
Windows Analysis Report
a36r7SLgH7.exe

Overview

General Information

Sample name: a36r7SLgH7.exe (renamed because original name is a hash value)
Original sample name: 7c41073a0f6d04187987594fe990242d.exe
Analysis ID: 1583971
MD5: 7c41073a0f6d04187987594fe990242d
SHA1: 8edb4897e61ff19c8fb1603b2713fb544ba97154
SHA256: d59fcfd1f5fd871873d3f2d4de2c938825d8e49c7357da078cd7f4a3e42239bf
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
AI detected suspicious sample
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • a36r7SLgH7.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\a36r7SLgH7.exe" MD5: 7C41073A0F6D04187987594FE990242D)
    • cmd.exe (PID: 7552 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7624 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 7568 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25F4.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7588 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7652 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • Windows Command Processor.exe (PID: 7708 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe" MD5: 7C41073A0F6D04187987594FE990242D)
  • Windows Command Processor.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe" MD5: 7C41073A0F6D04187987594FE990242D)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Extracted malware configuration: {"External_config_on_Pastebin": "null", "Server": "213.142.159.59", "Ports": "1605", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "Windows Command Processor.exe", "Install_File": "eVE4dWtlVk0zN0hNdWxiWHQwdU1zTHdaZnR1aExCeDQ="}
Source: a36r7SLgH7.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: a36r7SLgH7.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: a36r7SLgH7.exe | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x66fb:$str01: get_ActivatePong
  • 0x744a:$str02: get_SslClient
  • 0x7466:$str03: get_TcpClient
  • 0x5d0e:$str04: get_SendSync
  • 0x5d5e:$str05: get_IsConnected
  • 0x6491:$str06: set_UseShellExecute
  • 0x9c7f:$str07: Pastebin
  • 0x9d01:$str08: Select * from AntivirusProduct
  • 0x9a59:$str10: timeout 3 > NUL
  • 0x9949:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x99d9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: a36r7SLgH7.exe | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x99db:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x66fb:$str01: get_ActivatePong
  • 0x744a:$str02: get_SslClient
  • 0x7466:$str03: get_TcpClient
  • 0x5d0e:$str04: get_SendSync
  • 0x5d5e:$str05: get_IsConnected
  • 0x6491:$str06: set_UseShellExecute
  • 0x9c7f:$str07: Pastebin
  • 0x9d01:$str08: Select * from AntivirusProduct
  • 0x9a59:$str10: timeout 3 > NUL
  • 0x9949:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x99d9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x99db:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: 00000000.00000002.1693214929.00000000032F1000.00000004.00000800.00020000.00000000.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x1fa3e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x97db:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security

Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x48fb:$str01: get_ActivatePong
  • 0x564a:$str02: get_SslClient
  • 0x5666:$str03: get_TcpClient
  • 0x3f0e:$str04: get_SendSync
  • 0x3f5e:$str05: get_IsConnected
  • 0x4691:$str06: set_UseShellExecute
  • 0x7e7f:$str07: Pastebin
  • 0x7f01:$str08: Select * from AntivirusProduct
  • 0x7c59:$str10: timeout 3 > NUL
  • 0x10ae6:$str10: timeout 3 > NUL
  • 0x11f1c:$str10: timeout 3 > NUL
  • 0x7b49:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x7bd9:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x7bdb:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security

                      System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\a36r7SLgH7.exe", ParentImage: C:\Users\user\Desktop\a36r7SLgH7.exe, ParentProcessId: 7472, ParentProcessName: a36r7SLgH7.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit, ProcessId: 7552, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' , ProcessId: 7624, ProcessName: schtasks.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-03T23:57:03.811543+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
2025-01-03T23:57:03.811543+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
2025-01-03T23:57:03.811543+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP


                      AV Detection

Source: a36r7SLgH7.exe | Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Avira: detection malicious, Label: HEUR/AGEN.1305744
Source: a36r7SLgH7.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "213.142.159.59", "Ports": "1605", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "Windows Command Processor.exe", "Install_File": "eVE4dWtlVk0zN0hNdWxiWHQwdU1zTHdaZnR1aExCeDQ="}
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | ReversingLabs: Detection: 78%
Source: a36r7SLgH7.exe | ReversingLabs: Detection: 78%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Joe Sandbox ML: detected
Source: a36r7SLgH7.exe | Joe Sandbox ML: detected
Source: a36r7SLgH7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a36r7SLgH7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                      Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 213.142.159.59:1605 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 213.142.159.59:1605 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 213.142.159.59:1605 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 213.142.159.59:1605 -> 192.168.2.4:49730
Source: Yara match | File source: a36r7SLgH7.exe, type: SAMPLE
Source: Yara match | File source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 213.142.159.59:1605
Source: Joe Sandbox View | ASN Name: ONLINENETTR ONLINENETTR
Source: unknown | TCP traffic detected without corresponding DNS query: 213.142.159.59
Source: Windows Command Processor.exe, 00000007.00000002.2898563994.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.7.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Windows Command Processor.exe, 00000007.00000002.2898563994.00000000013D7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enA
Source: a36r7SLgH7.exe, 00000000.00000002.1693214929.0000000003437000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: a36r7SLgH7.exe, type: SAMPLE
Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED

                      System Summary

Source: a36r7SLgH7.exe, type: SAMPLE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: a36r7SLgH7.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000000.00000002.1693214929.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Code function: 7_2_030763E0
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Code function: 7_2_03076CB0
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Code function: 7_2_03076098
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Code function: 7_2_0307AF60
Source: a36r7SLgH7.exe, 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamecmdj% vs a36r7SLgH7.exe
Source: a36r7SLgH7.exe, 00000000.00000000.1649182169.0000000000EFE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamecmdj% vs a36r7SLgH7.exe
Source: a36r7SLgH7.exe | Binary or memory string: OriginalFilenamecmdj% vs a36r7SLgH7.exe
Source: a36r7SLgH7.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: a36r7SLgH7.exe, type: SAMPLE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: a36r7SLgH7.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000000.00000002.1693214929.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: a36r7SLgH7.exe, Settings.cs | Base64 encoded strings
Source: Windows Command Processor.exe.0.dr, Settings.cs | Base64 encoded strings
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, Settings.cs | Base64 encoded strings
Source: a36r7SLgH7.exe, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: a36r7SLgH7.exe, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: Windows Command Processor.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Windows Command Processor.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/7@0/1
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\a36r7SLgH7.exe.log
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7588:120:WilError_03
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File created: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25F4.tmp.bat""
Source: a36r7SLgH7.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: a36r7SLgH7.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a36r7SLgH7.exe | ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File read: C:\Users\user\Desktop\a36r7SLgH7.exe
Source: unknown | Process created: C:\Users\user\Desktop\a36r7SLgH7.exe "C:\Users\user\Desktop\a36r7SLgH7.exe"
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: cabinet.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
Source: a36r7SLgH7.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: a36r7SLgH7.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File created: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe

