SslClient
  • 0xa9a2:$str03: get_TcpClient
  • 0x8f14:$str04: get_SendSync
  • 0x8fb2:$str05: get_IsConnected
  • 0x96c9:$str06: set_UseShellExecute
  • 0xd4ea:$str07: Pastebin
  • 0xeb82:$str08: Select * from AntivirusProduct
  • 0x10038:$str09: Stub.exe
  • 0x100c8:$str09: Stub.exe
  • 0xd2d4:$str10: timeout 3 > NUL
  • 0xd1c4:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xd254:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0xd256:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
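The INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse hit above matches the Run key spelled backwards, a cheap trick against tools that grep binaries for known autostart paths. The following Python, an added example that is neither the published rule nor part of this report, reproduces the idea over a constructed buffer: it reverses a hypothetical list of common ASEP paths, searches for them case-insensitively in both ASCII and UTF-16LE (the encoding of strings in a .NET assembly's user-string heap, which is why the hit sits in a managed binary), and reports offset, encoding and the key the string decodes to. The buffer embeds the exact reversed string from the YARA match plus NUL filler; the key list is my selection, not the rule's string set.

```python
"""Find reversed autostart (ASEP) registry paths in a binary, in ASCII and
UTF-16LE, and report what each one reverses to."""
import re
from typing import List, NamedTuple

# Hypothetical selection of autostart keys (assumption: a practical subset,
# not the published rule's exact string set). Longest first, so a hit on a
# longer key is not re-reported as the shorter key nested inside it.
ASEP_KEYS = sorted([
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
], key=len, reverse=True)


class Hit(NamedTuple):
    offset: int         # byte offset of the reversed string in the buffer
    length: int         # matched length in bytes (doubled for UTF-16LE)
    encoding: str       # "ascii" or "utf-16le"
    reversed_text: str  # what is literally stored in the file
    original_key: str   # what the malware obtains after reversing it


def scan_reversed_asep(buf: bytes) -> List[Hit]:
    """Case-insensitive search, like a YARA 'nocase' string. bytes.lower() only
    folds ASCII letters, so the NUL bytes of UTF-16LE text survive and one
    lowered copy of the buffer serves both encodings."""
    low = buf.lower()
    hits: List[Hit] = []
    for key in ASEP_KEYS:
        rev = key[::-1]
        for enc in ("ascii", "utf-16le"):
            needle = rev.encode(enc).lower()
            for m in re.finditer(re.escape(needle), low):
                start, end = m.start(), m.end()
                if any(h.encoding == enc and h.offset <= start
                       and end <= h.offset + h.length for h in hits):
                    continue  # nested inside a longer key already reported
                hits.append(Hit(start, end - start, enc, rev, key))
    return sorted(hits)


# Constructed sample buffer: the reversed string exactly as the YARA rule
# reported it in this sample, once as ASCII and once as UTF-16LE (the form a
# .NET assembly's user-string heap stores), surrounded by NUL filler.
REVERSED_FROM_SAMPLE = r"\nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS"
SAMPLE_BUF = (b"\x00" * 16
              + REVERSED_FROM_SAMPLE.encode("ascii")
              + b"\x00" * 8
              + REVERSED_FROM_SAMPLE.encode("utf-16le")
              + b"\x00" * 8)

if __name__ == "__main__":
    for h in scan_reversed_asep(SAMPLE_BUF):
        print(f"0x{h.offset:x} {h.encoding:9s} {h.reversed_text!r} -> {h.original_key}")
```

Against a real binary, read the file into bytes and pass it to scan_reversed_asep; the offsets it prints are file offsets, directly comparable with the 0xd254 / 0xd256 positions the YARA engine reported above.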
                No Sigma rule has matched
Suricata alerts

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-01T23:26:59.737170+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
2025-01-01T23:26:59.737170+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
2025-01-01T23:26:59.737170+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP


                AV Detection

Source: WN3Y9XR9c7.exe | Avira: detected
Source: WN3Y9XR9c7.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "hellonew2025.kozow.com", "Ports": "6606,7707,8808,6666,7777", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "R3huQjdQUWpPbWZ6MTlKdkZwbjFrSnlBYzhwNW1lbnE=", "Install_File": "rdJdKIBGOpuOWllNDaXHNEvkvJo22F0zDwETw/NoXgXuFRsRaD3lzECtbo86y2xCt9aVPHpdlhhO0DF/rcdkbJ1JXZpXjEGlRASzkQ8aUgY=", "AES_key": "GxnB7PQjOmfz19JvFpn1kJyAc8p5menq", "Mutex": "a8sfp0g1eS/gK3zqNYWTCsb/ruev0b4KZy9MeBWq3nf+Vz4jhyZgbhKONAZV2mYFQ0RwdKDE4VHbVF6enFY21tEJJODD3jLxKRTxAvfOrOhSlXedNpLmOH/vbVniE80NqJeAI2oZaU88zCihPnVzQwI4D5d92tbdy4IQDNU+VMSe5EmAd42IaUm8tYq30Oaa6lq994eS/Z4Te4SgM/LdnC7JHnY51EYKcmgJOg8H8/R9XL5TAKUcjnqQM+A9S1GJ6pcB9GTI8P4Q4eqyzWa/oYRfcAu6i/GAmMQlWHA2anAP88rud6EdMeE1u5meK2AyMH2eIPhOfxlXLrjy+5fU5jJiR8H6VVB2kckwTrgwTvukK2ieR73QVdgSuk/ZxP7kiIiuPzH2GaYX3q5fTwQPAuXsS7qnhDqcPmI1Re5JiyNoeQE0EO8QyWnzz3RbbOY0XE1UQyKJYnIHHu9ewnqyD5016J9dQd4/3KGC47Le8VbZSffsQ5iS2bowHMLqFEviLNwPO1DMp2L2ohBpZNOMX+Ll/IZf+AEw8erSDYnXSMXPokCYFiTRNCz8MozmjqP1jIUtTvwZ9INAKrcFPVYTk65ixt9ubnAC0GAM0Vb3UCh91GvsXRwEZuieKQXVgYFkSHWm9rsTtEXZmwltkswgyl7MzBi4N0JlSoisYwVnkxc=", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source: WN3Y9XR9c7.exe | ReversingLabs: Detection: 78%
Source: WN3Y9XR9c7.exe | Virustotal: Detection: 66%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: WN3Y9XR9c7.exe | Joe Sandbox ML: detected
Source: WN3Y9XR9c7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WN3Y9XR9c7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 207.32.218.35:6666 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 207.32.218.35:6666 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 207.32.218.35:6666 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 207.32.218.35:6666 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: hellonew2025.kozow.com
Source: Yara match | File source: WN3Y9XR9c7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 207.32.218.35:6666
Source: global traffic | TCP traffic: 192.168.2.4:58445 -> 1.1.1.1:53
Source: Joe Sandbox View | ASN Name: 1GSERVERSUS 1GSERVERSUS
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: hellonew2025.kozow.com
Source: WN3Y9XR9c7.exe, 00000000.00000002.4109516170.0000000000A51000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: WN3Y9XR9c7.exe, 00000000.00000002.4109516170.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/ents
Source: WN3Y9XR9c7.exe, 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Reading the network evidence: the only attacker-controlled endpoint here is hellonew2025.kozow.com, resolved through the sandbox resolver 1.1.1.1 to 207.32.218.35 and contacted on TCP 6666, one of the five ports in the extracted config. The session is TLS, which is why the ja3s and server-certificate rules fire on the server's handshake rather than on plaintext. The 1.1.1.1 entries (port 53 over TCP and UDP without a preceding lookup) are what the "non-DNS traffic on DNS port" and "traffic without corresponding DNS query" signatures react to; they point at the resolver, not at C2. The ctldl.windowsupdate.com URLs are Windows' own automatic root-certificate (CTL) download, triggered by the certificate chain build during the TLS handshake, and should not be treated as malware infrastructure.

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: WN3Y9XR9c7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR

                System Summary

Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C8E048
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_06DD1B10
Source: WN3Y9XR9c7.exe, 00000000.00000002.4112573796.00000000053C9000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilename: UNKNOWN_FILET vs WN3Y9XR9c7.exe
Source: WN3Y9XR9c7.exe, 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: Stub.exe" vs WN3Y9XR9c7.exe
Source: WN3Y9XR9c7.exe | Binary or memory string: OriginalFilename: Stub.exe" vs WN3Y9XR9c7.exe
Source: WN3Y9XR9c7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: rat_win_asyncrat | author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: WN3Y9XR9c7.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat | author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: WN3Y9XR9c7.exe, PUfZINxuvqDfKifX.cs | Base64 encoded string: 'qHLM+lEU9IN/FwEGYD81WFgSsboLobhjuYtq4+WQwFq6J1KtoebeXpb5QEzpw6XE7YrhrCuZnKRTkgmMDGfK/rp2pZGRGG5y/YvLIYpjHlA=', 'NwmeDKFXx4fBmRrJ/JPZYxdzjs+jKbXwodzTfuJtQdbb4niwPRkgTIDMrFOJJjx3zVaV/+D4nI2gUrjQ922SoggIL1mNH97KcEhNbEz1ESg=', 'rdJdKIBGOpuOWllNDaXHNEvkvJo22F0zDwETw/NoXgXuFRsRaD3lzECtbo86y2xCt9aVPHpdlhhO0DF/rcdkbJ1JXZpXjEGlRASzkQ8aUgY=', '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', 'LBZH7gfOSgp3PKzFG9mHcVSsb3Jn+vgS5+tF4gh9Qj0OTz4awAvORKamTB2lERoxTCql2YzmCV+XHwAv27w6SpDTo3W19s2lTjVHV4n/l66uOQAox0x1fEF3RKFM8C4goEilYgQuzZrWOw9YLxR8Xdx2WBkwqU3om/LkrxCOvFyguZRc7JMffM/6LSVfPFK7zcCvzwBqy3NfpZzlkS9muEY1HIrtH7og7zdHlNJB+zKRNkUGQODcvLaGqlm6ZsFwQDmaEurd3741qZIC5t2l18EM+wqoRyuW1IIsDPN2jYc+D5kT9vXfayh
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: WN3Y9XR9c7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: WN3Y9XR9c7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WN3Y9XR9c7.exe | ReversingLabs: Detection: 78%
Source: WN3Y9XR9c7.exe | Virustotal: Detection: 66%
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Sections loaded (in order): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, ucrtbase_clr0400.dll, windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll, uxtheme.dll, fwpuclnt.dll, secur32.dll, schannel.dll, mskeyprotect.dll, ntasn1.dll, ncrypt.dll, ncryptsslp.dll, gpapi.dll, cryptnet.dll, winnsi.dll, winhttp.dll, ondemandconnroutehelper.dll, dhcpcsvc6.dll, dhcpcsvc.dll, webio.dll, cabinet.dll, wbemcomn.dll, amsi.dll, userenv.dll
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: WN3Y9XR9c7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: WN3Y9XR9c7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Reading the system summary: the sample is a 32-bit .NET executable (COM descriptor directory, mscoree.dll loaded first, TRID "Net Framework") whose version resource still names it Stub.exe, the default output name of the AsyncRAT builder. The mutant AsyncMutex_6SI8OkPnk is likewise the stock AsyncRAT default and is a usable host indicator on its own. Several entries are ordinary CLR start-up behaviour rather than attacker tradecraft: the read of HKCU\...\Safer\CodeIdentifiers is the runtime's Software Restriction Policy check, and amsi.dll being loaded is the .NET Framework handing in-memory assembly loads to AMSI. The loaded-module sequence does tell the story of the run in order: schannel/ncrypt/cryptnet for the TLS session to the C2, winhttp/webio for the root-CTL fetch, and wbemcomn for the WMI query that the "Select * from AntivirusProduct" string points to. The Base64 list from PUfZINxuvqDfKifX.cs contains the same Install_File blob seen in the configuration, confirming where the extractor read its values from; the rule labelled "Author: unknown" carries Elastic License v2 metadata and is Elastic Security's Windows_Trojan_Asyncrat signature.

                Data Obfuscation

Source: WN3Y9XR9c7.exe, ZArsPcVEXRronFD.cs | .Net Code: GlFCyXrBWuB System.AppDomain.Load(byte[])
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C806AF push esp; retn 0000h (0_2_00C806BA)
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C806A0 push ecx; retn 0000h (0_2_00C806AA)
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C8063D push edi; retn 0000h (0_2_00C80652)
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C81967 push esp; retn 0000h (0_2_00C81972)
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_00C8197B push esp; retn 0000h (0_2_00C81982)
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Code function: 0_2_06DD19E5 push 6C05966Ch; iretd (0_2_06DD19F5)
Source: WN3Y9XR9c7.exe, jlbRrkqBmmGQJGcT.cs | High entropy of concatenated method names: 'OLtOAjOXldYUQ', 'kPheFRumbhVXK', 'pxfPcTtcZLDl', 'oRAVjruHCIWkr', 'JSGlNUqWip', 'qTAavxrQLvqgO', 'whkWrztNSCns', 'YPtohsblDmss', 'RDxQpPgwrVOyhpS', 'azvabGXewXgdzz'

Reading the obfuscation evidence: the AppDomain.Load(byte[]) call in ZArsPcVEXRronFD.cs is the strongest item here. It loads a second assembly from a byte array at runtime, which is the pattern the "potential unpacker" signature looks for and is consistent with amsi.dll being loaded (the runtime submits byte-array assembly loads to AMSI). The push/ret and push/iretd sequences come from dynamically allocated code outside the 0x540000 image (JIT output or CLR stubs) and carry little weight on their own in a managed process. The randomised, high-entropy class and member names (ZArsPcVEXRronFD, GlFCyXrBWuB, jlbRrkqBmmGQJGcT) are the usual mark of an obfuscator run over the stub.

                Boot Survival

Source: Yara match | File source: WN3Y9XR9c7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Process information set: NOOPENFILEERRORBOX (53 occurrences)

Reading the persistence evidence: the YARA hits behind this section are the reversed Run-key string and the embedded "/c schtasks /create /f /sc onlogon /rl highest /tn" command line, i.e. the two persistence mechanisms the stub carries (a HKCU Run value for unprivileged users, a highest-privilege logon task when elevated). With Autorun set to false in the extracted config, neither was exercised in this run: the process tree shows only the sample itself and no schtasks.exe child. The watch on SystemCertificates\AuthRoot is better explained by crypt32's root-store auto-update during the TLS chain build (the ctldl.windowsupdate.com fetch under Networking) than by protection of an autostart entry. Treat persistence as a capability of this build, not as behaviour observed in this analysis.

Malware Analysis System Evasion

Source: Yara match | File source: WN3Y9XR9c7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR
Source: WN3Y9XR9c7.exe | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Memory allocated: C80000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Memory allocated: 29A0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Memory allocated: 27D0000 memory reserve, memory write watch
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Window / User API: threadDelayed 6242
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Window / User API: threadDelayed 3604
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe TID: 7436 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe TID: 7452 | Thread sleep time: -21213755684765971s >= -30000s
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe TID: 7460 | Thread sleep count: 6242 > 30
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe TID: 7460 | Thread sleep count: 3604 > 30
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Thread delayed: delay time: 922337203685477
Source: WN3Y9XR9c7.exe | Binary or memory string: vmware
Source: WN3Y9XR9c7.exe, 00000000.00000002.4111593815.0000000004E4B000.00000004.00000020.00020000.00000000.sdmp, WN3Y9XR9c7.exe, 00000000.00000002.4109730582.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, WN3Y9XR9c7.exe, 00000000.00000002.4109516170.0000000000A51000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Memory allocated: page read and write, page guard
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Queries volume information: C:\Users\user\Desktop\WN3Y9XR9c7.exe VolumeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: WN3Y9XR9c7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.WN3Y9XR9c7.exe.540000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: WN3Y9XR9c7.exe PID: 7340, type: MEMORYSTR
Source: WN3Y9XR9c7.exe, 00000000.00000002.4109516170.0000000000A9C000.00000004.00000020.00020000.00000000.sdmp, WN3Y9XR9c7.exe, 00000000.00000002.4109516170.0000000000A07000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\WN3Y9XR9c7.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
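The strings and calls listed in the two sections above (SBIEDLL.DLL, vmware, Hyper-V RAW, the root\SecurityCenter2 AntivirusProduct query, the MachineGuid lookup, the MsMpeng.exe path) are what a static triage pass should surface before a sample is detonated. The script below is an added example, not code from the report or from Joe Sandbox; its INDICATORS table, function names and sample blob are this example's own constructions. The point it makes is encoding: this sample is a .NET assembly, and the CLR stores string literals as UTF-16LE in the #US metadata heap, so an ASCII-only strings pass misses most of them. What such a pass cannot see is the runtime behaviour, for example the 922337203685477 ms delay above, which is TimeSpan.MaxValue expressed in milliseconds (2^63 ticks / 10^4), i.e. an effectively infinite sleep.

```python
"""Static triage for a .NET sample: find the sandbox-evasion and AV-discovery
strings the report lists, in both ASCII and UTF-16LE.
Added example, not part of the Joe Sandbox report; SAMPLE_BLOB is constructed."""
import re

# Indicator -> (what it suggests, ATT&CK technique). Strings taken from the
# report's evasion and security-settings sections; the mapping is this example's.
INDICATORS = {
    "SBIEDLL.DLL": ("Sandboxie DLL probe", "T1497"),
    "vmware": ("VMware artifact check", "T1497"),
    "Hyper-V RAW": ("Hyper-V artifact check", "T1497"),
    "Select * from AntivirusProduct": ("WMI SecurityCenter2 AV enumeration", "T1518.001"),
    "MachineGuid": ("Host fingerprint via HKLM Cryptography key", "T1082"),
    "MsMpeng.exe": ("Windows Defender process name", "T1518.001"),
}


def find_indicators(blob: bytes):
    """Return {indicator: [(encoding, offset), ...]} for every hit.

    .NET string literals live in the #US heap as UTF-16LE, so an ASCII-only
    pass misses them; both encodings are searched, case-insensitively."""
    hits = {}
    for needle in INDICATORS:
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(needle.encode(enc)), re.IGNORECASE)
            for m in pat.finditer(blob):
                hits.setdefault(needle, []).append((enc, m.start()))
    return hits


def triage(blob: bytes):
    """Map hits to ATT&CK technique IDs; returns a sorted, de-duplicated list."""
    return sorted({INDICATORS[name][1] for name in find_indicators(blob)})


# Constructed blob: one UTF-16LE literal (as the CLR stores it), one mixed-case
# ASCII artifact string, one UTF-16LE WMI query, and zero filler between them.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "SBIEDLL.DLL".encode("utf-16-le")
    + b"\x00" * 8 + b"VMware" + b"\x00" * 8
    + "Select * from AntivirusProduct".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for name, where in find_indicators(SAMPLE_BLOB).items():
        print(f"{name!r}: {INDICATORS[name][0]} at {where}")
    print("techniques:", triage(SAMPLE_BLOB))
```

Run it against a real file with `find_indicators(open(path, "rb").read())`. Hits are a triage signal, not a verdict: "vmware" also appears in legitimate software, and a packed or string-encrypted sample (the report flags "Software Packing" and "Obfuscated Files or Information") yields nothing until the payload is unpacked, which is exactly why the report's Yara matches come from unpacked PE and memory dumps as well as the file on disk.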
MITRE ATT&CK matrix (the report's layout, one line per tactic; numbers in parentheses are the matrix's signature-count badges as extracted, and where a technique carried more than one badge the digits appear run together, e.g. "31"; techniques without a number are the matrix's default rows with no matching signature):

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Obfuscated Files or Information (111); Software Packing (1); DLL Side-Loading (1); Steganography
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (11); Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Antivirus, Machine Learning and Genetic Malware Detection

Source | Detection | Scanner | Label
WN3Y9XR9c7.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
WN3Y9XR9c7.exe | 67% | Virustotal |
WN3Y9XR9c7.exe | 100% | Avira | TR/Dropper.Gen
WN3Y9XR9c7.exe | 100% | Joe Sandbox ML |
No Antivirus matches (reported for three further tables)

Source | Detection | Scanner | Label
hellonew2025.kozow.com | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
hellonew2025.kozow.com | 207.32.218.35 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
hellonew2025.kozow.com | true | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | WN3Y9XR9c7.exe, 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp | false | | high

IP | Domain | Country | ASN | ASN Name | Malicious
207.32.218.35 | hellonew2025.kozow.com | United States | 14315 | 1GSERVERSUS | true
                      Joe Sandbox version:41.0.0 Charoite
                      Analysis ID:1583122
                      Start date and time:2025-01-01 23:26:05 +01:00
                      Joe Sandbox product:CloudBasic
                      Overall analysis duration:0h 6m 3s
                      Hypervisor based Inspection enabled:false
                      Report type:full
                      Cookbook file name:default.jbs
                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                      Number of new started drivers analysed:0
                      Number of existing processes analysed:0
                      Number of existing drivers analysed:0
                      Number of injected processes analysed:0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode:default
                      Analysis stop reason:Timeout
                      Sample name:WN3Y9XR9c7.exe
                      renamed because original name is a hash value
                      Original Sample Name:1200b4fd308637f6aa6e8de5fbb57ff1.exe
                      Detection:MAL
                      Classification:mal100.troj.evad.winEXE@1/2@1/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 99%
                      • Number of executed functions: 18
                      • Number of non-executed functions: 2
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                      • Excluded IPs from analysis (whitelisted): 199.232.210.172, 20.109.210.53, 13.107.246.45
                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                      • Report size getting too big, too many NtOpenKeyEx calls found.
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
17:27:00 | API Interceptor | 8265906x Sleep call for process: WN3Y9XR9c7.exe modified
Match: bg.microsoft.map.fastly.net (Malicious false, reputation high in the table above: a Microsoft CDN hostname; the list below only records that other analysed samples also resolved it)
Associated Sample Name / URL | Detection | Threat Name | Context
test.doc.bin.doc | malicious | Unknown | 199.232.214.172
test.doc.bin.doc | malicious | Unknown | 199.232.210.172
ROtw3Hvdow.exe | malicious | Unknown | 199.232.210.172
vfrcxq.ps1 | malicious | AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
trwsfg.ps1 | malicious | AveMaria, DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.214.172
vj0Vxt8xM4.exe | malicious | Unknown | 199.232.210.172
Dd5DwDCHJD.exe | malicious | Quasar | 199.232.210.172
rename_me_before.exe | malicious | Python Stealer, Exela Stealer | 199.232.210.172
2VsJzzWTpA.exe | malicious | CobaltStrike | 199.232.214.172
2VsJzzWTpA.exe | malicious | Unknown | 199.232.210.172
Match: ASN 1GSERVERSUS
Associated Sample Name / URL | Detection | Threat Name | Context
Money.exe | malicious | Quasar | 104.251.123.245
Client-built.exe | malicious | Quasar | 104.251.123.245
jew.sh4.elf | malicious | Unknown | 207.32.216.19
SecuriteInfo.com.Win64.Malware-gen.4046.15809.exe | malicious | EICAR | 104.251.123.67
loader.exe | malicious | Xmrig | 142.202.242.43
sora.arm.elf | malicious | Mirai | 207.32.216.26
PT54FFSL7ET46RASB.exe | malicious | LummaC Stealer, PureLog Stealer, Xmrig, zgRAT | 142.202.242.43
System.exe | malicious | Flesh Stealer, Xmrig | 142.202.242.43
2BuZaUic3i.exe | malicious | RedLine | 207.32.219.79
EpCrfIUgyF.exe | malicious | RedLine | 207.32.219.79
                      Process:C:\Users\user\Desktop\WN3Y9XR9c7.exe
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):71954
                      Entropy (8bit):7.996617769952133
                      Encrypted:true
                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                      Process:C:\Users\user\Desktop\WN3Y9XR9c7.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):328
                      Entropy (8bit):3.245596380966818
                      Encrypted:false
                      SSDEEP:6:kKLn9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:z2DImsLNkPlE99SNxAhUe/3
                      MD5:727EAC207CD07E7C6D7A56735D9CA0C3
                      SHA1:918DE649ECF6FB1A985D6F8E01E15E509605400B
                      SHA-256:F6FFA7EA19E46849FD7FB52F2D8FD34B1B3154097C727AD05DE4D3C233ABFD6C
                      SHA-512:BB49759BB372F6639A6B21923F8148AC45A024B57C85CC1C3EB59ED276381B53B5FBF70327319D7C4AA49A67D9D1537C721C63FFA26E75ED32990A8A83D3B34A
                      Malicious:false
                      Reputation:low
                      Preview:p...... .........0>F.\..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):5.516606587411499
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:WN3Y9XR9c7.exe
                      File size:67'584 bytes
                      MD5:1200b4fd308637f6aa6e8de5fbb57ff1
                      SHA1:5e467c042ef8080f9608f0bf268ea2bb5dc3248c
                      SHA256:6238bd8ffaadb351f9a5abd2b86e72ec96ba07c2fabe4484c1a985035353ae60
                      SHA512:8011014730c7a0e5f5e91ce227bacf95b2a79965b732d97ecf6f4d5708a228f954dce732f3d8f9f4d0cce450d4e0a9702c10ff874d014cdb651e3d251b965ac1
                      SSDEEP:1536:PmImx6tX2kNff4sKu+UYFVsL7DlbT2KXpfmzG8RLh2LlLrmTGtx:Pm9x6tmkN7Ku+UYFVG7JbTafR0lLEmx
                      TLSH:7A6308053BE98029F3BE8F7469F6268446FAF4AF2D11D95D1CC810DE0532BC29951BBB
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d................................. ... ....@.. .......................`............`................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x411aee
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x64A6F687 [Thu Jul 6 17:14:47 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (entry point 0x411aee)
jmp dword ptr [00402000h]
(the bytes that follow are zero padding, which the report disassembles as repeated `add byte ptr [eax], al`)
This is the standard native stub of a .NET executable: the jump reads the IAT slot at 0x402000 (imagebase 0x400000 + IAT RVA 0x2000, see the data directories below), which holds the sole native import mscoree.dll!_CorExeMain; the managed entry point is resolved by the CLR from the COM descriptor, not by this stub.
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x11aa0 | 0x4b | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xfaf4 | 0xfc00 | 0ba9a0aeb19946ca4ababd91ccdb4f9b | False | 0.4977213541666667 | data | 5.555802128203955 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | d21db3a879c5fc17277313d0e05685d8 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2cc | data | | | 0.43575418994413406
RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-01T23:26:59.737170+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
2025-01-01T23:26:59.737170+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
2025-01-01T23:26:59.737170+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
2025-01-01T23:26:59.737170+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 207.32.218.35 | 6666 | 192.168.2.4 | 49730 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 1, 2025 23:26:59.074845076 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:26:59.079637051 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.079722881 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:26:59.091852903 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:26:59.096818924 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.672673941 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.672693968 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.672776937 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:26:59.732290983 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:26:59.737169981 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.891808987 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:26:59.945643902 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:01.200197935 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:01.204994917 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:01.205058098 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:01.209901094 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:01.706053972 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:01.758107901 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:01.809245110 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:01.851855993 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.513391018 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.518352985 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:10.520612001 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.529833078 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:10.781393051 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:10.836360931 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.886948109 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:10.890523911 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.895282030 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:10.895335913 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
Jan 1, 2025 23:27:10.900176048 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
Jan 1, 2025 23:27:16.111836910 CET | 58445 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 23:27:16.118859053 CET | 53 | 58445 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 23:27:16.118932009 CET | 58445 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 23:27:16.125991106 CET | 53 | 58445 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 23:27:16.584582090 CET | 58445 | 53 | 192.168.2.4 | 1.1.1.1
Jan 1, 2025 23:27:16.589576960 CET | 53 | 58445 | 1.1.1.1 | 192.168.2.4
Jan 1, 2025 23:27:16.589663982 CET | 58445 | 53 | 192.168.2.4 | 1.1.1.1
                      Jan 1, 2025 23:27:19.831177950 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:19.836088896 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:19.836630106 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:19.841527939 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:20.093524933 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:20.148802996 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:20.229365110 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:20.267573118 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:20.272375107 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:20.276099920 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:20.280999899 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.139451027 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:29.144311905 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.144382000 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:29.149174929 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.406173944 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.461420059 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:29.514786005 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.526225090 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:29.531003952 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:29.531053066 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:29.535851002 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:31.726352930 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:31.773823977 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:31.857429981 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:31.898833036 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.446315050 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.451246023 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:38.452670097 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.457467079 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:38.718569040 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:38.758333921 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.824961901 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:38.828228951 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.833013058 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:38.833066940 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:38.837917089 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:47.758874893 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:47.763854980 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:47.763915062 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:47.768769026 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:48.030627012 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:48.070749998 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:48.165261030 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:48.167016029 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:48.171742916 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:48.171788931 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:48.176582098 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.071147919 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:57.076047897 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.076700926 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:57.081465960 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.332823038 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.383292913 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:57.467735052 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.469394922 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:57.474195957 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:27:57.474246025 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:27:57.479063988 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:01.716202974 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:01.758264065 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:01.850753069 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:01.898909092 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.393565893 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.398375988 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:06.398432970 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.403253078 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:06.656491995 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:06.711524963 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.764183998 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:06.775499105 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.780327082 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:06.784694910 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:06.789547920 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:15.696680069 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:15.701530933 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:15.701584101 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:15.706331968 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:15.991539001 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:16.065649033 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:16.125221968 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:16.130502939 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:16.135318041 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:16.135355949 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:16.140156031 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.008836985 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:25.013681889 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.016813993 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:25.021673918 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.298676014 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.433329105 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.433440924 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:25.435193062 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:25.440000057 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:25.440272093 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:25.444994926 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:31.796541929 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:31.930732965 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:31.930794001 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.321327925 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.326122046 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:34.326181889 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.330971956 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:34.580681086 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:34.650522947 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.686481953 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:34.689160109 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.693953991 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:34.695513964 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:34.700365067 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.165261984 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:36.170166016 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.170270920 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:36.175123930 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.447896957 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.585366011 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.588869095 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:36.598927975 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:36.603722095 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:36.604844093 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:36.609687090 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.306000948 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:42.310859919 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.310911894 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:42.315623999 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.567357063 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.649050951 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:42.705348969 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.718211889 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:42.723063946 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:42.728848934 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:42.733587027 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:51.634186983 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:51.639863014 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:51.639908075 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:51.644649982 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:51.921572924 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:52.004205942 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:52.057132959 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:52.059041977 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:52.063977957 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:28:52.064018965 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:28:52.068890095 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:00.946408987 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:00.951319933 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:00.951381922 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:00.956202030 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.108850956 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.241442919 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.241513014 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:01.244807959 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:01.249558926 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.249615908 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:01.254396915 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.713349104 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.849353075 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:01.849417925 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:05.821465969 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:05.826380968 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:05.826436043 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:05.831294060 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:06.104414940 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:06.161588907 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:06.218436956 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:06.219996929 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:06.224797964 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:06.224842072 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:06.229573011 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:11.930917978 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:11.935986996 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:11.936039925 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:11.940825939 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:12.400388956 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:12.445962906 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:12.537535906 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:12.539052963 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:12.543803930 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:12.543868065 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:12.548644066 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.244852066 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:21.249844074 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.253060102 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:21.257838964 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.513839960 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.633475065 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:21.645412922 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.648473024 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:21.653271914 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:21.653373003 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:21.658126116 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.415263891 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:23.420100927 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.420207024 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:23.424964905 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.685323954 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.742863894 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:23.817308903 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.819430113 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:23.824193954 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:23.824613094 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:23.829473019 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:31.724684000 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:31.857929945 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:31.861382961 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:31.987339973 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:32.728883028 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:33.136878967 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:33.713056087 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:33.713069916 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:33.865057945 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:33.913605928 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:33.969012976 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:33.970997095 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:33.975821972 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:33.975860119 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:33.980722904 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.040215969 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:42.045152903 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.045201063 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:42.049977064 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.310153008 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.439982891 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:42.445316076 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.446943998 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:42.451750040 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:42.451795101 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:42.456568956 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:44.649641037 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:44.654495955 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:44.654546022 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:44.659310102 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:44.919096947 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:45.053319931 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:45.057041883 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:45.058790922 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:45.063580036 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:45.063637018 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:45.068381071 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:53.962409019 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:53.967356920 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:53.967422009 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:53.972240925 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:54.265433073 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:54.403285027 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:54.403341055 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:54.404969931 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:54.410989046 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:29:54.411040068 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:29:54.416982889 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:01.774492979 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:01.900451899 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:01.909337997 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:02.014400959 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.276526928 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.281497002 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:03.281626940 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.286420107 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:03.548835039 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:03.649204016 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.657188892 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:03.659262896 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.664006948 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:03.664093018 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:03.668899059 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:10.618386984 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:10.623332024 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:10.623517990 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:10.628345013 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:10.887844086 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:10.946198940 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:11.021342993 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:11.043518066 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:11.048348904 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:11.051520109 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:11.056324959 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:19.931143999 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:19.936021090 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:19.936073065 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:19.940817118 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:20.210052967 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:20.309165001 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:20.341572046 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:20.343235016 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:20.348052025 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:20.348105907 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:20.352961063 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.540247917 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:21.545101881 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.545207024 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:21.549932957 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.809870958 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.934572935 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:21.945405960 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.948438883 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:21.953226089 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:21.953275919 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:21.958106041 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:30.853185892 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:30.858244896 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:30.858361006 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:30.863149881 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.129837990 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.243024111 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:31.265328884 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.268129110 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:31.272974014 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.273024082 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:31.277884960 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.745032072 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.836771965 CET497306666192.168.2.4207.32.218.35
                      Jan 1, 2025 23:30:31.877439976 CET666649730207.32.218.35192.168.2.4
                      Jan 1, 2025 23:30:31.945826054 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.387013912 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.391885042 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:37.395211935 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.400082111 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:37.659471035 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:37.743042946 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.767219067 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:37.769720078 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.774610043 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:37.774755955 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:37.779510021 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:46.665587902 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:46.670536041 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:46.670753002 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:46.675534010 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:47.040752888 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:47.137027025 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:47.177305937 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:47.180397987 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:47.185228109 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:47.185388088 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:47.190206051 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:55.979687929 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:55.984581947 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:55.984636068 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:55.989418983 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.287517071 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.336849928 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:56.425368071 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.427056074 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:56.431790113 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.431852102 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:56.436672926 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.806063890 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:56.810930967 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:56.810973883 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:56.815749884 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:57.075879097 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:57.133728027 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:57.213234901 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:57.214884996 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:57.219696045 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:30:57.219808102 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:30:57.224562883 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.572411060 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:00.577482939 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.577524900 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:00.582258940 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.839246988 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.884337902 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:00.973438025 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.974482059 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:00.979208946 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:00.985050917 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:00.989819050 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:01.709630966 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:01.758729935 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Jan 1, 2025 23:31:01.841408968 CET | 6666 | 49730 | 207.32.218.35 | 192.168.2.4
                      Jan 1, 2025 23:31:01.883740902 CET | 49730 | 6666 | 192.168.2.4 | 207.32.218.35
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 1, 2025 23:26:58.948257923 CET | 59206 | 53 | 192.168.2.4 | 1.1.1.1
                      Jan 1, 2025 23:26:59.072762012 CET | 53 | 59206 | 1.1.1.1 | 192.168.2.4
                      Jan 1, 2025 23:27:16.111238956 CET | 53 | 52411 | 1.1.1.1 | 192.168.2.4
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Jan 1, 2025 23:26:58.948257923 CET | 192.168.2.4 | 1.1.1.1 | 0xe0f6 | Standard query (0) | hellonew2025.kozow.com | A (IP address) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Jan 1, 2025 23:26:59.072762012 CET | 1.1.1.1 | 192.168.2.4 | 0xe0f6 | No error (0) | hellonew2025.kozow.com | | 207.32.218.35 | A (IP address) | IN (0x0001) | false
                      Jan 1, 2025 23:27:00.391798973 CET | 1.1.1.1 | 192.168.2.4 | 0x986c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                      Jan 1, 2025 23:27:00.391798973 CET | 1.1.1.1 | 192.168.2.4 | 0x986c | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


                      Target ID: 0
                      Start time: 17:26:53
                      Start date: 01/01/2025
                      Path: C:\Users\user\Desktop\WN3Y9XR9c7.exe
                      Wow64 process (32bit): true
                      Commandline: "C:\Users\user\Desktop\WN3Y9XR9c7.exe"
                      Imagebase: 0x540000
                      File size: 67'584 bytes
                      MD5 hash: 1200B4FD308637F6AA6E8DE5FBB57FF1
                      Has elevated privileges: true
                      Has administrator privileges: true
                      Programmed in: C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1653920370.0000000000542000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4110500447.00000000029A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation: low
                      Has exited: false


                        Execution Graph

                        Execution Coverage:6.9%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:70
                        Total number of Limit Nodes:4
                        execution_graph (rendered graph not included; 70 nodes, 4 limit nodes). Recoverable API call nodes, by address: c82a0c SetWindowsHookExW (reached from c829c8); c87ec8 DuplicateHandle; c87cc6 and c87d55 GetCurrentProcess, c87d18 GetCurrentThread, c87db3 GetCurrentThreadId (all reached from c87c80); KiUserCallbackDispatcher at c8a7e0, c8a84f, c8a8e0, c8aa90, c8aae8, c88cd4, c88d08 and c8d3c6 (reached through c884e0 -> c87a44 -> c8a8d8 / c8a8e0).

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 00C87CFE
                        • GetCurrentThread.KERNEL32 ref: 00C87D3B
                        • GetCurrentProcess.KERNEL32 ref: 00C87D78
                        • GetCurrentThreadId.KERNEL32 ref: 00C87DD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 77c1d6a2be3dc9520eafc97ee5596f651476bc8a0d4abd7a526d9a88330cb1f4
                        • Instruction ID: 1ef5241192c5c53675674ef5052968d3f714a470aba963c8a91563d7522e400d
                        • Opcode Fuzzy Hash: 77c1d6a2be3dc9520eafc97ee5596f651476bc8a0d4abd7a526d9a88330cb1f4
                        • Instruction Fuzzy Hash: 8861A8B0A08348CFDB14DFA9C5487EEBFF1EF48318F24856AD419A7260D7749984CB65

                        Control-flow Graph

                        APIs
                        • GetCurrentProcess.KERNEL32 ref: 00C87CFE
                        • GetCurrentThread.KERNEL32 ref: 00C87D3B
                        • GetCurrentProcess.KERNEL32 ref: 00C87D78
                        • GetCurrentThreadId.KERNEL32 ref: 00C87DD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: Current$ProcessThread
                        • String ID:
                        • API String ID: 2063062207-0
                        • Opcode ID: 2c5806895ed4a46a2ed7b03bc42628dbce2d5b7006a83e943628ca2ade9c50ec
                        • Instruction ID: 02639230c3a655ce3f272748012210c9a9fffb4707a4447dc80e913bb9282ceb
                        • Opcode Fuzzy Hash: 2c5806895ed4a46a2ed7b03bc42628dbce2d5b7006a83e943628ca2ade9c50ec
                        • Instruction Fuzzy Hash: 5D5177B0A00709CFDB14DFA9C548BEEBBF1AF48318F20845AE419A7360D7749984CF65

                        Control-flow Graph

                        control_flow_graph (rendered graph not included; legend: Executed / Not Executed). Basic blocks c8294f to c82a7e; the block c82a1e-c82a50 calls SetWindowsHookExW.
                        APIs
                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00C82A43
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: HookWindows
                        • String ID:
                        • API String ID: 2559412058-0
                        • Opcode ID: 71bca88ae056cfe019a38609d0ca598434347a78339940f6bf2d357de718fb12
                        • Instruction ID: 4fa147f482628eddfe8e06256d7e16950c520a2a88b58b86b385ff8a96c97c7c
                        • Opcode Fuzzy Hash: 71bca88ae056cfe019a38609d0ca598434347a78339940f6bf2d357de718fb12
                        • Instruction Fuzzy Hash: 0E4144B1D002598FCB24DFA9C548BEEFBF0AF48324F14842AD469A7250C775AA45CFA4
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d005d7a33802329a161dc253893e1958c2198258e945f8194b69d633e99b643e
                        • Instruction ID: b018c93aba04e4b9c2c5c846e774cc6a3316120ccc25c993d76c89f024e3fa2f
                        • Opcode Fuzzy Hash: d005d7a33802329a161dc253893e1958c2198258e945f8194b69d633e99b643e
                        • Instruction Fuzzy Hash: C5D2F534B002048FDB58BB74D96466E77E3EBC9309B1049A8D44B9B394EF39ED478B91

                        Control-flow Graph

                        control_flow_graph (rendered graph not included; legend: Executed / Not Executed). Basic blocks c87ec0 to c87f82; the block c87ec0-c87f5c calls DuplicateHandle.
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C87F4F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 936fb965053dc65949441ec65f8a298b3711d757c6bf168efbb51de093ab85ca
                        • Instruction ID: 367d3ee075f4933c1a66cb90e99f9ffde67c45976f2c1ae8b18ca23df6cee93a
                        • Opcode Fuzzy Hash: 936fb965053dc65949441ec65f8a298b3711d757c6bf168efbb51de093ab85ca
                        • Instruction Fuzzy Hash: 202103B59002499FDB10CFAAD884AEEFFF4FB48310F14801AE969A7310D375A945CFA4

                        Control-flow Graph

                        control_flow_graph (rendered graph not included; legend: Executed / Not Executed). Basic blocks c87ec8 to c87f82; the block c87ec8-c87f5c calls DuplicateHandle.
                        APIs
                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00C87F4F
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: DuplicateHandle
                        • String ID:
                        • API String ID: 3793708945-0
                        • Opcode ID: 14d637137aae255800a545d989c1bee4549bc2645a6ae98dbb6d63d057db3e54
                        • Instruction ID: 5ab88589d9a30efec9ef54c9b5715fbcc26d65acb018cf680199275def509d76
                        • Opcode Fuzzy Hash: 14d637137aae255800a545d989c1bee4549bc2645a6ae98dbb6d63d057db3e54
                        • Instruction Fuzzy Hash: 5021E2B59002489FDB10CFAAD984ADEBFF8EB48320F14801AE958A7310D374A944CFA4

                        Control-flow Graph

                        control_flow_graph (rendered graph not included; legend: Executed / Not Executed). Basic blocks c829c8 to c82a7e; the block c82a1e-c82a50 calls SetWindowsHookExW.
                        APIs
                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00C82A43
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: HookWindows
                        • String ID:
                        • API String ID: 2559412058-0
                        • Opcode ID: afedc83dc03f9370fe4cb9695c591a86a27f7e0e1dee3460868b8c072716dff9
                        • Instruction ID: ba4b3094c5620d86ce2508890affd9dbb8da4eaf5bea74f30d0779b7aa9f1d4e
                        • Opcode Fuzzy Hash: afedc83dc03f9370fe4cb9695c591a86a27f7e0e1dee3460868b8c072716dff9
                        • Instruction Fuzzy Hash: 492127B1D002098FCB14DF99C948BEEFBF5EF88324F14842AD459A7250C775A945CFA5

                        Control-flow Graph

                        control_flow_graph (rendered graph not included; legend: Executed / Not Executed). Basic blocks c8d368 to c8d42b; the block c8d3c6-c8d3ee calls KiUserCallbackDispatcher.
                        APIs
                        • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00C8D3DD
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID: CallbackDispatcherUser
                        • String ID:
                        • API String ID: 2492992576-0
                        • Opcode ID: b7de226a26a4dce00924c437e6e7aaa2dd5b83ee550d01b4314c75172cea6041
                        • Instruction ID: ebe75cffb216928742887dd2ab767f310d7e76d2f08b3b88a08deecdf48c6582
                        • Opcode Fuzzy Hash: b7de226a26a4dce00924c437e6e7aaa2dd5b83ee550d01b4314c75172cea6041
                        • Instruction Fuzzy Hash: D321E1B08083898FCB11CFA9C5497EEBFF0EB05314F14846DD495A7682C3395A05CF61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 63752e408865233ed61e1e7da860585e62c3e1c6911fda0005dcc564a55c34ca
                        • Instruction ID: 180a907f8105f34a103eb3e1c80a81f89bbe69a82a1305f10cfac1d428f94034
                        • Opcode Fuzzy Hash: 63752e408865233ed61e1e7da860585e62c3e1c6911fda0005dcc564a55c34ca
                        • Instruction Fuzzy Hash: 2711CE31B005049FDB08EB29C958BAEBBF6EB8C700F200069E442EB3A1CF759D05CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 071ca3baa441b100aeab0e8dabf2812b31e11ed54737dc51708737c90ceb0c36
                        • Instruction ID: a807437dd4a41722c5674cc8a6098b43ace70810954a450721767967965848e2
                        • Opcode Fuzzy Hash: 071ca3baa441b100aeab0e8dabf2812b31e11ed54737dc51708737c90ceb0c36
                        • Instruction Fuzzy Hash: B40180317001049FDB04AB29C958B6EBBF6EB8C701F200069E502EB3A1CF759D05CB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 163666df7cb7f30c9dd736fe39ac45d9a053b34f6aba07b4b1650bf6a819e6a7
                        • Instruction ID: 7da6ea4ca78d11fe40cff0d5944e338ec04dbb91671f9ad17a62e761b1792ce2
                        • Opcode Fuzzy Hash: 163666df7cb7f30c9dd736fe39ac45d9a053b34f6aba07b4b1650bf6a819e6a7
                        • Instruction Fuzzy Hash: 9E2179326442008FE798EF28DC84B597BA1EF81720F1541AAF6558F3B6C7B1DE06CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d4cfa4e30b303e658d08372dbd0d9dca123958f20371111dab7a5e31806dddf8
                        • Instruction ID: c139da7499f615e68f353e5e0a5287b87aaf5368cf4686cad1b457c8973affa2
                        • Opcode Fuzzy Hash: d4cfa4e30b303e658d08372dbd0d9dca123958f20371111dab7a5e31806dddf8
                        • Instruction Fuzzy Hash: A32137306052048FDB25AF38E89029EBBF2EFC9355F1008AED14AD7351DA39DD4ACB91
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fd74ec5b859f38a8dd24ace05a5926ff62123fb7a10674db713826775b78fb5c
                        • Instruction ID: 6d8018ea50eb6a2a146aaa56f543ef87767fb41bfda81fd34a95ba23dbd0ae45
                        • Opcode Fuzzy Hash: fd74ec5b859f38a8dd24ace05a5926ff62123fb7a10674db713826775b78fb5c
                        • Instruction Fuzzy Hash: D72103717402518FDB05FB68E910B5EBBA1DF81718F148668C10A8F39ADB71EA0BCBD0
                        Memory Dump Source
                        • Source File: 00000000.00000002.4109910326.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c2d000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6b1a6deedcc74b6a7d32d4b7f5fabb61ae3887d15cccaa1a837db8d801e1c365
                        • Instruction ID: 395c352cc897ef37daa4371f953c09d351702e1dce542a76aa4a71344ead599d
                        • Opcode Fuzzy Hash: 6b1a6deedcc74b6a7d32d4b7f5fabb61ae3887d15cccaa1a837db8d801e1c365
                        • Instruction Fuzzy Hash: 2E212675504204DFDB05DF14E9C4B2ABBA5FBA8324F20C56DD80B4BA96C33BD866CA61
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: b125153151e68f3896dc73bc71063c43321fd1d0e490b6b50390222560367827
                        • Instruction ID: 09932b1c616a9fc82f6120294b61b59b89f48f534d6d7877081964595c926320
                        • Opcode Fuzzy Hash: b125153151e68f3896dc73bc71063c43321fd1d0e490b6b50390222560367827
                        • Instruction Fuzzy Hash: 6B2195706402459FDB41FB78D950A9EBBE1DF81318F108768C1058B396DB71EA4BCBD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4d2a2d0b605482f8ae43241ca0f79e4d668f46731532c8fab7f152c714e5ff6f
                        • Instruction ID: c68b8fa41897ab23daa4ef92b183b3a8b4163854dfc2af5406cbf4d20677ae21
                        • Opcode Fuzzy Hash: 4d2a2d0b605482f8ae43241ca0f79e4d668f46731532c8fab7f152c714e5ff6f
                        • Instruction Fuzzy Hash: 01216F70A002459FDB45FB78E950A5EBBA1EF81318F108768C1068B35ADB71EA4BCBD1
                        Memory Dump Source
                        • Source File: 00000000.00000002.4109910326.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c2d000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                        • Instruction ID: 80ba3739a69789b33a8ec99ca761d7f2f5ce815a552a2cc4b2462d907104d5aa
                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                        • Instruction Fuzzy Hash: 9A11D075504240CFDB05CF10E9C4B19BF71FB54324F24C6A9DC4A4BA56C33AD95ACB51
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6c0b8b9ed893ae83c2626d8aa4ec203e13da1cb59bacf0338b23c110aac1f2c9
                        • Instruction ID: acff8dbde4f8940f5153cdc62cdcd85a234a5064a36a34fb49ec73ef169de527
                        • Opcode Fuzzy Hash: 6c0b8b9ed893ae83c2626d8aa4ec203e13da1cb59bacf0338b23c110aac1f2c9
                        • Instruction Fuzzy Hash: 150128739442405FD351EB68E800B8AFFF0EFC1364F0486ABD1568B351D770D60A8B90
                        Memory Dump Source
                        • Source File: 00000000.00000002.4113146426.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_6dd0000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 866dcb13959f68c751be261c22fe64fe04e6bff85939f40c0eea0a3b711f37c3
                        • Instruction ID: 5447ccd7b7dadb95c926d7e4b0d20ac3e5719f85ee8c4d2695d83945f7c08b4a
                        • Opcode Fuzzy Hash: 866dcb13959f68c751be261c22fe64fe04e6bff85939f40c0eea0a3b711f37c3
                        • Instruction Fuzzy Hash: 20828F30B002049FDB54EF69C9C4B6EBAE2FF84304F508578D1469B3A6DB75DE4A8B91
                        Memory Dump Source
                        • Source File: 00000000.00000002.4110078330.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_c80000_WN3Y9XR9c7.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: d0a3a668fa32a9df0e6f272592d60de307aeb5e743bc5e59307f0d7d36c1904d
                        • Instruction ID: f23ab1472de2856c424ae6957d412d3c1c265b24ca4cdd80b12097217e5fc0bd
                        • Opcode Fuzzy Hash: d0a3a668fa32a9df0e6f272592d60de307aeb5e743bc5e59307f0d7d36c1904d
                        • Instruction Fuzzy Hash: 7B528031A00619CFCB15DF64C880BAEB7B6FF45308F5584A9E919AB251D770FE85CB84