Boot Survival

Source: Yara match | File source: a36r7SLgH7.exe, type: SAMPLE
Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"'
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      barindex
                      Source: Yara match | File source: a36r7SLgH7.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED
                      Source: a36r7SLgH7.exe, Windows Command Processor.exe.0.dr | Binary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Memory allocated: 1690000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Memory allocated: 32F0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Memory allocated: 3180000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 3070000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 3270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 5270000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 1360000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 31A0000 memory reserve | memory write watch
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Memory allocated: 15C0000 memory reserve | memory write watch
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Window / User API: threadDelayed 2859
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Window / User API: threadDelayed 6989
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe TID: 7492 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe TID: 7780 | Thread sleep time: -30000s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe TID: 7796 | Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe TID: 7804 | Thread sleep count: 2859 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe TID: 7804 | Thread sleep count: 6989 > 30
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe TID: 7728 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Thread delayed: delay time: 922337203685477
                      Source: Windows Command Processor.exe.0.dr | Binary or memory string: vmware
                      Source: Windows Command Processor.exe, 00000007.00000002.2898563994.00000000013D7000.00000004.00000020.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2902380728.00000000057B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process information queried: ProcessInformation
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process token adjusted: Debug
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Process token adjusted: Debug
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Memory allocated: page read and write | page guard
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25F4.tmp.bat""
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"'
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.0000000003304000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032BA000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTekq
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTekqX[,
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTekqxY,
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager`,kq
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.0000000003304000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTekqpn0
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\kq
                      Source: Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C5000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032BE000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.0000000003304000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\kq%
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Queries volume information: C:\Users\user\Desktop\a36r7SLgH7.exe VolumeInformation
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe VolumeInformation
                      Source: C:\Users\user\Desktop\a36r7SLgH7.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Lowering of HIPS / PFW / Operating System Security Settings

                      barindex
                      Source: Yara match | File source: a36r7SLgH7.exe, type: SAMPLE
                      Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.a36r7SLgH7.exe.ef0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.a36r7SLgH7.exe.3455cc8.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: a36r7SLgH7.exe PID: 7472, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: Windows Command Processor.exe PID: 7672, type: MEMORYSTR
                      Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, type: DROPPED
                      Source: Windows Command Processor.exe, 00000007.00000002.2898563994.00000000013D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                      Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                      MITRE ATT&CK Matrix (one line per tactic; a leading number is the count of matched signatures for that technique)

                      Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
                      Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                      Execution: 1 Windows Management Instrumentation; 2 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
                      Persistence: 2 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Privilege Escalation: 12 Process Injection; 2 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
                      Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 12 Process Injection; 11 Obfuscated Files or Information; 1 DLL Side-Loading; Compile After Delivery
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                      Discovery: 1 Query Registry; 221 Security Software Discovery; 2 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 13 System Information Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                      Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                      Command and Control: 1 Encrypted Channel; 1 Non-Standard Port; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
                      Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
                      Behavior Graph ID: 1583971, Sample: a36r7SLgH7.exe, Start date: 03/01/2025, Architecture: WINDOWS, Score: 100

                      Signatures attached to the start node: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 12 other signatures

                      Process tree recovered from the graph (the graph image itself is not reproduced here):
                      a36r7SLgH7.exe (started from Start)
                        dropped: C:\Users\...\Windows Command Processor.exe, PE32
                        dropped: C:\Users\user\AppData\...\a36r7SLgH7.exe.log, ASCII
                        cmd.exe (started) -> conhost.exe, schtasks.exe; signature: Uses schtasks.exe or at.exe to add and modify task schedules
                        cmd.exe (started) -> Windows Command Processor.exe, conhost.exe, timeout.exe
                      Windows Command Processor.exe (started from Start)
                        network: 213.142.159.59, ports 1605, 49730, ONLINENETTR, Turkey

                      Antivirus detection, submitted sample (Source | Detection | Scanner | Label):
                      a36r7SLgH7.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRATMarte
                      a36r7SLgH7.exe | 100% | Avira | HEUR/AGEN.1305744
                      a36r7SLgH7.exe | 100% | Joe Sandbox ML |

                      Antivirus detection, dropped files (Source | Detection | Scanner | Label):
                      C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | 100% | Avira | HEUR/AGEN.1305744
                      C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | 100% | Joe Sandbox ML |
                      C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe | 79% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRATMarte

                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
                      Domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation):
                      bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high

                      URLs (Name | Source | Malicious | Antivirus Detection | Reputation):
                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | a36r7SLgH7.exe, 00000000.00000002.1693214929.0000000003437000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, Windows Command Processor.exe, 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp | false | | high

                      IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
                      213.142.159.59 | unknown | Turkey | 202505 | ONLINENETTR | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1583971
                          Start date and time:2025-01-03 23:56:04 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 41s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:13
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:a36r7SLgH7.exe
                          renamed because original name is a hash value
                          Original Sample Name:7c41073a0f6d04187987594fe990242d.exe
                          Detection:MAL
                          Classification:mal100.troj.evad.winEXE@15/7@0/1
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 80
                          • Number of non-executed functions: 2
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                          • Excluded IPs from analysis (whitelisted): 199.232.214.172, 4.175.87.197, 20.12.23.50, 13.107.246.45
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target Windows Command Processor.exe, PID 7672 because it is empty
                          • Execution Graph export aborted for target Windows Command Processor.exe, PID 7708 because it is empty
                          • Execution Graph export aborted for target a36r7SLgH7.exe, PID 7472 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: a36r7SLgH7.exe
                      Time | Type | Description
                      17:57:03 | API Interceptor | 1x Sleep call for process: Windows Command Processor.exe modified
                      22:56:57 | Task Scheduler | Run new task: Windows Command Processor path: "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
                          No context
                      Context for domain bg.microsoft.map.fastly.net (Associated Sample Name / URL | Detection | Threat Name | Context):
                      3lhrJ4X.exe | malicious | LiteHTTP Bot | 199.232.214.172
                      2Mi3lKoJfj.exe | malicious | Quasar | 199.232.210.172
                      Reparto Trabajo TP4.xlsm | malicious | Unknown | 199.232.210.172
                      file.exe | malicious | DcRat, JasonRAT | 199.232.214.172
                      iviewers.dll | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.214.172
                      wrcaf.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
                      iubn.ps1 | malicious | DcRat, KeyLogger, StormKitty, Strela Stealer, VenomRAT | 199.232.210.172
                      rwvg1.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.210.172
                      ersyb.exe | malicious | DcRat, KeyLogger, StormKitty, VenomRAT | 199.232.214.172
                      Hornswoggle.exe | malicious | GuLoader | 199.232.214.172

                      Context for ASN ONLINENETTR (Associated Sample Name / URL | Detection | Threat Name | Context):
                      qqyt33.arm4.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.arm6.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.i586.elf | malicious | Mirai, Gafgyt | 80.253.246.4
                      qqyt33.mips.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.m68k.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.mpsl.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.ppc.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.sh4.elf | malicious | Gafgyt, Mirai | 80.253.246.4
                      qqyt33.x32.elf | malicious | Mirai, Gafgyt | 80.253.246.4
                      qqyt33.x86.elf | malicious | Mirai, Gafgyt | 80.253.246.4
                          No context
                          No context
                          Process:C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                          Category:dropped
                          Size (bytes):71954
                          Entropy (8bit):7.996617769952133
                          Encrypted:true
                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                          Malicious:false
                          Reputation:high, very likely benign file
                          Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                          Process:C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):328
                          Entropy (8bit):3.245596380966818
                          Encrypted:false
                          SSDEEP:6:kKe99UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:WkDImsLNkPlE99SNxAhUe/3
                          MD5:D87104A907AFAD5CFE4DA6342AE2F2E1
                          SHA1:2CB7A58ABD8237F5848516E4F23574A3C477EF32
                          SHA-256:5F914DA8D9622164AD1E178E7AD667C3C350404D18045BC97A5D187C7BC51DAD
                          SHA-512:3318C0F11D9DEA7886CB5B10D9D04F14F90F12D69B48E3EE3051047B97A1C52161F86375D4813332F618BBFAD130B77A3CC2910E27D7CE46562C0F686997AEB6
                          Malicious:false
                          Reputation:low
                          Preview:p...... .........R*.2^..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                          Process:C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
                          File Type:CSV text
                          Category:dropped
                          Size (bytes):425
                          Entropy (8bit):5.353683843266035
                          Encrypted:false
                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                          MD5:859802284B12C59DDBB85B0AC64C08F0
                          SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                          SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                          SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                          Process:C:\Users\user\Desktop\a36r7SLgH7.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):522
                          Entropy (8bit):5.358731107079437
                          Encrypted:false
                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhat92n4M6:ML9E4KlKDE4KhKiKhg84j
                          MD5:AE6AF1A0CB468ECBA64E2D77CB4517DB
                          SHA1:09BD6366ED569ADB79274BBAB0BBF09C8244FD97
                          SHA-256:3A917DCBC4952EA9A1135B379B56604B3B63198E540C653683D522445258B710
                          SHA-512:E578CD0D9BF43FD1BA737B9C44B70130462CE55B4F368E2E341BB94A3A3FFA47D4A9FE714EB86926620D1B4BE9FFF4582C219DF9ACC923C765650B13C5451500
                          Malicious:true
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                          Process:C:\Users\user\Desktop\a36r7SLgH7.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):78336
                          Entropy (8bit):5.185630338034101
                          Encrypted:false
                          SSDEEP:1536:FuEYVTn8H2EMZGtUbbjXSVmw9gptdcjyGBvI+:FuE0Tn8H29kUbbjqytujyGt1
                          MD5:7C41073A0F6D04187987594FE990242D
                          SHA1:8EDB4897E61FF19C8FB1603B2713FB544BA97154
                          SHA-256:D59FCFD1F5FD871873D3F2D4DE2C938825D8E49C7357DA078CD7F4A3E42239BF
                          SHA-512:FA219E7AB70D78336C737CC16BE57C4AFBFDE281F955EECE644A13F27F860212323B2A8738C014BB4DC53EA85324E501F0C4B1DC56C8BE4C3E980F87D694AEDA
                          Malicious:true
                          Yara Hits:
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Joe Security
                          • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Sekoia.io
                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: ditekSHen
                          Antivirus:
                          • Antivirus: Avira, Detection: 100%
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 79%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n8e................................. ........@.. ....................................`.....................................S.......8............................................................................ ............... ..H............text...$.... ...................... ..`.rsrc...8...........................@..@.reloc...............0..............@..B........................H........Y...l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
                          Process:C:\Users\user\Desktop\a36r7SLgH7.exe
                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):172
                          Entropy (8bit):5.079011873824364
                          Encrypted:false
                          SSDEEP:3:mKDDCMNqTtvL5ot+kiE2J5xAI5KIFdCRbZmqRDt+kiE2J5xAInTRI928HVZPy:hWKqTtT6wkn23fh8bZmq1wkn23fTbWVk
                          MD5:DA78F08DEDF20AD44E0721ABF4C5BDDF
                          SHA1:F467A55CB9BFE2AA3D18126262A1E108F04AF9C9
                          SHA-256:8E7E0AF8BB5A224E12814418CD6B7F4E95CADEB5A033EE1F0D283AB48BFA4DB4
                          SHA-512:866DEC18CD721DADEE9FC891E9AE232A46F5F845D4C71F7BCC29010B3B04A9440D0F669089EED99B3C125587F2285D836BAAD7DDEE3F6A7BEBA9D17C6F7CFAA9
                          Malicious:false
                          Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp25F4.tmp.bat" /f /q..
                          Process:C:\Windows\SysWOW64\timeout.exe
                          File Type:ASCII text, with CRLF line terminators, with overstriking
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.41440934524794
                          Encrypted:false
                          SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                          MD5:3DD7DD37C304E70A7316FE43B69F421F
                          SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                          SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                          SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                          Malicious:false
                          Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):5.185630338034101
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                          • Win32 Executable (generic) a (10002005/4) 49.75%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Windows Screen Saver (13104/52) 0.07%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          File name:a36r7SLgH7.exe
                          File size:78'336 bytes
                          MD5:7c41073a0f6d04187987594fe990242d
                          SHA1:8edb4897e61ff19c8fb1603b2713fb544ba97154
                          SHA256:d59fcfd1f5fd871873d3f2d4de2c938825d8e49c7357da078cd7f4a3e42239bf
                          SHA512:fa219e7ab70d78336c737cc16be57c4afbfde281f955eece644a13f27f860212323b2a8738c014bb4dc53ea85324e501f0c4b1dc56c8be4c3e980f87d694aeda
                          SSDEEP:1536:FuEYVTn8H2EMZGtUbbjXSVmw9gptdcjyGBvI+:FuE0Tn8H29kUbbjqytujyGt1
                          TLSH:7173194073D88576E27E0B74DCA3D5B04A79BE33A902F22B5EC47D5F393278965022AD
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....n8e................................. ........@.. ....................................`................................
                          Icon Hash:657a525641550165
                          Entrypoint:0x40c71e
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0x65386E86 [Wed Oct 25 01:25:26 2023 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
                          add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc6c8 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x8438 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x18000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa724 | 0xa800 | 7e54c1a7edba869fd72f5f9360231209 | False | 0.4995814732142857 | data | 5.5090974189436235 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x8438 | 0x8600 | 6ab84ebb08961adb9815223cb7829e1e | False | 0.27999650186567165 | data | 4.459033239112091 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x18000 | 0xc | 0x200 | dbf267823414e704fd8e35edb5e82417 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xe2e0 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | | | 0.21097560975609755
RT_ICON | 0xe948 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | | | 0.2647849462365591
RT_ICON | 0xec30 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | | | 0.3783783783783784
RT_ICON | 0xed58 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | | | 0.11567164179104478
RT_ICON | 0xfc00 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | | | 0.18592057761732853
RT_ICON | 0x104a8 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | | | 0.08236994219653179
RT_ICON | 0x10a10 | 0x169e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.968048359240069
RT_ICON | 0x120b0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | | | 0.06130705394190871
RT_ICON | 0x14658 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | | | 0.1177298311444653
RT_ICON | 0x15700 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | | | 0.09308510638297872
RT_GROUP_ICON | 0x15b68 | 0x92 | data | | | 0.589041095890411
RT_VERSION | 0x15bfc | 0x3c4 | data | | | 0.43257261410788383
RT_MANIFEST | 0x15fc0 | 0x478 | exported SGML document, Unicode text, UTF-8 (with BOM) text | | | 0.4423076923076923
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-03T23:57:03.811543+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
2025-01-03T23:57:03.811543+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
2025-01-03T23:57:03.811543+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
2025-01-03T23:57:03.811543+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 213.142.159.59 | 1605 | 192.168.2.4 | 49730 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 3, 2025 23:57:02.865535975 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:02.870471954 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:02.870568037 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:02.882623911 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:02.887434959 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:03.591749907 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:03.591770887 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:03.591845036 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:03.806732893 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:03.811542988 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:04.032634974 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:04.074194908 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:05.197189093 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:05.201989889 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:05.202044964 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:05.206828117 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:16.610831976 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:16.615761995 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:16.615825891 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:16.620646954 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:17.011147022 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:17.058592081 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:17.184861898 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:17.192877054 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:17.199682951 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:17.199733973 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:17.208111048 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.027957916 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:28.032886028 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.032943964 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:28.037765026 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.424635887 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.464953899 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:28.605313063 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.607860088 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:28.612677097 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:28.612720966 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:28.617480040 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:30.307215929 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:30.355592966 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:30.479798079 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:30.527363062 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:39.449860096 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:39.761774063 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:40.371149063 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:40.555150032 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.555967093 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.555977106 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.775502920 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.824265957 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:40.948872089 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.960274935 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:40.965080023 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:40.965132952 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:40.969860077 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:50.871779919 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:50.876590014 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:50.880340099 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:50.885185003 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:51.268587112 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:51.324284077 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:51.464545965 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:51.466370106 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:51.471148968 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:57:51.471200943 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:57:51.475975990 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:00.291637897 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:00.339915991 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:00.464745045 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:00.511784077 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.294557095 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.299377918 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:02.299423933 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.304207087 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:02.527973890 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:02.574285984 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.714920998 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:02.716478109 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.721276045 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:02.721332073 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:02.726108074 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:13.715454102 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:13.720268011 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:13.722479105 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:13.727447033 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:14.112343073 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:14.152445078 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:14.293009996 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:14.294903994 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:14.299793959 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:14.302503109 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:14.307394981 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.137236118 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:25.142074108 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.142138958 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:25.146954060 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.535084009 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.589948893 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:25.715019941 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.716600895 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:25.721385002 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:25.721440077 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:25.726254940 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:30.309748888 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:30.355581045 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:30.480840921 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
Jan 3, 2025 23:58:30.527461052 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:36.559372902 CET | 49730 | 1605 | 192.168.2.4 | 213.142.159.59
Jan 3, 2025 23:58:36.564172983 CET | 1605 | 49730 | 213.142.159.59 | 192.168.2.4
                          Jan 3, 2025 23:58:36.564220905 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:36.569019079 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:36.955445051 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:37.011881113 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:37.137607098 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:37.139430046 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:37.144244909 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:37.144311905 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:37.149163961 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:47.981197119 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:47.986202955 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:47.986294031 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:47.991111994 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:48.379364014 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:48.433773994 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:48.559349060 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:48.561248064 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:48.566272974 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:48.566334963 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:48.571129084 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:58.762243032 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:58.767062902 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:58.768408060 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:58.773245096 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:59.169384003 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:59.215111971 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:58:59.340723038 CET160549730213.142.159.59192.168.2.4
                          Jan 3, 2025 23:58:59.386872053 CET497301605192.168.2.4213.142.159.59
                          Jan 3, 2025 23:59:00.309608936 CET160549730213.142.159.59192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 3, 2025 23:57:04.369658947 CET | 1.1.1.1 | 192.168.2.4 | 0xd82a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 3, 2025 23:57:04.369658947 CET | 1.1.1.1 | 192.168.2.4 | 0xd82a | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false

                          Target ID:0
                          Start time:17:56:51
                          Start date:03/01/2025
                          Path:C:\Users\user\Desktop\a36r7SLgH7.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\a36r7SLgH7.exe"
                          Imagebase:0xef0000
                          File size:78'336 bytes
                          MD5 hash:7C41073A0F6D04187987594FE990242D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1693214929.00000000032F1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1649159114.0000000000EF2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1693214929.0000000003455000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"' & exit
                          Imagebase:0x240000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\SysWOW64\cmd.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp25F4.tmp.bat""
                          Imagebase:0x240000
                          File size:236'544 bytes
                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:schtasks /create /f /sc onlogon /rl highest /tn "Windows Command Processor" /tr '"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"'
                          Imagebase:0x7c0000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:17:56:56
                          Start date:03/01/2025
                          Path:C:\Windows\SysWOW64\timeout.exe
                          Wow64 process (32bit):true
                          Commandline:timeout 3
                          Imagebase:0x1b0000
                          File size:25'088 bytes
                          MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:17:56:57
                          Start date:03/01/2025
                          Path:C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
                          Imagebase:0xf60000
                          File size:78'336 bytes
                          MD5 hash:7C41073A0F6D04187987594FE990242D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2899718572.00000000032C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000007.00000002.2899718572.0000000003271000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Joe Security
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Joe Security
                          • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: Sekoia.io
                          • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 79%, ReversingLabs
                          Reputation:low
                          Has exited:false

                          Target ID:8
                          Start time:17:56:59
                          Start date:03/01/2025
                          Path:C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Local\Temp\Windows Command Processor.exe"
                          Imagebase:0xc30000
                          File size:78'336 bytes
                          MD5 hash:7C41073A0F6D04187987594FE990242D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:low
                          Has exited:true

                            • Instruction Fuzzy Hash: C4B19D70E1060DCFDB50CFA9C98179DBBF2BF88314F188529D816EB294EB359845CB95
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: akq$ akq$,$xoq
                            • API String ID: 0-3861859347
                            • Opcode ID: d1e8aba6f11e7216e09f508290ae263a5ed876e4831f5129012fd76edc04167f
                            • Instruction ID: b0ccaef581ef2dd0280ed788b57a56b7cfb690518e67bc1102f8176a6ca78d43
                            • Opcode Fuzzy Hash: d1e8aba6f11e7216e09f508290ae263a5ed876e4831f5129012fd76edc04167f
                            • Instruction Fuzzy Hash: 47029C34B012049FC715EB28D558B6EBBE6FF88310F248AA9D4059F3A5DB74EC85CB94
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: akq$ akq$xoq
                            • API String ID: 0-2188637935
                            • Opcode ID: 38582c8b88959ce398e7b41c4f43b4c277e1b5be4bbcdb2590747552222870ae
                            • Instruction ID: e2a75811b74e3edbdfd10ec63071eeb1958dddee318f907cc28b3b08408e2401
                            • Opcode Fuzzy Hash: 38582c8b88959ce398e7b41c4f43b4c277e1b5be4bbcdb2590747552222870ae
                            • Instruction Fuzzy Hash: CA619A74B023009FC724EF29D448B5ABBE2FB88314F248968D4459F3A5DBB5ED45CB84
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: (oq$Tekq
                            • API String ID: 0-1772506348
                            • Opcode ID: a291ff7dceb5b16bf0bb8c03c52a977dd6f23925b1b0db9033e16d9cf5d93601
                            • Instruction ID: 47b7b40082ddf7d105ce5a7179b6e2f47a3f62a6a0c3cc446c49df56f7da2de4
                            • Opcode Fuzzy Hash: a291ff7dceb5b16bf0bb8c03c52a977dd6f23925b1b0db9033e16d9cf5d93601
                            • Instruction Fuzzy Hash: 3E517B34B111149FCB44DF69C498A9EBBF6EF89710F2581A9E906DB3A5CA74EC01CB84
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hoq$dLqq
                            • API String ID: 0-1323869633
                            • Opcode ID: e697f7a697cd4c1ea529f05f5cc4d0fc7183561eea0376110eabca03f2435d11
                            • Instruction ID: eac1feba3d678e7e70babb2cf50172977f2f2b9243991a68572ff479a4028c3f
                            • Opcode Fuzzy Hash: e697f7a697cd4c1ea529f05f5cc4d0fc7183561eea0376110eabca03f2435d11
                            • Instruction Fuzzy Hash: 4A41E230B052448FCB15DF69C894BAEBFF6EF89300F1845A9E401DB3A5CA759C05CB95
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: $kq$$kq
                            • API String ID: 0-3550614674
                            • Opcode ID: 18e5d762a82e208b4198ac6fcd4093ba697e13cbdc49427f7669fab3dd1fb24a
                            • Instruction ID: 99c069ce02741ac8ef01991b4d76bb0b05cb17fd630a7e8f13ddbcc465ec8db1
                            • Opcode Fuzzy Hash: 18e5d762a82e208b4198ac6fcd4093ba697e13cbdc49427f7669fab3dd1fb24a
                            • Instruction Fuzzy Hash: 9D418070B06906EFC358AF5A900852DBBB7FF947013388958E0068B799CB359C12CBC9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: xoq
                            • API String ID: 0-2982640460
                            • Opcode ID: 0f20dad18e630b1f133371d6afc1f1365a97e0218430db0539051ef2cd8710e3
                            • Instruction ID: ffcc2fda9febe335779e9bde2a4715273b4b769d115b19bae3572990adb3f237
                            • Opcode Fuzzy Hash: 0f20dad18e630b1f133371d6afc1f1365a97e0218430db0539051ef2cd8710e3
                            • Instruction Fuzzy Hash: F091BC70A03220CFD724EF2AE40871977F2F7A8314F245559D88C9B38ADBB99A40CF95
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: 389db5988a2a36881ddaa9e79881bb8325598d87453cb7ffd6e3227207cede11
                            • Instruction ID: 96342245a4c1c2e24921945724f6218f63d6830f422cab68b9e0358b09e67734
                            • Opcode Fuzzy Hash: 389db5988a2a36881ddaa9e79881bb8325598d87453cb7ffd6e3227207cede11
                            • Instruction Fuzzy Hash: 22516834B012059FD714DB29D858FA9BBB2FF88714F248199E9129B3E1CBB5AC41CB94
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: $kq
                            • API String ID: 0-3037731980
                            • Opcode ID: 6d9b68649b0831b24ff0cdfc489b0856899d001145ae30d36c22e67191ec6e92
                            • Instruction ID: 25df54be7a3d222376cc2f69ae6987c56c7a7a1876eb146a8e5f8c9e56a1dbd0
                            • Opcode Fuzzy Hash: 6d9b68649b0831b24ff0cdfc489b0856899d001145ae30d36c22e67191ec6e92
                            • Instruction Fuzzy Hash: B341C470B0A946EFC3499F5A940812DBB77FF953057388599E0068B799CB359C13CBC9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: |
                            • API String ID: 0-2343686810
                            • Opcode ID: de3367b2069d631374b3f6ca83689535e65efcfcc2ba094a5769f4481f8a96aa
                            • Instruction ID: b80cb5b83b1f4f345fb8a32b80ac25c90a794a8b2689c1b02be53623c7d2c884
                            • Opcode Fuzzy Hash: de3367b2069d631374b3f6ca83689535e65efcfcc2ba094a5769f4481f8a96aa
                            • Instruction Fuzzy Hash: 8131D134B002159FDB54DF78D914AAEBBF2EF89600F1085A9D546EB3A4EB35AD00CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: LRkq
                            • API String ID: 0-1052062081
                            • Opcode ID: f7cf2e39a97a577f4ef324b3a9655945a7c3c6fc58feff4c78b149de41f62634
                            • Instruction ID: bab6f77c0df138748f9c1610b650640d009a0195aee6057930b58749a2f4a629
                            • Opcode Fuzzy Hash: f7cf2e39a97a577f4ef324b3a9655945a7c3c6fc58feff4c78b149de41f62634
                            • Instruction Fuzzy Hash: 8831AE70F012168FCB59DB7885A1A6EBBF6AFC9200B1881A9E545DB3A5DE30DD01C794
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: dLqq
                            • API String ID: 0-4255564529
                            • Opcode ID: 8a619b9d22733ab85b10fb8fce08107fbbbdffdd2a3e49695ad32913ffe9b3aa
                            • Instruction ID: 221914658bf071206c984d072cf6b56110057b9642d2b017a5dcc264f14b0e8c
                            • Opcode Fuzzy Hash: 8a619b9d22733ab85b10fb8fce08107fbbbdffdd2a3e49695ad32913ffe9b3aa
                            • Instruction Fuzzy Hash: 4B318F75A012048FCB15DF69C498B9EBBF6FF88300F1885A9E402AB361CB74ED44CB91
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: e5820f5e99954b942e48b86b51a6e2df70c295eeeea5ff0adacb8cee7dfc2916
                            • Instruction ID: b594b6b967247901fd8bc3ce9ea66f02a484e78af15a4b0e856535afbef47507
                            • Opcode Fuzzy Hash: e5820f5e99954b942e48b86b51a6e2df70c295eeeea5ff0adacb8cee7dfc2916
                            • Instruction Fuzzy Hash: 1621AF35B011109FDB94DB68C858BAE7BF6BF88710F244069E402EB3A1CB709C018BA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: e3d096d6904179d7f40e9b85fb9b9030831faefb9d8cd493b8df25bad496c02b
                            • Instruction ID: 00ed92339eb5b8c4d4ba54253b8a8ec7f59382a5d9132d89c64f1a872d3fd20d
                            • Opcode Fuzzy Hash: e3d096d6904179d7f40e9b85fb9b9030831faefb9d8cd493b8df25bad496c02b
                            • Instruction Fuzzy Hash: F6216A35B111148FDB54EB68D518BAEBBF6BF88710F2441A9E502EB3A0CF749C00CBA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: 3ae58743ca7c65c70753281da863bf8c99a3930a0a53b91ca79792e9fea03f78
                            • Instruction ID: ab630ea1713e63fedd5192bdbace57c565f87269b98c5390351ac8c01719747d
                            • Opcode Fuzzy Hash: 3ae58743ca7c65c70753281da863bf8c99a3930a0a53b91ca79792e9fea03f78
                            • Instruction Fuzzy Hash: 2F21AF30B502008FDB149F68C859BAEBFE6AF88714F244059E502EF3A1CBB59C41CB94
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: d59da5dbb63263b8724c6383da730b261ee9c76ad7ce0dbb02c2a7209b678630
                            • Instruction ID: a5fdd504e635f63013ae206bbe4c308a5728e26539a3e5b1858da69ee6d79513
                            • Opcode Fuzzy Hash: d59da5dbb63263b8724c6383da730b261ee9c76ad7ce0dbb02c2a7209b678630
                            • Instruction Fuzzy Hash: 1B116D30B502048FDB14DB69C499BAEBBE6AF88B14F144069E502AF3A1CB75AC01CB94
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Tekq
                            • API String ID: 0-2319236580
                            • Opcode ID: 61941279b59524645a67897cca3b1404830d713e78ee90098dfa6114165c119f
                            • Instruction ID: 0c59f070cdae4a3fc072a2844eb241debc072d100ec2125e62115da80a0efc0b
                            • Opcode Fuzzy Hash: 61941279b59524645a67897cca3b1404830d713e78ee90098dfa6114165c119f
                            • Instruction Fuzzy Hash: F311A035B016149FDB149B28C858BAEBBF6EF8D700F2400A8E502EB3A1CF759C01CB95
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: LRkq
                            • API String ID: 0-1052062081
                            • Opcode ID: c4420e1f38186a7cfbcc83226b5af54935b9212a454abd407b6ece5f11f5b0ca
                            • Instruction ID: c5ac429f1a02eed669bd89f3ebbf265add9065f3d43d0d98c10717473840e8d3
                            • Opcode Fuzzy Hash: c4420e1f38186a7cfbcc83226b5af54935b9212a454abd407b6ece5f11f5b0ca
                            • Instruction Fuzzy Hash: E101D634F021149FD744DB789806BEE77F5EF45600F1041A9E005EF290EB705E0187E9
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hoq
                            • API String ID: 0-3049094369
                            • Opcode ID: c87f86c3d13509ea8dceeb4f01baa10aa6e9a99290ada49f316fa7743d93c151
                            • Instruction ID: f1a0d21f7ccf2a484d3b2df3e6a41158deaebfb0fa8f95b1dda28bc9176b588a
                            • Opcode Fuzzy Hash: c87f86c3d13509ea8dceeb4f01baa10aa6e9a99290ada49f316fa7743d93c151
                            • Instruction Fuzzy Hash: 21F04C207096900FC396A73D586456E3FEBDFCB11031904F6E185CF39BDD298C0683A5
                            Strings
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: LRkq
                            • API String ID: 0-1052062081
                            • Opcode ID: f49352492a60ea05c689d5c9534857064b5651044d9d900d036d73565e9539ec
                            • Instruction ID: 1e183f53504bf5f4e858e981085e8104151b32462407cc39635c117f28342827
                            • Opcode Fuzzy Hash: f49352492a60ea05c689d5c9534857064b5651044d9d900d036d73565e9539ec
                            • Instruction Fuzzy Hash: D5016275F011159FCB44EB689905AEE77F5FF88600F1041A9E509DF290EB709E118B95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 769abb425eb66bc0e07539c512c35e43ff3d38e9fd0559d6a5fc358059948712
                            • Instruction ID: 6c06c9ad5f2c2dcc60fcddfd6c11e7fb7c688afd0a34122288f672a3d40d406c
                            • Opcode Fuzzy Hash: 769abb425eb66bc0e07539c512c35e43ff3d38e9fd0559d6a5fc358059948712
                            • Instruction Fuzzy Hash: C8C12D74B00204CFCB44EB68D558AADB7F6FF88310B2544A9E906AB3A5CB75DC41CB51
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c839aee5c98caa0ed8b8fa58e8f1942cc75d838c8e97acb3d0b2cdc25edb268d
                            • Instruction ID: 7f1501deb2ea9c5d16bc986d64a2f87828208d76c831d784eb909d69da0db5c2
                            • Opcode Fuzzy Hash: c839aee5c98caa0ed8b8fa58e8f1942cc75d838c8e97acb3d0b2cdc25edb268d
                            • Instruction Fuzzy Hash: 05B17E70E0160DCFDB50CFA8C9857DEBBF2AF48354F188129D816AB294EB369845CF95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b7f5aafee7c7ff2d73fc21a37801457c2e381f092ca2639f7eeadc4b5c956100
                            • Instruction ID: 9b12a85bac590ae67bea97da5b7015d92e259298a2ede72df1618c2407d2a0b7
                            • Opcode Fuzzy Hash: b7f5aafee7c7ff2d73fc21a37801457c2e381f092ca2639f7eeadc4b5c956100
                            • Instruction Fuzzy Hash: 04B18B70E1160DCFDB50CFA8C9817DDBBF2AF48314F188529E816EB294EB359885CB95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e4c304fb30facdde0378ad9efea249e2385928652865371eacfb7f1b68832aeb
                            • Instruction ID: 9544f3ea33e8e1e41072029478b0f1cf9eb2ceb765eae55923286eb56b201f5e
                            • Opcode Fuzzy Hash: e4c304fb30facdde0378ad9efea249e2385928652865371eacfb7f1b68832aeb
                            • Instruction Fuzzy Hash: C8A1AF74B02315CFCB19EF38E15865DBBE2EFC8210B1485A9C8069B355EB34ED4ACB95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b041cd8ea55bf5253834e06fcd0100154d93eba50062ed38295615d59eabfc1f
                            • Instruction ID: a99e25f048927cd437af8aa11155faab591bb29417eed900ddb128f8fec43fd7
                            • Opcode Fuzzy Hash: b041cd8ea55bf5253834e06fcd0100154d93eba50062ed38295615d59eabfc1f
                            • Instruction Fuzzy Hash: 12A16E74701342CFCB05EF34E49895ABBB2FF85354B2086A9D5018B369DB38AD5ACBD1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f16e2fec91c6d7be232880a6f95b46fd189906d7f137efd02f308ea9b720b50
                            • Instruction ID: 980d8a1189ef3afd3a89fde384e9e9525f25c01fc3be863e9525f457c255d8a6
                            • Opcode Fuzzy Hash: 3f16e2fec91c6d7be232880a6f95b46fd189906d7f137efd02f308ea9b720b50
                            • Instruction Fuzzy Hash: BEA15F74701342CFCB05EF34E49895EBBB2FB85354B2086A8D5018B769DB38AD5ACBD1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3c340d7a90ebe3711f69315cbbc517f8c37b2f610aa0525da122abea7727a60f
                            • Instruction ID: a1a6a0a12d6f808fa9ce1473752d639cadd71d044969476489d7412bc9b60284
                            • Opcode Fuzzy Hash: 3c340d7a90ebe3711f69315cbbc517f8c37b2f610aa0525da122abea7727a60f
                            • Instruction Fuzzy Hash: 77518A34A01256DFCB04DF68D998A6AFBB2FF45310F1184A9E401AF3A2D731ED41CBA5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a13220ce40c86da2d10662bb7e9f78045a5014630314ecf9461a129534a857f3
                            • Instruction ID: db903c56122032b823161141a6f91ce95c21f76111ea7c4f8e7941b2c84f7804
                            • Opcode Fuzzy Hash: a13220ce40c86da2d10662bb7e9f78045a5014630314ecf9461a129534a857f3
                            • Instruction Fuzzy Hash: FB41C078B012488FDB14EBB9D4546AFBBE6EFC8210F24846DD14A9B340CF359C068B95
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba255aa69fbdc02df22ed63a7b2692a58ecdf8ac671a6f63c654afa876d2e260
                            • Instruction ID: cf8e7c015add298db7f15d145d740bda64b2124970fd2c01488ee1c318032b75
                            • Opcode Fuzzy Hash: ba255aa69fbdc02df22ed63a7b2692a58ecdf8ac671a6f63c654afa876d2e260
                            • Instruction Fuzzy Hash: 23510A70701211CFC715EF38F998949BB72FB893457208668D8418B369DB39ED8AEF94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c34798b384ca48727ac9837553dc5d1594bc107da64420b9964747fb6855a801
                            • Instruction ID: b79f5ad0de78ed22aa8b074a267c84c300a416ba65c01a8da5123c2cde4617d2
                            • Opcode Fuzzy Hash: c34798b384ca48727ac9837553dc5d1594bc107da64420b9964747fb6855a801
                            • Instruction Fuzzy Hash: 9041B270E01208AFCB04EBB989546AEFBFAFF88300F2485A9D449D7345DA349E528794
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 374ffb5bcaa57a63dac93454beda7aca4759512ea5e8bbd7e5e2ac66d66227ce
                            • Instruction ID: 5595c2aad523deff12288a7e3928f280763a4d2a9b02cb520908d48069b1fe80
                            • Opcode Fuzzy Hash: 374ffb5bcaa57a63dac93454beda7aca4759512ea5e8bbd7e5e2ac66d66227ce
                            • Instruction Fuzzy Hash: 1A4100B0D01349EFCB10DFAAC984ADEBFF5BF48310F248429E409AB254DB75A945CB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 64a7468f94a1d691f4af940a6c93ac4914d7054dcabbfc523b53408b4b64f70b
                            • Instruction ID: 61d9340aa7b2d0d953a9cab92b305b42abd0bfc66bf894ee40264304f32fde19
                            • Opcode Fuzzy Hash: 64a7468f94a1d691f4af940a6c93ac4914d7054dcabbfc523b53408b4b64f70b
                            • Instruction Fuzzy Hash: E041FEB0D00249DFCB10CFAAC984A9EBFF5BF48310F14842AE809AB214DB75A945CB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dc7a94bf7b5f1913ecb694482f9340f4a2fc6f972fc133e6352d5d5a98b9d3bc
                            • Instruction ID: a4194f192e78da2732b2109a8c9de2978a0436309946dfa2c4949101c84cf2bb
                            • Opcode Fuzzy Hash: dc7a94bf7b5f1913ecb694482f9340f4a2fc6f972fc133e6352d5d5a98b9d3bc
                            • Instruction Fuzzy Hash: A021A130F03242EFDBA4EB79E94867EBBE8EF15241F184A6CD803C2144EB349548CB58
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f4de8a344e724d96f056f4b116e666eecf71846271d4f126769855b440c67c8d
                            • Instruction ID: 3bf331fd555fc512c250f00facf2bc73a7067b08e6b00b3d8a4582107f2210ec
                            • Opcode Fuzzy Hash: f4de8a344e724d96f056f4b116e666eecf71846271d4f126769855b440c67c8d
                            • Instruction Fuzzy Hash: BC218138B02214CFCB14EB78D5646EE77BBEF89614F144468C406AB365DF359C42CBA5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dfcfe562a660b49af5c2331fc704181042ddeff8a9885d2f74b81f1fbf83f7e8
                            • Instruction ID: 298ac970d9794172fdcf9683eb591870b343312db05a83c0c4083553fa591890
                            • Opcode Fuzzy Hash: dfcfe562a660b49af5c2331fc704181042ddeff8a9885d2f74b81f1fbf83f7e8
                            • Instruction Fuzzy Hash: DE215C34B023505FCB15EB78E56415E7FDADBC411071445E9C446C738AEF249D0A87E6
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3790ffa596d6414f449f1e77b9618002042f17477989188f49746b6c2ff51811
                            • Instruction ID: 7af181ab532e42c776d9c26893954e5040c9b0c78987efaeda450c2156053a68
                            • Opcode Fuzzy Hash: 3790ffa596d6414f449f1e77b9618002042f17477989188f49746b6c2ff51811
                            • Instruction Fuzzy Hash: 15214F70F13207AFDBA4FB79E95867EBBE8AB15241F145629D806C1144EF248508CB6D
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 241e3b74f6242872195423f8ae94d010c1bc93cd445b6a1ceaa0e2ae718288f5
                            • Instruction ID: e47970f67a3b66c439769a059520d2cafec4cea501877f4c65e197bf5334515f
                            • Opcode Fuzzy Hash: 241e3b74f6242872195423f8ae94d010c1bc93cd445b6a1ceaa0e2ae718288f5
                            • Instruction Fuzzy Hash: AE110334A023458FCB01EB78D4106DEBFF1EFC1210B1086A9C0459F395EB759A4ACBDA
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0f31224a099cea91d73f9746ae9e7709fd5efc46ee108885f7c63d683b46737e
                            • Instruction ID: e49362a397767e9bab8c9ac9119bb64430dd5c6a1f08b87e2bd6aedf452f7c79
                            • Opcode Fuzzy Hash: 0f31224a099cea91d73f9746ae9e7709fd5efc46ee108885f7c63d683b46737e
                            • Instruction Fuzzy Hash: 6611CE70B01251DFCB54EBBDD45866ABBF5EF8920071408B8D445DB355EA35CC02CB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 40a2d417fe85491ef10a9968273f8d3103105eaf92bd3506920d1ecea3225fd7
                            • Instruction ID: bca37c910d47f5b5f52ced7700e2ad4c316fed53ae8023d05ae582d22af2552f
                            • Opcode Fuzzy Hash: 40a2d417fe85491ef10a9968273f8d3103105eaf92bd3506920d1ecea3225fd7
                            • Instruction Fuzzy Hash: A0119174A023059FCB41EB78E41469EBBE1EFC1350F1086A9C0059F395EB759A4A8BD6
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c8553c1c994c731f49b522ff55c4d4ed3798d2b4abd3e2bb47d275752b5a42ed
                            • Instruction ID: 6ea22fd2dbfad52977e49c000a2fdf69dbbb35cf73f33266c3115bf8267e4d4f
                            • Opcode Fuzzy Hash: c8553c1c994c731f49b522ff55c4d4ed3798d2b4abd3e2bb47d275752b5a42ed
                            • Instruction Fuzzy Hash: 2D116170B01205DFCB58EBBDD50866A7BFAFF8865471404B8D405DB354EA35DC41CB94
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 67b3ba3cb871297ef03d1878fd240463f353463caa36f9a5d193d6e6925e59df
                            • Instruction ID: 2bee2c3e8a73e99fd40cac13f7e1aea7132db3f12e5917682b786bd3343ca919
                            • Opcode Fuzzy Hash: 67b3ba3cb871297ef03d1878fd240463f353463caa36f9a5d193d6e6925e59df
                            • Instruction Fuzzy Hash: D901B1383053408FC71AAB7895642BE7BE7AFCA21472448BDD14ACB352CF759C46A7A1
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f819b501137c2405bb56321a14748fdb8b7a1927eab33c6fcb3c2fbde45fe98
                            • Instruction ID: 2afa7f52bf9475c6c22d2c56ca1f5dd6c61ae7fa5f4a1537a8f1ba44844dcb3f
                            • Opcode Fuzzy Hash: 3f819b501137c2405bb56321a14748fdb8b7a1927eab33c6fcb3c2fbde45fe98
                            • Instruction Fuzzy Hash: 0C1130B4801248CFCB20CF9AC844BDEBBF8EB48324F208419D428A7610C735A944CFA5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dff9bda9294b0a54f13835a0e924700896421677bf854a64555ce4ca900a69e9
                            • Instruction ID: ea901bb8c9900ad6b7161cb7fa51d28ce64dd5c737346870c85356710d4623a1
                            • Opcode Fuzzy Hash: dff9bda9294b0a54f13835a0e924700896421677bf854a64555ce4ca900a69e9
                            • Instruction Fuzzy Hash: 78111EB5900248CFCB20DF9AC488BDEBBF4EB48324F208419D468A7650C375A944CFA5
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad1e1af926d0ed3b035a4338b2dc236f52d63d3a8199f82edbf33f27ea7adfe1
                            • Instruction ID: e7d23a5ca1b6210a5c028dc71c3b640e30ea1e920744dd95b270a9020f4c3529
                            • Opcode Fuzzy Hash: ad1e1af926d0ed3b035a4338b2dc236f52d63d3a8199f82edbf33f27ea7adfe1
                            • Instruction Fuzzy Hash: 06E0922130D3915FC70297F498644897FEA9F8711471900EED0C0CF6A2CD598C028396
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f1f2938123e441bbb7246c32173fcfcc8ef02bcc87954749ea4824686b1f2a51
                            • Instruction ID: 6672da26927a7f5a67fb3b96bdc71218087bfeed8fa6e7af7e78d2d5bf370e13
                            • Opcode Fuzzy Hash: f1f2938123e441bbb7246c32173fcfcc8ef02bcc87954749ea4824686b1f2a51
                            • Instruction Fuzzy Hash: 86D0E264D0530E5A8781EFB858406EEBBE9BB49110F5006AAD85CE6240EA304A228B96
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 88b9e8a999974db795f1a10bfb5e00a21d4957449eb747b926dba0f353cccfcc
                            • Instruction ID: e0d963806d8fb9dc5814ca8393a53a78767782fe7ec3b7b9e32bd0bb18e18efb
                            • Opcode Fuzzy Hash: 88b9e8a999974db795f1a10bfb5e00a21d4957449eb747b926dba0f353cccfcc
                            • Instruction Fuzzy Hash: A3D09E751582945FC306D668E495CD17F78AF5E51031640D6E5808FA63C615E806DB62
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8d5d76786a39b1f02f75f22531fe3c2118291ca832b19be4091cfd84a7f0174
                            • Instruction ID: 870894874bc23cc40062f74d90414cd9e73603e509653392dd6606128c6d360c
                            • Opcode Fuzzy Hash: f8d5d76786a39b1f02f75f22531fe3c2118291ca832b19be4091cfd84a7f0174
                            • Instruction Fuzzy Hash: B1C08C30A2724AEED730F760D90872C7B50A763301F14166AA002000998EF8144C871E
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e6615408c914fd0589474659bc461fd7ca58166c797aa568b1b2b809b95c91b6
                            • Instruction ID: aff8d4e9273fc54bda45598ab0b7cb4848dbaf98107ab45fbb9ca0f47602e74c
                            • Opcode Fuzzy Hash: e6615408c914fd0589474659bc461fd7ca58166c797aa568b1b2b809b95c91b6
                            • Instruction Fuzzy Hash: 55C08C30A27207EED330B7A0D90872C7B50AB63301F141665A402000998EF8140C831E
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6d4b89afd30718acad300d49dfffc6fb31ef6a78f571f578cda4bdd3fda6bb54
                            • Instruction ID: f8985935940193b06d3bec5c09d2c30e651770640f79acab83f5f1b420569af3
                            • Opcode Fuzzy Hash: 6d4b89afd30718acad300d49dfffc6fb31ef6a78f571f578cda4bdd3fda6bb54
                            • Instruction Fuzzy Hash: 60C048352602088F8244EA99E588C12BBA8FF58A003410099E9018B722CB21FC14EA65
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ad772a2f536330c6c52ee7534c1cd650e6cedc2ba5d64528f0012cb789c2765e
                            • Instruction ID: 3df0caecf56166b93fa8df2af6f7927519574e22791414fb4afea1574d61b687
                            • Opcode Fuzzy Hash: ad772a2f536330c6c52ee7534c1cd650e6cedc2ba5d64528f0012cb789c2765e
                            • Instruction Fuzzy Hash: 6B826A74B012058FDB14EF69C998B6EBBE2FF84300F2485A9D5068F3A9DB74DC498B54
                            Memory Dump Source
                            • Source File: 00000007.00000002.2899529660.0000000003070000.00000040.00000800.00020000.00000000.sdmp, Offset: 03070000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_3070000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fe3a85cc5c8fa552df7f50d413b6514252fbd2875b77588f73c2673389e6d792
                            • Instruction ID: 84585e9aa277b189038d19c555c9142d12ebab2a38de4edb6e426b83b88ffeef
                            • Opcode Fuzzy Hash: fe3a85cc5c8fa552df7f50d413b6514252fbd2875b77588f73c2673389e6d792
                            • Instruction Fuzzy Hash: FA918D70E0160DCFDF50CFA9C9947DDBBF2AF88314F188129E406AB294DB759945CB89
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: (oq$Tekq
                            • API String ID: 0-1772506348
                            • Opcode ID: b2a00e6c0121c3a5cf7970eca6d4d76e554a45b46fcc29a235d079dd78870242
                            • Instruction ID: a855c273a590da1352aefc0be313fc48c5b9fd1235eba9e3fc2cf3ffa022d614
                            • Opcode Fuzzy Hash: b2a00e6c0121c3a5cf7970eca6d4d76e554a45b46fcc29a235d079dd78870242
                            • Instruction Fuzzy Hash: C0514A30B101148FCB54DF6DC458A5EBBFAFF89714F2580A9E906DB3A5DA75EC018B90
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hoq$dLqq
                            • API String ID: 0-1323869633
                            • Opcode ID: 2ddcad048e8f93147ab78301fb2dc2190ae96ff0289f8196b441c752d2ffc232
                            • Instruction ID: de5422952e559ccde872683de3f2f908d8e2e61e018f34af85078097acfe1b7e
                            • Opcode Fuzzy Hash: 2ddcad048e8f93147ab78301fb2dc2190ae96ff0289f8196b441c752d2ffc232
                            • Instruction Fuzzy Hash: FA41AD317042048FDB19DF79C454A9EBBFAEF89304F1484AAE506EB3A5CB759C05CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: LRkq
                            • API String ID: 0-1052062081
                            • Opcode ID: 598ddd1f77364892c8cda752bec815bf276301e8366b57393749a49f49253a57
                            • Instruction ID: 3b08cf46c93cf677f556fe023ce005e422a151a9d31df6bb5e694359ee65e879
                            • Opcode Fuzzy Hash: 598ddd1f77364892c8cda752bec815bf276301e8366b57393749a49f49253a57
                            • Instruction Fuzzy Hash: FB31C174F002168FCB55ABBC95549AEBBFAEFC9214B24816DE506DB3A9DE30CC418790
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: dLqq
                            • API String ID: 0-4255564529
                            • Opcode ID: f4afaf1418c3eab9399fa0ce6b3d71dd9b942f70e58509ad0235bb2e61847111
                            • Instruction ID: 8074b3e195fc73b7c4ba1bd385db40c0fd5e601c70108d29242ee417a89af890
                            • Opcode Fuzzy Hash: f4afaf1418c3eab9399fa0ce6b3d71dd9b942f70e58509ad0235bb2e61847111
                            • Instruction Fuzzy Hash: 4731B071A002048FDB19DF69C488B9EBBF6FF48304F148569E406AB365CB75EC04CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hoq
                            • API String ID: 0-3049094369
                            • Opcode ID: d80cae504190c7ef247775dd712615f4410bc964581bdf1345aaa460cfa7c966
                            • Instruction ID: 3bb1d13dc149cd135a56554d6c536501ce92715801c014d16f9289c782f0e63b
                            • Opcode Fuzzy Hash: d80cae504190c7ef247775dd712615f4410bc964581bdf1345aaa460cfa7c966
                            • Instruction Fuzzy Hash: ECF0C8303092505FC35A9B3D581542F7FEBEFC625432544BAE14ACB3AADE298C068391
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 34e6b858f3adcbda874fb0f323e4432c72d87c06f18d2d4ab52bfd41b3f2788a
                            • Instruction ID: 513acd3e84380c2369ad828833c77e33ad6a4c52f0c9362be0680cfaffb21c60
                            • Opcode Fuzzy Hash: 34e6b858f3adcbda874fb0f323e4432c72d87c06f18d2d4ab52bfd41b3f2788a
                            • Instruction Fuzzy Hash: AD51DA30D00209CFC719DF3AE548A59B7B6FB86306B108568D812CB369EB799D96DF80
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ccaa508cb9eaaca6747987fba42da425d95c4283fec80c94fc70f1766be62afb
                            • Instruction ID: f8309ff5ee5797860c2b549fc75615c4a75df6259f35aac644c3cd6cbc099656
                            • Opcode Fuzzy Hash: ccaa508cb9eaaca6747987fba42da425d95c4283fec80c94fc70f1766be62afb
                            • Instruction Fuzzy Hash: DB417FB0A00209AFCB04EFB9C55466EBBFAFF88304F24C569D44AD7749DA35DD418B91
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767582343.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_130d000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 11cf5a8db83d5471f0d15d01af74645e1fa5557af74df9b8fc052da0912ce247
                            • Instruction ID: dae1f1623893e1d6ee78e3342d6a0821133ccbe30931601d2405a3f6d69c88b8
                            • Opcode Fuzzy Hash: 11cf5a8db83d5471f0d15d01af74645e1fa5557af74df9b8fc052da0912ce247
                            • Instruction Fuzzy Hash: C7210371504204DFDB06DF98D9D0B27BFE5FB8832CF20C169ED090A296C336D456CAA2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 76ed83d0171fd872c4daef8a253be475cf339d34ee807da89eb66682944c9daf
                            • Instruction ID: 0ce380d1f42adf8d6189e31e0ef24404ef9427ac6505bb73e7cd633396f7a215
                            • Opcode Fuzzy Hash: 76ed83d0171fd872c4daef8a253be475cf339d34ee807da89eb66682944c9daf
                            • Instruction Fuzzy Hash: 27213E30B11306CFEB6D9F79D51A67E3BADAF46389B00862DF807C2159EB348950CB51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 159bc61d10e04ff3ccf6f15c9cce4dfc4f933bb46314d65c67f366a90104224a
                            • Instruction ID: c07bfd818e2ff20144053f6da51395eab8bf9c1d8d937cb4d1a98649cf57cb4d
                            • Opcode Fuzzy Hash: 159bc61d10e04ff3ccf6f15c9cce4dfc4f933bb46314d65c67f366a90104224a
                            • Instruction Fuzzy Hash: 292103307112068FFB6DAB79E51A76E7AADAB45389B008629B906C215DEF24C540CB51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767582343.000000000130D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0130D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_130d000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: 7b0740e399e4ec3ebfd8c3385bc73a922475d29d60c7748bf74a754c28b5adad
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: 2411AF76504240CFDB16CF98D5D4B16BFA1FB84328F24C5A9DD090B656C336D45ACBA2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c931f26ec722b9ae67910ef76d76e3357c859ff81270309b7c1ad4fee8573505
                            • Instruction ID: 6ab71a62a2df9b2bdc9eafb447c8a394e17380194dd3f37e90b73c025251fd79
                            • Opcode Fuzzy Hash: c931f26ec722b9ae67910ef76d76e3357c859ff81270309b7c1ad4fee8573505
                            • Instruction Fuzzy Hash: 7D115A70A01245DFCB95EBBDD50966A7BF9EF8930872444B9D406DB324EA35CC42CB90
                            Memory Dump Source
                            • Source File: 00000008.00000002.1767730135.0000000001360000.00000040.00000800.00020000.00000000.sdmp, Offset: 01360000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_1360000_Windows Command Processor.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 83a976fdbb3f4f73cc753912bcc35c100a065c6cd0d397131c9a7dc2e7bfcd28
                            • Instruction ID: 933909e85d5693e04313f91532c0584915000a76252e0b0de284a80c4eba5d24
                            • Opcode Fuzzy Hash: 83a976fdbb3f4f73cc753912bcc35c100a065c6cd0d397131c9a7dc2e7bfcd28
                            • Instruction Fuzzy Hash: F2115B70E002099FCB95EBBED509A6A7BFAAF8921471044B8D406DB358EA35DC42CB90