
Windows Analysis Report
82eqjqLrzE.exe

Overview

General Information

Sample name: 82eqjqLrzE.exe (renamed because original name is a hash value)
Original sample name: a7f9f165cd238ccbe2ca5803fcd3209d.exe
Analysis ID: 1586390
MD5: a7f9f165cd238ccbe2ca5803fcd3209d
SHA1: 1c145bc3fa28fa807d3c831de524b5806e0de334
SHA256: f98a607f7aed8a5dd5950711a576fede3326857b4254de991abaf9a70e77be7b
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains very large strings
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 82eqjqLrzE.exe (PID: 7556 cmdline: "C:\Users\user\Desktop\82eqjqLrzE.exe" MD5: A7F9F165CD238CCBE2CA5803FCD3209D)
    • conhost.exe (PID: 7564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tempfile (PID: 7628 cmdline: "C:\Users\user\Desktop\tempfile" MD5: E00A1AB434452FD6F77C941C09F257D6)
  • 82eqjqLrzE.exe (PID: 7808 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe" MD5: A7F9F165CD238CCBE2CA5803FCD3209D)
    • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • tempfile (PID: 7876 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile" MD5: E00A1AB434452FD6F77C941C09F257D6)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
Malware configuration: {"External_config_on_Pastebin": "null", "Server": "144.91.79.54", "Ports": "32769", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "TestFile.exe", "Install_File": "MUNGSUVObzNmRlRHdEM2TFlxTUdENVRqYnF6T05oY2o="}
Source | Rule | Description | Author | Strings
Source: C:\Users\user\Desktop\tempfile | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\Desktop\tempfile | Rule: JoeSecurity_GenericDownloader_1 | Description: Yara detected Generic Downloader | Author: Joe Security
Source: C:\Users\user\Desktop\tempfile | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x9915:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xac38:$a2: Stub.exe
  • 0xacc8:$a2: Stub.exe
  • 0x66ff:$a3: get_ActivatePong
  • 0x9b2d:$a4: vmware
  • 0x99a5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x745a:$a6: get_SslClient
Source: C:\Users\user\Desktop\tempfile | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x66ff:$str01: get_ActivatePong
  • 0x745a:$str02: get_SslClient
  • 0x7476:$str03: get_TcpClient
  • 0x5d0e:$str04: get_SendSync
  • 0x5d5e:$str05: get_IsConnected
  • 0x648d:$str06: set_UseShellExecute
  • 0x9c4b:$str07: Pastebin
  • 0x9ccd:$str08: Select * from AntivirusProduct
  • 0xac38:$str09: Stub.exe
  • 0xacc8:$str09: Stub.exe
  • 0x9a25:$str10: timeout 3 > NUL
  • 0x9915:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x99a5:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
Source: C:\Users\user\Desktop\tempfile | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x99a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings
Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp | Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
  • 0x97a7:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x5848d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x6391d:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x6f8e5:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x597b0:$a2: Stub.exe
  • 0x59840:$a2: Stub.exe
  • 0x64c40:$a2: Stub.exe
  • 0x64cd0:$a2: Stub.exe
  • 0x70c08:$a2: Stub.exe
  • 0x70c98:$a2: Stub.exe
  • 0x55277:$a3: get_ActivatePong
  • 0x60707:$a3: get_ActivatePong
  • 0x6c6cf:$a3: get_ActivatePong
  • 0x586a5:$a4: vmware
  • 0x63b35:$a4: vmware
  • 0x6fafd:$a4: vmware
  • 0x5851d:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x639ad:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x6f975:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x55fd2:$a6: get_SslClient
  • 0x61462:$a6: get_SslClient
  • 0x6d42a:$a6: get_SslClient
Source | Rule | Description | Author | Strings
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x7b15:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48ff:$a3: get_ActivatePong
  • 0x7d2d:$a4: vmware
  • 0x7ba5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x565a:$a6: get_SslClient
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack | Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
  • 0x7b15:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x8e38:$a2: Stub.exe
  • 0x8ec8:$a2: Stub.exe
  • 0x48ff:$a3: get_ActivatePong
  • 0x7d2d:$a4: vmware
  • 0x7ba5:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x565a:$a6: get_SslClient
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack | Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
  • 0x48ff:$str01: get_ActivatePong
  • 0x565a:$str02: get_SslClient
  • 0x5676:$str03: get_TcpClient
  • 0x3f0e:$str04: get_SendSync
  • 0x3f5e:$str05: get_IsConnected
  • 0x468d:$str06: set_UseShellExecute
  • 0x7e4b:$str07: Pastebin
  • 0x7ecd:$str08: Select * from AntivirusProduct
  • 0x8e38:$str09: Stub.exe
  • 0x8ec8:$str09: Stub.exe
  • 0x7c25:$str10: timeout 3 > NUL
  • 0x7b15:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0x7ba5:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\tempfile", CommandLine: "C:\Users\user\Desktop\tempfile", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\tempfile, NewProcessName: C:\Users\user\Desktop\tempfile, OriginalFileName: C:\Users\user\Desktop\tempfile, ParentCommandLine: "C:\Users\user\Desktop\82eqjqLrzE.exe", ParentImage: C:\Users\user\Desktop\82eqjqLrzE.exe, ParentProcessId: 7556, ParentProcessName: 82eqjqLrzE.exe, ProcessCommandLine: "C:\Users\user\Desktop\tempfile", ProcessId: 7628, ProcessName: tempfile
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\82eqjqLrzE.exe, ProcessId: 7556, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T01:12:07.785445+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
2025-01-09T01:12:07.785445+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
2025-01-09T01:12:07.785445+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP


AV Detection

Source: 82eqjqLrzE.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\Desktop\tempfile | Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "144.91.79.54", "Ports": "32769", "Version": "0.5.8", "Autorun": "false", "Install_Folder": "TestFile.exe", "Install_File": "MUNGSUVObzNmRlRHdEM2TFlxTUdENVRqYnF6T05oY2o="}
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Virustotal: Detection: 72%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Virustotal: Detection: 77%
Source: C:\Users\user\Desktop\tempfile | ReversingLabs: Detection: 95%
Source: C:\Users\user\Desktop\tempfile | Virustotal: Detection: 77%
Source: 82eqjqLrzE.exe | Virustotal: Detection: 72%
Source: 82eqjqLrzE.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\tempfile | Joe Sandbox ML: detected
Source: 82eqjqLrzE.exe | Joe Sandbox ML: detected
Source: 82eqjqLrzE.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 82eqjqLrzE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 144.91.79.54:32769 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 144.91.79.54:32769 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 144.91.79.54:32769 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 144.91.79.54:32769 -> 192.168.2.4:49730
Source: global traffic | TCP traffic: 144.91.79.54 ports 2,3,6,7,9,32769
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\Desktop\tempfile, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 144.91.79.54:32769
Source: Joe Sandbox View | IP Address: 144.91.79.54
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: unknown | TCP traffic detected without corresponding DNS query: 144.91.79.54 (50 identical entries)
Source: tempfile, 00000002.00000002.4164826482.00000000057A5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.2.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: tempfile, 00000002.00000002.4164826482.00000000057A5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabo
Source: tempfile, 00000002.00000002.4160266032.0000000001577000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enE
Source: tempfile, 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\tempfile, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED

System Summary

Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\Desktop\tempfile, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: C:\Users\user\Desktop\tempfile, type: DROPPED | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
Source: C:\Users\user\Desktop\tempfile, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 | Author: unknown
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED | Matched rule: Detect AsyncRAT based on specific strings | Author: Sekoia.io
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPEDMatched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
                Source: 82eqjqLrzE.exe, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe, -----------------------------------------.csLong String: Length: 12296
                Source: 82eqjqLrzE.exe, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.csLong String: Length: 12296
                Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.csLong String: Length: 12292
                Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.csLong String: Length: 12292
                Source: C:\Users\user\Desktop\82eqjqLrzE.exeProcess Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\82eqjqLrzE.exeCode function: 0_2_00007FFD9BAA0AD50_2_00007FFD9BAA0AD5
                Source: C:\Users\user\Desktop\tempfileCode function: 2_2_033C65C02_2_033C65C0
                Source: C:\Users\user\Desktop\tempfileCode function: 2_2_033C5CF02_2_033C5CF0
                Source: C:\Users\user\Desktop\tempfileCode function: 2_2_033C59A82_2_033C59A8
                Source: C:\Users\user\Desktop\tempfileCode function: 2_2_033CA8782_2_033CA878
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exeCode function: 3_2_00007FFD9BAA0D133_2_00007FFD9BAA0D13
                Source: 82eqjqLrzE.exe, 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameStub.exe" vs 82eqjqLrzE.exe
                Source: 82eqjqLrzE.exe, 00000000.00000000.1714077602.0000000000842000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamecrypted.exe4 vs 82eqjqLrzE.exe
                Source: 82eqjqLrzE.exe, 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameStub.exe" vs 82eqjqLrzE.exe
                Source: 82eqjqLrzE.exeBinary or memory string: OriginalFilenamecrypted.exe4 vs 82eqjqLrzE.exe
                Source: 82eqjqLrzE.exe.0.drBinary or memory string: OriginalFilenamecrypted.exe4 vs 82eqjqLrzE.exe
                Source: 82eqjqLrzE.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\Desktop\tempfile, type: DROPPED, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\Desktop\tempfile, type: DROPPED, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\Desktop\tempfile, type: DROPPED, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED, Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED, Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED, Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 82eqjqLrzE.exe, -----------------------------------------.cs, Cryptographic APIs: 'CreateDecryptor'
Source: 82eqjqLrzE.exe.0.dr, -----------------------------------------.cs, Cryptographic APIs: 'CreateDecryptor'
                Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: tempfile.3.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: tempfile.3.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: tempfile.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: tempfile.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engine | Classification label: mal100.troj.adwa.evad.winEXE@8/8@0/1
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Mutant created: NULL
                Source: C:\Users\user\Desktop\tempfile | Mutant created: \Sessions\1\BaseNamedObjects\E9IiT5JzUivo
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
                Source: 82eqjqLrzE.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 82eqjqLrzE.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: 82eqjqLrzE.exe | Virustotal: Detection: 72%
                Source: 82eqjqLrzE.exe | ReversingLabs: Detection: 83%
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File read: C:\Users\user\Desktop\82eqjqLrzE.exe
                Source: unknown | Process created: C:\Users\user\Desktop\82eqjqLrzE.exe "C:\Users\user\Desktop\82eqjqLrzE.exe"
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Process created: C:\Users\user\Desktop\tempfile "C:\Users\user\Desktop\tempfile"
                Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe"
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile"
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: ntmarta.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: version.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: secur32.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: schannel.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: mskeyprotect.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: ntasn1.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: ncrypt.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: ncryptsslp.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: cryptnet.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: winnsi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: winhttp.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: ondemandconnroutehelper.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: dhcpcsvc6.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: dhcpcsvc.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: webio.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: rasadhlp.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: fwpuclnt.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: cabinet.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: wbemcomn.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\tempfile | Section loaded: userenv.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: mscoree.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: version.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: windows.storage.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: wldp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: profapi.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: cryptsp.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: rsaenh.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: cryptbase.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: sspicli.dll
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\tempfile | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                Source: 82eqjqLrzE.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 82eqjqLrzE.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Code function: 0_2_00007FFD9BAA00BD pushad ; iretd 0_2_00007FFD9BAA00C1
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Code function: 0_2_00007FFD9BAA0AB2 push ebx; retf 0_2_00007FFD9BAA0AB3
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Code function: 3_2_00007FFD9BAA0C29 push edx; retf 3_2_00007FFD9BAA0C2B
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Code function: 3_2_00007FFD9BAA00BD pushad ; iretd 3_2_00007FFD9BAA00C1
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Code function: 3_2_00007FFD9BAA0AB2 push ebx; retf 3_2_00007FFD9BAA0AB3
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File created: C:\Users\user\Desktop\tempfile

                Boot Survival

                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\Desktop\tempfile, type: DROPPED
                Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe\:Zone.Identifier:$DATA
                Source: C:\Users\user\Desktop\tempfile | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\tempfile | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT
                Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\tempfile | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfileProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion

Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\tempfile, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED
Source: 82eqjqLrzE.exe, 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, 82eqjqLrzE.exe, 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, tempfile.3.dr, tempfile.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Memory allocated: DA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Memory allocated: 1ABA0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\tempfile | Memory allocated: 31D0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\tempfile | Memory allocated: 3420000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\tempfile | Memory allocated: 3220000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Memory allocated: 520000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Memory allocated: 1A4A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Memory allocated: C40000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Memory allocated: 25F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Memory allocated: 45F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\tempfile | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Window / User API: threadDelayed 2276
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Window / User API: threadDelayed 7684
Source: C:\Users\user\Desktop\tempfile | Window / User API: threadDelayed 7159
Source: C:\Users\user\Desktop\tempfile | Window / User API: threadDelayed 2685
Source: C:\Users\user\Desktop\82eqjqLrzE.exe TID: 7624 | Thread sleep time: -2276000s >= -30000s
Source: C:\Users\user\Desktop\82eqjqLrzE.exe TID: 7624 | Thread sleep time: -7684000s >= -30000s
Source: C:\Users\user\Desktop\tempfile TID: 7716 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\tempfile TID: 7740 | Thread sleep time: -16602069666338586s >= -30000s
Source: C:\Users\user\Desktop\tempfile TID: 7748 | Thread sleep count: 7159 > 30
Source: C:\Users\user\Desktop\tempfile TID: 7748 | Thread sleep count: 2685 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe TID: 7864 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile TID: 7896 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\tempfile | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\tempfile | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: tempfile.0.dr | Binary or memory string: vmware
Source: tempfile, 00000002.00000002.4165413556.000000000586F000.00000004.00000020.00020000.00000000.sdmp, tempfile, 00000002.00000002.4165149998.000000000582E000.00000004.00000020.00020000.00000000.sdmp, tempfile, 00000002.00000002.4160266032.0000000001577000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\tempfile | Process token adjusted: Debug
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Memory allocated: page read and write | page guard
Source: tempfile, 00000002.00000002.4161978474.0000000003473000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q
Source: tempfile, 00000002.00000002.4161978474.0000000003473000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: tempfile, 00000002.00000002.4161978474.0000000003473000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager@\^q%
Source: tempfile, 00000002.00000002.4161978474.00000000034AC000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q|
Source: tempfile, 00000002.00000002.4161978474.0000000003473000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^qPEG
Source: tempfile, 00000002.00000002.4161978474.0000000003473000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^qpCG
Source: tempfile, 00000002.00000002.4161978474.00000000034AC000.00000004.00000800.00020000.00000000.sdmp, tempfile, 00000002.00000002.4161978474.0000000003481000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program ManagerTe^q
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Queries volume information: C:\Users\user\Desktop\82eqjqLrzE.exe VolumeInformation
Source: C:\Users\user\Desktop\tempfile | Queries volume information: C:\Users\user\Desktop\tempfile VolumeInformation
Source: C:\Users\user\Desktop\tempfile | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\tempfile | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile VolumeInformation
Source: C:\Users\user\Desktop\82eqjqLrzE.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.252bfd0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c2c018.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.tempfile.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c20050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.82eqjqLrzE.exe.2c14bc0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2514b78.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.82eqjqLrzE.exe.2520008.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7556, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: tempfile PID: 7628, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 82eqjqLrzE.exe PID: 7808, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\Desktop\tempfile, type: DROPPED
Source: Yara match | File source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, type: DROPPED
Source: tempfile, 00000002.00000002.4165149998.000000000582E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\tempfile | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 Scheduled Task/Job | 2 Process Injection | 11 Masquerading | OS Credential Dumping | 1 Query Registry | Remote Services | 11 Archive Collected Data | 1 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 12 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Disable or Modify Tools | LSASS Memory | 221 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 1 Non-Standard Port | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 12 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Steganography | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 2 Process Injection | NTDS | 31 Virtualization/Sandbox Evasion | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 111 Obfuscated Files or Information | Cached Domain Credentials | 1 File and Directory Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | 13 System Information Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Source | Detection | Scanner | Label
82eqjqLrzE.exe | 72% | Virustotal |
82eqjqLrzE.exe | 83% | ReversingLabs | ByteCode-MSIL.Dropper.Crysan
82eqjqLrzE.exe | 100% | Avira | TR/Dropper.Gen
82eqjqLrzE.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | 100% | Avira | TR/Dropper.Gen
C:\Users\user\Desktop\tempfile | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | 100% | Joe Sandbox ML |
C:\Users\user\Desktop\tempfile | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | 71% | ReversingLabs | ByteCode-MSIL.Dropper.Crysan
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe | 72% | Virustotal |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile | 77% | Virustotal |
C:\Users\user\Desktop\tempfile | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
C:\Users\user\Desktop\tempfile | 77% | Virustotal |
                No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | 217.20.57.23 | true | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | tempfile, 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
144.91.79.54 | unknown | Germany | | 51167 | CONTABODE | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1586390
Start date and time: 2025-01-09 01:11:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 9
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Sample name: 82eqjqLrzE.exe (renamed because original name is a hash value)
Original Sample Name: a7f9f165cd238ccbe2ca5803fcd3209d.exe
Detection: MAL
Classification: mal100.troj.adwa.evad.winEXE@8/8@0/1
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 70
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 199.232.214.172, 52.149.20.212, 13.107.246.45, 20.12.23.50
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target tempfile, PID 7628 because it is empty
• Execution Graph export aborted for target tempfile, PID 7876 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
00:12:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
19:12:08 | API Interceptor | 2x Sleep call for process: tempfile modified
19:12:34 | API Interceptor | 17133314x Sleep call for process: 82eqjqLrzE.exe modified
Match: 144.91.79.54
Associated Sample Name / URL | Detection | Threat Name | Context
Ref#501032.vbe | malicious | MassLogger RAT
• 144.91.79.54/1211/file
Ref#150062.vbe | malicious | MassLogger RAT
• 144.91.79.54/1211/file
BankInformation.vbe | malicious | AgentTesla
• 144.91.79.54/1211/file
Ref#2073306.vbe | malicious | MicroClip
• 144.91.79.54/0911/file
SWIFTCOPY202973783.vbe | malicious | AgentTesla
• 144.91.79.54/0911/file
Ref#130709.vbe | malicious | MassLogger RAT
• 144.91.79.54/0911/file
MV EAGLE EYE RFQ-92008882920-PDF.vbs | malicious | Unknown
• 144.91.79.54/2210/file
Urgent Quotation documents One Pdf.vbs | malicious | AgentTesla
• 144.91.79.54/2210/file
Chronopost_FormulaireAdresse.vbs | malicious | AsyncRAT
• 144.91.79.54/2210/file
Ref#150689.vbe | malicious | AgentTesla
• 144.91.79.54/1210/file
Match: bg.microsoft.map.fastly.net
Associated Sample Name / URL | Detection | Threat Name | Context
EEdSGSana5.exe | malicious | AsyncRAT
• 199.232.210.172
Magicleap-bonus disbursment.pdf | malicious | Unknown
• 199.232.210.172
eqRHH2whJu.exe | malicious | Unknown
• 199.232.210.172
Selvi Payroll Benefits & Bonus Agreementfdp.pdf | malicious | Unknown
• 199.232.214.172
atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT
• 199.232.210.172
proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer
• 199.232.214.172
Payment-Order #24560274 for 8,380 USD.exe | malicious | XWorm
• 199.232.214.172
PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe | malicious | AsyncRAT, PureLog Stealer
• 199.232.210.172
invoice-1623385214.pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT
• 199.232.214.172
PO#3311-20250108003.xls | malicious | Unknown
• 199.232.210.172
Match: default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com
Associated Sample Name / URL | Detection | Threat Name | Context
Solara.exe | malicious | Unknown
• 217.20.57.35
Sales Acknowledgement - HES #982323.pdf | malicious | Unknown
• 84.201.210.39
file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown
• 217.20.57.36
Setup.exe | malicious | LummaC
• 217.20.57.18
Insomia.exe | malicious | LummaC
• 84.201.210.35
T1#U5b89#U88c5#U53052.0.6.msi | malicious | Unknown
• 84.201.210.34
dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown
• 84.201.210.22
Dd5DwDCHJD.exe | malicious | Quasar
• 217.20.57.35
46VHQmFDxC.exe | malicious | RedLine
• 217.20.57.43
Payment-Order #24560274 for 8,380 USD.exe | malicious | AsyncRAT, PureLog Stealer, zgRAT
• 217.20.57.35
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
Match: CONTABODE
DF2.exe | Get hash | malicious | Unknown | Browse
• 173.249.2.110
Electrum-bch-4.4.2-x86_64.AppImage.elf | Get hash | malicious | Unknown | Browse
• 173.249.11.35
bot.m68k.elf | Get hash | malicious | Mirai | Browse
• 95.212.118.93
bot.mips.elf | Get hash | malicious | Mirai | Browse
• 95.212.118.77
SC_TR11670000_pdf.exe | Get hash | malicious | FormBook | Browse
• 161.97.142.144
payload-c17f7df6-cf80-43d5-8c60-eca90366debb.exe | Get hash | malicious | Metasploit | Browse
• 178.238.231.204
RFQ3978 39793980.pdf.exe | Get hash | malicious | FormBook | Browse
• 161.97.142.144
ORDER-401.exe | Get hash | malicious | FormBook | Browse
• 161.97.142.144
SHIPPING DOCUMENTS_PDF.exe | Get hash | malicious | FormBook | Browse
• 161.97.142.144
PO2412010.exe | Get hash | malicious | FormBook | Browse
• 161.97.142.144
                      No context
                      No context
                      Process:C:\Users\user\Desktop\tempfile
                      File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                      Category:dropped
                      Size (bytes):71954
                      Entropy (8bit):7.996617769952133
                      Encrypted:true
                      SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                      MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                      SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                      SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                      SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                      Process:C:\Users\user\Desktop\tempfile
                      File Type:data
                      Category:dropped
                      Size (bytes):328
                      Entropy (8bit):3.2441017925653757
                      Encrypted:false
                      SSDEEP:6:kK5lL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:2DImsLNkPlE99SNxAhUe/3
                      MD5:04EA33E30CC0CEDB01E5CC7D7D4597C5
                      SHA1:4998A99B4AA1D45B6D1DA482EFE0C5625A06232A
                      SHA-256:E2591A910603BAA9EE93668A51450C8F670F3B7C53C4549B443F32F04E01665D
                      SHA-512:8C3CA07B586AE8FC55A084322C7A7694CDC16EC442A7E4A0B89BB61C0B6E9B124D28C29C9570BFADD61322A8BA3933C829550CD96A66CAFB8FC7A306E108A21F
                      Malicious:false
                      Reputation:low
                      Preview:p...... ..........Y.+b..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                      File Type:CSV text
                      Category:dropped
                      Size (bytes):425
                      Entropy (8bit):5.357964438493834
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPXcp1OKbbDLI4MWuPOKfSSI6Khav:ML9E4KQwKDE4KGKZI6Khk
                      MD5:D8F8A79B5C09FCB6F44E8CFFF11BF7CA
                      SHA1:669AFE705130C81BFEFECD7CC216E6E10E72CB81
                      SHA-256:91B010B5C9F022F3449F161425F757B276021F63B024E8D8ED05476509A6D406
                      SHA-512:C95CB5FC32843F555EFA7CCA5758B115ACFA365A6EEB3333633A61CA50A90FEFAB9B554C3776FFFEA860FEF4BF47A6103AFECF3654C780287158E2DBB8137767
                      Malicious:true
                      Reputation:moderate, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..
                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile
                      File Type:CSV text
                      Category:dropped
                      Size (bytes):425
                      Entropy (8bit):5.353683843266035
                      Encrypted:false
                      SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                      MD5:859802284B12C59DDBB85B0AC64C08F0
                      SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                      SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                      SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                      Malicious:false
                      Reputation:high, very likely benign file
                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                      Process:C:\Users\user\Desktop\82eqjqLrzE.exe
                      File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):165888
                      Entropy (8bit):4.701012294126888
                      Encrypted:false
                      SSDEEP:3072:OHUWEdcWRJy1kI4E/BaSv9krW5xpvp4mKawJ1X3zsIW0sk0Y1:OHUWEdcWRYcEUS7pviIAs19
                      MD5:A7F9F165CD238CCBE2CA5803FCD3209D
                      SHA1:1C145BC3FA28FA807D3C831DE524B5806E0DE334
                      SHA-256:F98A607F7AED8A5DD5950711A576FEDE3326857B4254DE991ABAF9A70E77BE7B
                      SHA-512:F352947E7E3F9FD7157539C2890FFBFCE6A933AF4DF047E47661C7BE8E66AFE7BA994910174641915C1FF6626FBAA897C020F662AC723BC8606CD0100A613ED7
                      Malicious:true
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 71%
                      • Antivirus: Virustotal, Detection: 72%, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zg.................~............... ........@.. ....................................@....................................W.................................................................................... ............... ..H............text...4}... ...~.................. ..`.rsrc...............................@..@.reloc..............................@..B........................H.......\...xn............................................................(0...*.0................(....r...p......%......(.....o......,d ..@. .`d.a%..^E....<...|.......d.......+zr/..p........%.r3..p.o....o....-. ....%+. .!..%&. A..$Za+........s....s....%.o.....o.... .aE.8y....(..... -&..Z d...a8a...*....0..Q........u......:.... 3... ....a%...^E....W...o.......................4...............8.....o....,. \..&%+. ..'.%&+...o..... ....Z .a..a+.(....-. ...%+. .eQ.%&. .B.:Za8m..
                      Process:C:\Users\user\Desktop\82eqjqLrzE.exe
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):26
                      Entropy (8bit):3.95006375643621
                      Encrypted:false
                      SSDEEP:3:ggPYV:rPYV
                      MD5:187F488E27DB4AF347237FE461A079AD
                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                      Malicious:true
                      Preview:[ZoneTransfer]....ZoneId=0
                      Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:dropped
                      Size (bytes):46080
                      Entropy (8bit):5.445512357577953
                      Encrypted:false
                      SSDEEP:768:Nu2/0TckJ26WUsFvgmo2q7MKjPGaG6PIyzjbFgX3iE8ealLUbsC1h4tBDZOx:Nu2/0TceH2ZKTkDy3bCXSTOsC1SdOx
                      MD5:E00A1AB434452FD6F77C941C09F257D6
                      SHA1:19E5BB008A1C4560C60F503E03C51A5934DB1015
                      SHA-256:DA22AB3197CE1C6B427ECD1111166020C8FEBA35D4153296D439F56C7B4502E8
                      SHA-512:D3AD25EED77E5E55C44C623FA2A48E9C3705DA0D14696A4D9A6297D471EB3E594F6E5CF4871F3A9B258C274EFFC44936160BD06420152D7BBD53CC89B7420EA2
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Joe Security
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: unknown
                      • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Sekoia.io
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: ditekSHen
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 96%
                      • Antivirus: Virustotal, Detection: 77%, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y...l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*VrP%.p~....(o....#...*.s...
                      Process:C:\Users\user\Desktop\82eqjqLrzE.exe
                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Category:modified
                      Size (bytes):46080
                      Entropy (8bit):5.445512357577953
                      Encrypted:false
                      SSDEEP:768:Nu2/0TckJ26WUsFvgmo2q7MKjPGaG6PIyzjbFgX3iE8ealLUbsC1h4tBDZOx:Nu2/0TceH2ZKTkDy3bCXSTOsC1SdOx
                      MD5:E00A1AB434452FD6F77C941C09F257D6
                      SHA1:19E5BB008A1C4560C60F503E03C51A5934DB1015
                      SHA-256:DA22AB3197CE1C6B427ECD1111166020C8FEBA35D4153296D439F56C7B4502E8
                      SHA-512:D3AD25EED77E5E55C44C623FA2A48E9C3705DA0D14696A4D9A6297D471EB3E594F6E5CF4871F3A9B258C274EFFC44936160BD06420152D7BBD53CC89B7420EA2
                      Malicious:true
                      Yara Hits:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\tempfile, Author: Joe Security
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\tempfile, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\Desktop\tempfile, Author: unknown
                      • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\Desktop\tempfile, Author: Sekoia.io
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\Desktop\tempfile, Author: ditekSHen
                      Antivirus:
                      • Antivirus: Avira, Detection: 100%
                      • Antivirus: Joe Sandbox ML, Detection: 100%
                      • Antivirus: ReversingLabs, Detection: 96%
                      • Antivirus: Virustotal, Detection: 77%, Browse
                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e................................. ........@.. ....................... ............@.....................................K.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y...l.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*VrP%.p~....(o....#...*.s...
                      File type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):4.701012294126888
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                      • Win32 Executable (generic) a (10002005/4) 49.78%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      • DOS Executable Generic (2002/1) 0.01%
                      File name:82eqjqLrzE.exe
                      File size:165'888 bytes
                      MD5:a7f9f165cd238ccbe2ca5803fcd3209d
                      SHA1:1c145bc3fa28fa807d3c831de524b5806e0de334
                      SHA256:f98a607f7aed8a5dd5950711a576fede3326857b4254de991abaf9a70e77be7b
                      SHA512:f352947e7e3f9fd7157539c2890ffbfce6a933af4df047e47661c7be8e66afe7ba994910174641915c1ff6626fbaa897c020f662ac723bc8606cd0100a613ed7
                      SSDEEP:3072:OHUWEdcWRJy1kI4E/BaSv9krW5xpvp4mKawJ1X3zsIW0sk0Y1:OHUWEdcWRYcEUS7pviIAs19
                      TLSH:C0F3132839EA705EF173EE759FD43CA6DA5EB673270B541A1053038A8B1ED43CE9143A
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....zg.................~............... ........@.. ....................................@................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x429d2e
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows cui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x677A178D [Sun Jan 5 05:24:29 2025 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the rest of the disassembled entrypoint region is 00 00 byte padding, which decodes to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x29cd4 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2a000 | 0x4ce | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2c000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x27d34 | 0x27e00 | 6fd6a89147e334d58a092dc406a58571 | False | 0.4611456700626959 | data | 4.71157345448764 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x2a000 | 0x4ce | 0x600 | e0651b41454eeaafc4724e6f2ade55ad | False | 0.37109375 | data | 3.714878526660704 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2c000 | 0xc | 0x200 | 074a5de55ee9576330fd10e81f16f9b5 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x2a0a0 | 0x244 | data | | | 0.46379310344827585
RT_MANIFEST | 0x2a2e4 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T01:12:07.785445+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
2025-01-09T01:12:07.785445+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
2025-01-09T01:12:07.785445+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
2025-01-09T01:12:07.785445+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 144.91.79.54 | 32769 | 192.168.2.4 | 49730 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 9, 2025 01:12:06.894884109 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:06.899795055 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:06.899872065 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:06.911355972 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:06.916177988 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:07.773891926 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:07.773912907 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:07.773988962 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:07.780664921 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:07.785444975 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:08.119621992 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:08.161653996 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:09.530853033 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:09.535696030 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:09.535753965 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:09.540537119 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.459564924 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:20.464396000 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.464481115 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:20.469291925 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.836832047 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.880465031 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:20.973927975 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.980290890 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:20.985109091 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:20.985179901 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:20.989937067 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:31.603703976 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:31.608586073 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:31.608637094 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:31.613460064 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:31.917157888 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:31.958831072 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:32.052136898 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:32.054626942 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:32.059462070 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:32.059539080 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:32.064315081 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:37.888434887 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:37.942950010 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:38.020536900 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:38.067976952 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:42.537250042 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:42.542078018 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:42.542154074 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:42.546921015 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:42.849859953 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:42.896203995 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:42.989778042 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:42.991966963 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:42.996745110 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:42.996808052 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:43.001614094 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.474693060 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:53.479569912 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.479674101 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:53.484460115 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.788991928 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.833609104 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:53.927279949 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.933944941 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:53.939265013 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:12:53.943223000 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:12:53.948466063 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.412240982 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:13:04.417140007 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.417187929 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:13:04.421935081 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.726695061 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.771226883 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:13:04.864733934 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.866553068 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:13:04.871438980 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:04.871495962 CET | 49730 | 32769 | 192.168.2.4 | 144.91.79.54
Jan 9, 2025 01:13:04.876282930 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
Jan 9, 2025 01:13:07.896157980 CET | 32769 | 49730 | 144.91.79.54 | 192.168.2.4
                      Jan 9, 2025 01:13:07.942994118 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:08.037034988 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:08.083614111 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:15.473613024 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:15.478468895 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:15.480015039 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:15.484817982 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:15.861032009 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:15.927393913 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:16.005645990 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:16.013487101 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:16.018281937 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:16.018476009 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:16.023255110 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.396616936 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:26.401484966 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.401649952 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:26.406636953 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.709477901 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.818049908 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:26.849942923 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.852344990 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:26.857063055 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:26.857177973 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:26.861957073 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.334465027 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:37.339250088 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.339293957 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:37.344055891 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.647033930 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.787350893 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.787404060 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:37.790471077 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:37.795227051 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.795280933 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:37.800144911 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:37.928080082 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:38.132013083 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.271766901 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.277209044 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:48.277321100 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.282818079 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:48.654002905 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:48.787575960 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:48.787694931 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.791596889 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.796485901 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:48.796586037 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:48.801665068 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.209356070 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:59.214287996 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.214340925 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:59.219192982 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.531395912 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.630609989 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:59.663156986 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.665410995 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:59.670284033 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:13:59.670332909 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:13:59.675200939 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:07.896071911 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:08.038207054 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:08.038278103 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.146626949 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.151475906 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:10.151633978 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.156398058 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:10.458687067 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:10.600749016 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:10.600922108 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.617568970 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.622354031 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:10.626362085 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:10.631234884 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.084403992 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:21.089279890 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.089324951 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:21.094127893 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.396090031 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.521251917 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:21.538326979 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.540626049 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:21.545510054 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:21.545551062 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:21.550288916 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.022145987 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:32.027128935 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.027179956 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:32.031996965 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.335024118 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.475902081 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.478321075 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:32.487704039 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:32.492554903 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:32.494520903 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:32.499284029 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:37.885566950 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:37.927544117 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:38.022809029 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:38.132091999 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:42.959676027 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:42.964492083 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:42.966207981 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:42.971020937 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:43.275506020 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:43.318372011 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:43.413683891 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:43.416313887 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:43.421247005 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:43.421291113 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:43.426064968 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:53.896805048 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.130707026 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.169630051 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.169640064 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.176229000 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.181036949 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.348670006 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.492039919 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.492214918 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.494781971 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.499532938 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:14:54.500185013 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:14:54.504925966 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:04.834259033 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:04.910016060 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:04.910271883 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:04.915165901 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:05.218869925 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:05.333827019 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:05.351450920 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:05.354310989 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:05.359124899 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:05.359179020 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:05.364012003 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:07.891531944 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:08.021339893 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:08.023272991 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:08.130714893 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:08.379235029 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:08.380264997 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:15.771889925 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:15.796900034 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:15.796957016 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:15.801800013 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:16.109621048 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:16.242414951 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:16.242561102 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:16.245491028 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:16.250323057 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:16.252197027 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:16.256912947 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:26.712163925 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:26.717019081 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:26.720230103 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:26.725027084 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:27.241530895 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:27.318252087 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:27.398804903 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:27.401338100 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:27.406178951 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:27.406235933 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:27.410978079 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:37.646950006 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:37.651779890 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:37.651829004 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:37.656620979 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:37.890053988 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:38.021517992 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:38.021575928 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:38.113146067 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:38.115794897 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:38.121345997 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:38.121392012 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:38.126192093 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:48.584275007 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:48.589099884 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:48.592278957 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:48.597176075 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:48.896827936 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:49.023195982 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:49.039680004 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:49.045759916 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:49.050574064 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:49.056278944 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:49.061086893 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.522310972 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:59.528582096 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.528629065 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:59.534931898 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.836376905 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.927671909 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:59.977319956 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.979165077 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:59.984020948 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:15:59.984066010 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:15:59.988809109 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.397181034 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:07.403696060 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.403764963 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:07.410160065 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.709892035 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.755820036 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:07.853389978 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.854120016 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:07.858889103 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.858939886 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:07.863709927 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:07.993304968 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:08.037065029 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.334356070 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.339293003 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:18.339370012 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.344208002 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:18.647821903 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:18.695369005 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.790345907 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:18.791945934 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.796706915 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:18.800306082 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:18.806152105 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.271929026 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:29.277002096 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.277060986 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:29.281827927 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.587631941 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.630870104 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:29.743761063 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.744582891 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:29.749370098 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:29.749475002 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:29.754245043 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:37.900665998 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:37.943378925 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:38.071027040 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:38.115250111 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.209381104 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.214298964 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:40.214358091 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.219153881 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:40.523188114 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:40.568397999 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.665716887 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:40.666539907 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.671406984 CET3276949730144.91.79.54192.168.2.4
                      Jan 9, 2025 01:16:40.671503067 CET4973032769192.168.2.4144.91.79.54
                      Jan 9, 2025 01:16:40.676311970 CET3276949730144.91.79.54192.168.2.4
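                      The packet rows above show a steady beacon: the analysis VM (192.168.2.4, local port 49730) reopens the exchange with 144.91.79.54:32769 about every 11 seconds, and the server sends a short exchange of its own about every 30 seconds (01:12:37, 01:13:07, 01:14:07, ...). The script below is an added example for this page, not part of the Joe Sandbox report and not code from the sample. It parses packet rows in the flattened form extracted here (or in a '|'-separated form with a header), discards replies, and scores the cadence of client-initiated rounds so the C2 endpoint and its interval fall out of the table. Its input is a constructed subset of the rows above. Assumptions that are mine rather than the report's: both ports are five digits, 192.168.2.4 is the client, and the reply window (1 s), quiet gap (2 s), minimum round count (5) and jitter threshold (10%) are tuning choices.

```python
"""Beacon-cadence check over the "TCP Packets" rows of a Joe Sandbox report.

Added example for this page: not part of the report and not code from the
AsyncRAT sample. SAMPLE_ROWS are rows copied from the report's packet table
(analysis VM 192.168.2.4 <-> 144.91.79.54:32769) in the flattened form the
page extracts to: "<timestamp> CET<src port><dst port><src IP><dst IP>".
Assumptions (mine, not the report's): both ports are five digits, which holds
for every row on this page, and 192.168.2.4 is the client.
"""
import ipaddress
import re
import statistics
from collections import defaultdict, namedtuple
from datetime import datetime

# Constructed input: a subset of the report's rows. Two server-initiated
# exchanges (01:12:37, 01:13:07) are included; they must not count as rounds.
SAMPLE_ROWS = """\
Jan 9, 2025 01:12:37.888434887 CET3276949730144.91.79.54192.168.2.4
Jan 9, 2025 01:12:37.942950010 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:12:42.537250042 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:12:42.542078018 CET3276949730144.91.79.54192.168.2.4
Jan 9, 2025 01:12:42.542154074 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:12:53.474693060 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:13:04.412240982 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:13:07.896157980 CET3276949730144.91.79.54192.168.2.4
Jan 9, 2025 01:13:07.942994118 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:13:15.473613024 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:13:26.396616936 CET4973032769192.168.2.4144.91.79.54
Jan 9, 2025 01:13:37.334465027 CET4973032769192.168.2.4144.91.79.54
"""

Packet = namedtuple("Packet", "ts src sport dst dport")
FLAT_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} [\d:]{8}\.\d+) CET(?P<rest>\d[\d.]*)$")

def parse_ts(ts):
    # The report prints nanoseconds; strptime's %f takes at most six digits.
    head, frac = ts.rsplit(".", 1)
    return datetime.strptime(f"{head}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")

def _valid_ipv4(s):
    try:
        ipaddress.IPv4Address(s)
        return True
    except ValueError:
        return False

def split_fused_ips(blob, client_ip):
    # "192.168.2.4144.91.79.54" fuses the adjacent octets into "4144", which
    # cuts validly as 4|144 or 41|44. Keep cuts that give two valid addresses
    # and prefer the one containing the known client address.
    parts = blob.split(".")
    if len(parts) != 7:
        raise ValueError(f"not two fused IPv4 addresses: {blob!r}")
    fused, candidates = parts[3], []
    for cut in range(1, len(fused)):
        a = ".".join(parts[:3] + [fused[:cut]])
        b = ".".join([fused[cut:]] + parts[4:])
        if _valid_ipv4(a) and _valid_ipv4(b):
            candidates.append((a, b))
    preferred = [c for c in candidates if client_ip in c]
    if len(preferred) == 1 or len(candidates) == 1:
        return (preferred or candidates)[0]
    raise ValueError(f"ambiguous fused IPv4 pair: {blob!r}")

def parse_rows(text, client_ip):
    # Accepts the flattened rows or "|"-separated rows with a header line.
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Timestamp"):
            continue
        if "|" in line:
            ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")][:5]
            ts = ts[:-4] if ts.endswith(" CET") else ts
        else:
            m = FLAT_RE.match(line)
            if not m:
                continue
            ts, rest = m["ts"], m["rest"]
            sport, dport = rest[:5], rest[5:10]  # five-digit ports assumed
            sip, dip = split_fused_ips(rest[10:], client_ip)
        packets.append(Packet(parse_ts(ts), sip, int(sport), dip, int(dport)))
    return packets

def beacon_rounds(packets, client_ip, reply_window=1.0, quiet=2.0):
    # A client packet within reply_window s of the last packet from that
    # server is a reply/ACK. Of the rest, one more than `quiet` s after the
    # previous retained client packet starts a new client-initiated round.
    rounds, last_from_server, last_client = defaultdict(list), {}, {}
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dst == client_ip:
            last_from_server[(p.src, p.sport)] = p.ts
            continue
        if p.src != client_ip:
            continue
        key = (p.dst, p.dport)
        srv = last_from_server.get(key)
        if srv is not None and (p.ts - srv).total_seconds() <= reply_window:
            continue
        prev = last_client.get(key)
        if prev is None or (p.ts - prev).total_seconds() > quiet:
            rounds[key].append(p.ts)
        last_client[key] = p.ts
    return rounds

def beacon_score(starts, min_rounds=5, max_jitter=0.1):
    # Median interval and jitter = median absolute deviation / median.
    if len(starts) < min_rounds:
        return None
    secs = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    med = statistics.median(secs)
    mad = statistics.median(abs(s - med) for s in secs)
    return {"rounds": len(starts), "median_s": med,
            "jitter": mad / med, "beacon": mad / med < max_jitter}

def summarize(text, client_ip):
    rounds = beacon_rounds(parse_rows(text, client_ip), client_ip)
    scored = {f"{ip}:{port}": beacon_score(s) for (ip, port), s in rounds.items()}
    return {k: v for k, v in scored.items() if v}

if __name__ == "__main__":
    for ep, s in summarize(SAMPLE_ROWS, "192.168.2.4").items():
        print(f"{ep}: {s['rounds']} rounds, median {s['median_s']:.3f} s, "
              f"jitter {s['jitter']:.1e}, beacon={s['beacon']}")
```

                      On the constructed subset this reports one endpoint, 144.91.79.54:32769, with six client-initiated rounds at a median of about 10.94 s and negligible jitter. Two things are worth keeping in mind when reusing it: the fused-IP split is only unambiguous because the client address is known, so pass the sandbox VM address explicitly, and the reply window hides the server's own 30-second exchanges rather than scoring them; a server-initiated keep-alive is a second, independent cadence.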
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Jan 9, 2025 01:12:08.280997992 CET | 1.1.1.1 | 192.168.2.4 | 0x3145 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:08.280997992 CET | 1.1.1.1 | 192.168.2.4 | 0x3145 | No error (0) | bg.microsoft.map.fastly.net | - | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | edge.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | CNAME (Canonical name) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.57.23 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 84.201.210.36 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.57.42 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.57.38 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 84.201.210.21 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 217.20.57.41 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 84.201.210.19 | A (IP address) | IN (0x0001) | false
                      Jan 9, 2025 01:12:19.943397045 CET | 1.1.1.1 | 192.168.2.4 | 0xda79 | No error (0) | default.qdr.p1.ds-c7110-microsoft.global.dns.qwilted-cds.cqloud.com | - | 84.201.210.38 | A (IP address) | IN (0x0001) | false

                      Target ID:0
                      Start time:19:12:01
                      Start date:08/01/2025
                      Path:C:\Users\user\Desktop\82eqjqLrzE.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\Desktop\82eqjqLrzE.exe"
                      Imagebase:0x840000
                      File size:165'888 bytes
                      MD5 hash:A7F9F165CD238CCBE2CA5803FCD3209D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.4161121191.0000000002BC8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Reputation:low
                      Has exited:false

                      Target ID:1
                      Start time:19:12:01
                      Start date:08/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:false

                      Target ID:2
                      Start time:19:12:02
                      Start date:08/01/2025
                      Path:C:\Users\user\Desktop\tempfile
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\tempfile"
                      Imagebase:0xf80000
                      File size:46'080 bytes
                      MD5 hash:E00A1AB434452FD6F77C941C09F257D6
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000002.00000000.1718915320.0000000000F82000.00000002.00000001.01000000.00000006.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000002.00000002.4161978474.0000000003421000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\Desktop\tempfile, Author: Joe Security
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\Desktop\tempfile, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\Desktop\tempfile, Author: unknown
                      • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\Desktop\tempfile, Author: Sekoia.io
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\Desktop\tempfile, Author: ditekSHen
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 96%, ReversingLabs
                      • Detection: 77%, Virustotal
                      Reputation:low
                      Has exited:false

                      Target ID:3
                      Start time:19:12:14
                      Start date:08/01/2025
                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe
                      Wow64 process (32bit):false
                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\82eqjqLrzE.exe"
                      Imagebase:0xa0000
                      File size:165'888 bytes
                      MD5 hash:A7F9F165CD238CCBE2CA5803FCD3209D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000003.00000002.1906014341.00000000024C6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 71%, ReversingLabs
                      • Detection: 72%, Virustotal
                      Reputation:low
                      Has exited:true

                      Target ID:4
                      Start time:19:12:14
                      Start date:08/01/2025
                      Path:C:\Windows\System32\conhost.exe
                      Wow64 process (32bit):false
                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Imagebase:0x7ff7699e0000
                      File size:862'208 bytes
                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Reputation:high
                      Has exited:true

                      Target ID:5
                      Start time:19:12:15
                      Start date:08/01/2025
                      Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile"
                      Imagebase:0x2e0000
                      File size:46'080 bytes
                      MD5 hash:E00A1AB434452FD6F77C941C09F257D6
                      Has elevated privileges:false
                      Has administrator privileges:false
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Joe Security
                      • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Joe Security
                      • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: unknown
                      • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: Sekoia.io
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tempfile, Author: ditekSHen
                      Antivirus matches:
                      • Detection: 100%, Avira
                      • Detection: 100%, Joe Sandbox ML
                      • Detection: 96%, ReversingLabs
                      • Detection: 77%, Virustotal
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:26.8%
                        Dynamic/Decrypted Code Coverage:100%
                        Signature Coverage:0%
                        Total number of Nodes:6
                        Total number of Limit Nodes:0

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available
                        callgraph 0 Function_00007FFD9BAA1016 1 Function_00007FFD9BAA0518 2 Function_00007FFD9BAA0398 3 Function_00007FFD9BAA111A 4 Function_00007FFD9BAA1699 5 Function_00007FFD9BAA0590 6 Function_00007FFD9BAA180F 7 Function_00007FFD9BAA118F 8 Function_00007FFD9BAA0B8F 8->1 31 Function_00007FFD9BAA04E8 8->31 9 Function_00007FFD9BAA1094 10 Function_00007FFD9BAA0108 11 Function_00007FFD9BAA028A 12 Function_00007FFD9BAA000C 13 Function_00007FFD9BAA098B 14 Function_00007FFD9BAA037D 15 Function_00007FFD9BAA177F 16 Function_00007FFD9BAA0102 17 Function_00007FFD9BAA0402 18 Function_00007FFD9BAA1A02 67 Function_00007FFD9BAA0630 18->67 19 Function_00007FFD9BAA0282 20 Function_00007FFD9BAA1203 21 Function_00007FFD9BAA1075 22 Function_00007FFD9BAA1979 23 Function_00007FFD9BAA1A6E 23->67 24 Function_00007FFD9BAA0D6D 25 Function_00007FFD9BAA0EF0 26 Function_00007FFD9BAA02F2 27 Function_00007FFD9BAA0272 28 Function_00007FFD9BAA12F1 28->4 74 Function_00007FFD9BAA17B1 28->74 76 Function_00007FFD9BAA1725 28->76 29 Function_00007FFD9BAA1571 29->4 29->74 29->76 30 Function_00007FFD9BAA16F3 32 Function_00007FFD9BAA0DE9 33 Function_00007FFD9BAA1CDE 37 Function_00007FFD9BAA1DE0 33->37 34 Function_00007FFD9BAA13DD 34->4 34->74 34->76 35 Function_00007FFD9BAA05E0 36 Function_00007FFD9BAA04E0 38 Function_00007FFD9BAA01E2 39 Function_00007FFD9BAA02E2 40 Function_00007FFD9BAA0462 41 Function_00007FFD9BAA0AD5 41->1 41->31 58 Function_00007FFD9BAA0540 41->58 68 Function_00007FFD9BAA0530 41->68 42 Function_00007FFD9BAA03D8 43 Function_00007FFD9BAA0C59 43->36 44 Function_00007FFD9BAA1059 45 Function_00007FFD9BAA12DB 46 Function_00007FFD9BAA1350 47 Function_00007FFD9BAA0C4F 48 Function_00007FFD9BAA10D2 49 Function_00007FFD9BAA0252 50 Function_00007FFD9BAA02D2 51 Function_00007FFD9BAA0BD2 51->1 51->31 52 Function_00007FFD9BAA1651 52->4 52->74 52->76 53 Function_00007FFD9BAA1E51 54 Function_00007FFD9BAA1546 54->4 54->74 54->76 55 Function_00007FFD9BAA1848 56 Function_00007FFD9BAA0A49 57 Function_00007FFD9BAA00BD 59 Function_00007FFD9BAA0242 60 Function_00007FFD9BAA0442 61 Function_00007FFD9BAA01C2 62 Function_00007FFD9BAA02C2 63 Function_00007FFD9BAA1438 63->4 63->74 63->76 64 Function_00007FFD9BAA10B8 65 Function_00007FFD9BAA1637 65->4 65->74 65->76 66 Function_00007FFD9BAA012D 69 Function_00007FFD9BAA05B0 70 Function_00007FFD9BAA0432 71 Function_00007FFD9BAA0232 72 Function_00007FFD9BAA03B2 73 Function_00007FFD9BAA0AB2 75 Function_00007FFD9BAA12B3 77 Function_00007FFD9BAA0328 78 Function_00007FFD9BAA05AA 79 Function_00007FFD9BAA0BAA 79->1 79->31 80 Function_00007FFD9BAA151E 80->4 80->74 80->76 81 Function_00007FFD9BAA0620 82 Function_00007FFD9BAA199F 82->81 83 Function_00007FFD9BAA0222 84 Function_00007FFD9BAA0422 85 Function_00007FFD9BAA1321 85->4 85->74 85->76

                        Control-flow Graph

                        Memory Dump Source
                        • Source File: 00000000.00000002.4162059624.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bb2f7199e4aadc0debc50a53fee330d718b65c3845bb0b60ebd2204b61e420ae
                        • Instruction ID: 8c2505475e6a354b2714d5e5d59e0823f091f9ae903c530f9213799cb3ef8063
                        • Opcode Fuzzy Hash: bb2f7199e4aadc0debc50a53fee330d718b65c3845bb0b60ebd2204b61e420ae
                        • Instruction Fuzzy Hash: 6A310B31B4E3890FD36D6AB44C765B6BB96EB83620B0641BED08AC71B3ED5864034395

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        control_flow_graph 0 7ffd9baa0de9-7ffd9baa0ebc GetConsoleWindow 4 7ffd9baa0ebe 0->4 5 7ffd9baa0ec4-7ffd9baa0eeb 0->5 4->5
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4162059624.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID:
                        • API String ID: 2863861424-0
                        • Opcode ID: e2181d39daf349ddb53a1968370397acf141dda706cec05b971ee493883133e3
                        • Instruction ID: 7f4d8a305a33f975eacdec4ee7cd75edf6dcf254836226a0c4a20e410f5117e3
                        • Opcode Fuzzy Hash: e2181d39daf349ddb53a1968370397acf141dda706cec05b971ee493883133e3
                        • Instruction Fuzzy Hash: 7C41067190DB888FDB26DB688855AE5BFF0EF57320F05429FD089C71A3D664680ACB51

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.4162059624.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0
                        • Opcode ID: bec11941ff2cf8a681dad1451e0e53fef2931fd4a52f4987c46d5eddade04341
                        • Instruction ID: a794bbbd41723373121bd84f170aa7f024c17ff0ef49b775f7e096094c135cfe
                        • Opcode Fuzzy Hash: bec11941ff2cf8a681dad1451e0e53fef2931fd4a52f4987c46d5eddade04341
                        • Instruction Fuzzy Hash: 5B315C30A1CB188FDB58DB58D846BE8B7F1FB99321F10429AD04DA7251CB34A981CFC2
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: \VLm
                        • API String ID: 0-2808160488
                        • Opcode ID: 72a9cdb20ecde26408d778cefeb9f46baf99d94ecc72b3dbba0430c19fbb2be2
                        • Instruction ID: f0bded495f227961e9afb66f91407ff577aa546c3e66ac896c3c272f843ee7d9
                        • Opcode Fuzzy Hash: 72a9cdb20ecde26408d778cefeb9f46baf99d94ecc72b3dbba0430c19fbb2be2
                        • Instruction Fuzzy Hash: 08B15C70E20259CFDB14CFA9C9957DEBBF2AF89304F18812DD815AB254EB74A845CB81
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 96ec5e4799e932c56666e743f7f96505472f6b60a61d3004dd4bb7558185d280
                        • Instruction ID: bca6bde46b9884e53d813a4f74bc52782663111cb32bff43905763ccd7945777
                        • Opcode Fuzzy Hash: 96ec5e4799e932c56666e743f7f96505472f6b60a61d3004dd4bb7558185d280
                        • Instruction Fuzzy Hash: 81B15C74E20249CFDF10CFA9D88679DBBF2BF88314F18852DE415AB294EB749845CB81
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: a^q$ a^q$,$xbq
                        • API String ID: 0-2180861429
                        • Opcode ID: f70934ecd1db43d16f4513eec57bd8f14208e14ee72e64834adb0c45002f4131
                        • Instruction ID: 9372e7176b059ac6d9c2152d8609036c52cd67d93927e3c64be6e1bc774f0669
                        • Opcode Fuzzy Hash: f70934ecd1db43d16f4513eec57bd8f14208e14ee72e64834adb0c45002f4131
                        • Instruction Fuzzy Hash: 9C027B74B002419FD718DF68D594B6ABBE2BF84304F248AA8E4059F3A5DF79DC85CB81
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: a^q$ a^q$xbq
                        • API String ID: 0-2081302502
                        • Opcode ID: 5e740f1e3e64d3b2930878f6462325925e221c1fa62f89e13d713284efbf3f20
                        • Instruction ID: 8bb0e272a3350706cc6eccd3f5dff048555f7bd75c134bfb555e6f313e74d266
                        • Opcode Fuzzy Hash: 5e740f1e3e64d3b2930878f6462325925e221c1fa62f89e13d713284efbf3f20
                        • Instruction Fuzzy Hash: 4A618C78B002408FD718EF29D994B5A7BF2FF85704F108968D4059F3A5DBB9ED858B90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: xbq$+
                        • API String ID: 0-3688029685
                        • Opcode ID: 8b7a758ed01f22b514147f6e9d9e8724425222d489c10c5d40277dd875c414ad
                        • Instruction ID: ae986b5e74eecb427ca8bb7f944553e3f74bbb82114fc8aebfdd022d9c7b6c2d
                        • Opcode Fuzzy Hash: 8b7a758ed01f22b514147f6e9d9e8724425222d489c10c5d40277dd875c414ad
                        • Instruction Fuzzy Hash: A391A9B8D122588FDB14EF2AE6843143BF1F785715F04456DC8008B29ADBBE9F418B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: (bq$Te^q
                        • API String ID: 0-2856382362
                        • Opcode ID: f17bfddf349a6458eb76f1d7b6c031744e97cfdeccbf01fa27383a44beaed9df
                        • Instruction ID: fc6eb00651901d265135a561ad730b88a2b771c427228878aec995a3a13efbdc
                        • Opcode Fuzzy Hash: f17bfddf349a6458eb76f1d7b6c031744e97cfdeccbf01fa27383a44beaed9df
                        • Instruction Fuzzy Hash: 73519E34B101149FC744DF6DC898A9EBBF6EF89710F2581A9E805DB3A6CA75ED018B90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Hbq$dLdq
                        • API String ID: 0-411705877
                        • Opcode ID: 48d790cc3f3058d4896c5e3bb5f8733a8cde5fe098fe90faa6937657f4ddfea7
                        • Instruction ID: ae50879f834af643c852ddd85b545426761de072ed2ded35cc3268df806ebc68
                        • Opcode Fuzzy Hash: 48d790cc3f3058d4896c5e3bb5f8733a8cde5fe098fe90faa6937657f4ddfea7
                        • Instruction Fuzzy Hash: 5741B4357042448FCB19DF79C898A9EBBF6EF89200F1485A9E405DB361CA75DD05CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: $^q$$^q
                        • API String ID: 0-355816377
                        • Opcode ID: b9f2711751a4d3a13f6af216001bfc210067d12e0448138a607eaf6d8cab1975
                        • Instruction ID: a137467d9a46d6cf3fc71da4223e7bdf622531bde0484d6f8f63889e04d124b2
                        • Opcode Fuzzy Hash: b9f2711751a4d3a13f6af216001bfc210067d12e0448138a607eaf6d8cab1975
                        • Instruction Fuzzy Hash: 80415F70B28445CFC758AF5A958862DBBB6BF847017298899F0068B7D8CF36DC17CB85
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: \VLm
                        • API String ID: 0-2808160488
                        • Opcode ID: 8dba0686ee85fb5946e0394615145a4790fca1190e3e51555309908ea50e90b2
                        • Instruction ID: e03d2288f6af457abe3ee929ba74451561dd1874dfdf518dbccd4b645d7d2de9
                        • Opcode Fuzzy Hash: 8dba0686ee85fb5946e0394615145a4790fca1190e3e51555309908ea50e90b2
                        • Instruction Fuzzy Hash: C8B17D71E20259CFEB14CFA9C9857DEBBF2AF89304F18812DD815A7254EB34AC45CB81
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 462a23611c11e322cb67e0f56dc1b315970a06b158cc6aa9236d18f24963a12f
                        • Instruction ID: 4e9adcca39d600f1ef11dbfe87167370880816b2c2ab9c9bb8e3de3c28bbcce5
                        • Opcode Fuzzy Hash: 462a23611c11e322cb67e0f56dc1b315970a06b158cc6aa9236d18f24963a12f
                        • Instruction Fuzzy Hash: F1519D30610245DFE724DF29C998B69BBF6FF49714F158159E812AB3E1CB7AAC80CB40
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: $^q
                        • API String ID: 0-388095546
                        • Opcode ID: 6e89a8a896e344b9347daf8da89ecd01c66270d5f8784f62e645d995894b2b12
                        • Instruction ID: b565fd14d664e2ca923d8619e4535d4967dfb24795343c6c9a567eadb232dc3b
                        • Opcode Fuzzy Hash: 6e89a8a896e344b9347daf8da89ecd01c66270d5f8784f62e645d995894b2b12
                        • Instruction Fuzzy Hash: EA418270A28484DFC3599F59858862DBBB6BB8470172A8899E046CB7D8CF36DC17CB85
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: LR^q
                        • API String ID: 0-2625958711
                        • Opcode ID: 813721dbb7f3ef51a786d6e3cd2e4a3e71bd3bd17c2ce7466463d912cf3c2ea3
                        • Instruction ID: b8c0b6a0fdae75290a7ec4219b0ce0eab0101679c6b14e2f57d988464019d2f0
                        • Opcode Fuzzy Hash: 813721dbb7f3ef51a786d6e3cd2e4a3e71bd3bd17c2ce7466463d912cf3c2ea3
                        • Instruction Fuzzy Hash: 9D31B174F102568FDB04DB79899066EBBF6BFC9204B1440ADE549DB355EE30DD02C792
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: dLdq
                        • API String ID: 0-3390252261
                        • Opcode ID: c7963bb7c2c06ce88bb563037626422e4d028a3a286d49dd342fd0f45b0ba8de
                        • Instruction ID: 12001e13f041b6c7023cca8f2a597cbd65e30cce45a41d6b06f7f0c25eddcc5f
                        • Opcode Fuzzy Hash: c7963bb7c2c06ce88bb563037626422e4d028a3a286d49dd342fd0f45b0ba8de
                        • Instruction Fuzzy Hash: BC317C75A00244CFCB18DF69C598B9EBBF6EF88300F188569D401AB361CB75ED45CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 2c668671407e20859b4ae7798de9dadca3866b23219109c915ecbe538d7e91f5
                        • Instruction ID: f77b88211763e989b7ef72796e63ea749a9d8ba64d8f368161c2488de1c5e22d
                        • Opcode Fuzzy Hash: 2c668671407e20859b4ae7798de9dadca3866b23219109c915ecbe538d7e91f5
                        • Instruction Fuzzy Hash: 5D2193357201548FCB44DB68C998BAD7BFAAF8C710F25415DE502EB3A0CF759C048B91
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: |
                        • API String ID: 0-2343686810
                        • Opcode ID: 3f30dfa7174e6ff6625e82a7dd1408fe3a533ea2f4955e683895151027799df4
                        • Instruction ID: 031e2863597a52da2b2bc99858c5c790c2a0df301bad730ba70c981b503b87f1
                        • Opcode Fuzzy Hash: 3f30dfa7174e6ff6625e82a7dd1408fe3a533ea2f4955e683895151027799df4
                        • Instruction Fuzzy Hash: 15119D75B102149FDB44DB78C945B6E7BF5AF88610F10846AE50ADB3A0DB39DD01CB85
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: f6157aa1bdf21f3fc3d1fad317881e0f271823977bd82d2dfa782ac3f25256d0
                        • Instruction ID: 72a353b4590a651f3cd9865c9858fcdee1876de0feeb451a7505205b4705c39b
                        • Opcode Fuzzy Hash: f6157aa1bdf21f3fc3d1fad317881e0f271823977bd82d2dfa782ac3f25256d0
                        • Instruction Fuzzy Hash: 69118E74B50245CFDB04DF68C898B6EBBE6AF88710F25405EE502EF3A6CA759C01CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 2d8003273576e31fa185a55457c76d865508e2f5ba7bcea0f4504b14f3b62ab6
                        • Instruction ID: 39e4717de90065a9a6d3786e2d0beaa981c152e76a5bfd36640257319767a02f
                        • Opcode Fuzzy Hash: 2d8003273576e31fa185a55457c76d865508e2f5ba7bcea0f4504b14f3b62ab6
                        • Instruction Fuzzy Hash: D6113D34B50244DFDB14DF69C898B6EBBE6AF88710F154059E902AF3A5CBB5AC01CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Te^q
                        • API String ID: 0-671973202
                        • Opcode ID: 061d72c92dc1bbe5db37853927d25e4ae23640ee19012ba7282a5753ba2fcb53
                        • Instruction ID: 5985386f52dc10aef5c32ce8e88a60e84fc143631c4800eebe9263851ff345e6
                        • Opcode Fuzzy Hash: 061d72c92dc1bbe5db37853927d25e4ae23640ee19012ba7282a5753ba2fcb53
                        • Instruction Fuzzy Hash: 2E11A176B101189FCB04DB58C959BAEBBF6AB8C700F204069F402EB3A1CF759D018BD1
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Hbq
                        • API String ID: 0-1245868
                        • Opcode ID: 56b58529a0b021c990c3459bd4b07952032401767ab871acb41967b321fea528
                        • Instruction ID: 3751d5b9c80db3430476a27a122c421665ffd04e68ffcd53810add62525a987c
                        • Opcode Fuzzy Hash: 56b58529a0b021c990c3459bd4b07952032401767ab871acb41967b321fea528
                        • Instruction Fuzzy Hash: 56F046713092841FC345AB3DA86446E7FEBEFCA11031948FAE149CF392DD288D0783A5
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: LR^q
                        • API String ID: 0-2625958711
                        • Opcode ID: 5e4f151c77197b47e8f33ca47fd2762bc301f954789841475e538390d1c53ec3
                        • Instruction ID: 68ed5f15032d99fef3f435294776920523d5ddbe2d40136874074f8fed6a7a54
                        • Opcode Fuzzy Hash: 5e4f151c77197b47e8f33ca47fd2762bc301f954789841475e538390d1c53ec3
                        • Instruction Fuzzy Hash: B401AD76F102159FDB44EBB8D9956AEB7B9FB88600F1040ADE509DF250EB709E018BC1
                        Strings
                        Memory Dump Source
                        • Source File: 00000002.00000002.4161794244.00000000033C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 033C0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_2_2_33c0000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: 4'^q
                        • API String ID: 0-1614139903

                        Execution Graph

                        Execution Coverage: 20.9%
                        Dynamic/Decrypted Code Coverage: 100%
                        Signature Coverage: 0%
                        Total number of Nodes: 6
                        Total number of Limit Nodes: 0

                        Callgraph

                        • Executed
                        • Not Executed
                        • Opacity -> Relevance
                        • Disassembly available

                        Control-flow Graph

                        • Executed
                        • Not Executed
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1906615773.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID:
                        • API String ID: 2863861424-0

                        Control-flow Graph

                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1906615773.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID: CreateProcess
                        • String ID:
                        • API String ID: 963392458-0

                        Control-flow Graph

                        Control-flow graph (rendered image not preserved): block 7ffd9baa053a-7ffd9baa10e2 -> 7ffd9baa10ea-7ffd9baa111c (calls GetConsoleWindow) -> 7ffd9baa111e and 7ffd9baa1124-7ffd9baa114b; 7ffd9baa111e -> 7ffd9baa1124-7ffd9baa114b
                        APIs
                        Memory Dump Source
                        • Source File: 00000003.00000002.1906615773.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_3_2_7ffd9baa0000_82eqjqLrzE.jbxd
                        Similarity
                        • API ID: ConsoleWindow
                        • String ID:
                        • API String ID: 2863861424-0
                        • Opcode ID: 9b3232e6986ad7c37dbaa825dcd647c356ba156d972774a4459d5d98d4dc85af
                        • Instruction ID: 985f70389e5f4800bc6b173905307017b51162b37ecbc2d25a62189cac09cb12
                        • Opcode Fuzzy Hash: 9b3232e6986ad7c37dbaa825dcd647c356ba156d972774a4459d5d98d4dc85af
                        • Instruction Fuzzy Hash: 69217771A0CA0C9FDB68DF98D846BF9B7E0EB59321F00422ED04ED3551DB74A405CB51
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: (bq$Te^q
                        • API String ID: 0-2856382362
                        • Opcode ID: 76c8e1cacea081ed0f4d299caaaa3364f9de1557fd699eedb09477b14e9167fc
                        • Instruction ID: 4c6eb9c7be1b5d13c01e801774dd843a0df90a70f16957e8574088ab5713314a
                        • Opcode Fuzzy Hash: 76c8e1cacea081ed0f4d299caaaa3364f9de1557fd699eedb09477b14e9167fc
                        • Instruction Fuzzy Hash: 1B518A30B105149FCB54DF6DC498A6EBBF6FF89710F2581A9E906DB3A6CA71DD018B80
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Hbq$dLdq
                        • API String ID: 0-411705877
                        • Opcode ID: 3d689aeb607f935d908c79e65663a29443a5b2ff6c3601996ffbb27797f35223
                        • Instruction ID: a8eaca422d5b5adb99c2a1c14b1cb54ad78f9d70f08eaf2a6b8767d06279ce60
                        • Opcode Fuzzy Hash: 3d689aeb607f935d908c79e65663a29443a5b2ff6c3601996ffbb27797f35223
                        • Instruction Fuzzy Hash: D841B1317042049FCB15DF69D458AAEBBF6FF89300F2444AAE505DB3A2CA759D05CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: LR^q
                        • API String ID: 0-2625958711
                        • Opcode ID: 829e1e313e95f8570b127386bf2fa6a018f4346b911f0c0f237d64c7ac3cde54
                        • Instruction ID: 057aa8d74993d3d4d66633fc1b93dba6db6630560a278490d9c579f5eac43b14
                        • Opcode Fuzzy Hash: 829e1e313e95f8570b127386bf2fa6a018f4346b911f0c0f237d64c7ac3cde54
                        • Instruction Fuzzy Hash: D841FF35B002068FCB14AB7DD455A6EBBF6FFC9314B144169E98ADB3A5DE30CD428782
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: dLdq
                        • API String ID: 0-3390252261
                        • Opcode ID: 307c46f5321e39ecfbbd0448dcb2a70408f34142315e25e24020b44f2db61e34
                        • Instruction ID: b6a8a8b58f3d52c1672394cef11a44ef11c8088792c5a6660a6c7b1e5f4dea87
                        • Opcode Fuzzy Hash: 307c46f5321e39ecfbbd0448dcb2a70408f34142315e25e24020b44f2db61e34
                        • Instruction Fuzzy Hash: 8C315B75A00204DFDB14DF69C448BAEBBF2FF89300F248569E501AB361CB75AD48CB91
                        Strings
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID: Hbq
                        • API String ID: 0-1245868
                        • Opcode ID: 714ba378e6eeac0ea2f5c5d5a33c69c8541e0532eeff63740cbfaa42d01acf73
                        • Instruction ID: aa7f2e00a9855922a72de35ab6d3067b3f54ef82a6d6aaf577a64bb7b6bf3931
                        • Opcode Fuzzy Hash: 714ba378e6eeac0ea2f5c5d5a33c69c8541e0532eeff63740cbfaa42d01acf73
                        • Instruction Fuzzy Hash: C4F0A4313086445FC345AB7DA81453E7FEBEFCA25031548F6E245CB3A2CD359C168355
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c7fcb7f1c3bbf115a4d7ad856c8c39f69e1dde9f9df7329bf0f9561dd6f34a15
                        • Instruction ID: 8797a1c7f6f57006024d21df2be1c4358ce6074ce0e368c25ded70ad74a56527
                        • Opcode Fuzzy Hash: c7fcb7f1c3bbf115a4d7ad856c8c39f69e1dde9f9df7329bf0f9561dd6f34a15
                        • Instruction Fuzzy Hash: B151B378101605DFDB06EB38E984D697BA2FBC93057508669D501CB37DEB31A94EEF80
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 63ed9decb840f0d51559f9f5378d665b57c2bae41922114f942cad162f989d6e
                        • Instruction ID: e43f07d60473e682bd9d7570a1ce79176b8d7cfb33ebdba9653b873f7acf5fc1
                        • Opcode Fuzzy Hash: 63ed9decb840f0d51559f9f5378d665b57c2bae41922114f942cad162f989d6e
                        • Instruction Fuzzy Hash: A2419F70B00209AFCB04EFB9854866EBBFAFF89310F248569D449D7345DA309E428B91
                        Memory Dump Source
                        • Source File: 00000005.00000002.1893898928.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_8ed000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: c3d2c4ba933ac4ce7271ab0eae346f640394be0908da69a1376764b0482d1d1d
                        • Instruction ID: 6906ea9e49a074e65d8b9bfa5a010c85206c6d7cf3a5f9386d994c0303bbb887
                        • Opcode Fuzzy Hash: c3d2c4ba933ac4ce7271ab0eae346f640394be0908da69a1376764b0482d1d1d
                        • Instruction Fuzzy Hash: 802125B1500384DFCB05DF15D9C0B27BF65FBA5318F20C569E8098B296C336E85AC6A2
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: e6f0932d8c4a7823e0c8430a5f65850a53f2f08827cf9fd101853cb0b058a81d
                        • Instruction ID: bd5a297dadb88831e3f4d6faa9adb7cc07ebe54b51c3763893d08a78dad70bfb
                        • Opcode Fuzzy Hash: e6f0932d8c4a7823e0c8430a5f65850a53f2f08827cf9fd101853cb0b058a81d
                        • Instruction Fuzzy Hash: DA216F30780702DFEB68AB75D948A3E3BA8FF55305B20542DDA07C6161EF30CA45EB56
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 9b3184da8c0baf1b0eac84661055a277fe71be62dd8f4348d9ad762ac81e9837
                        • Instruction ID: 09ea335a5ee17163f92bc251f55c5c2a79283a668d4b811adc1dc44f4bf81b22
                        • Opcode Fuzzy Hash: 9b3184da8c0baf1b0eac84661055a277fe71be62dd8f4348d9ad762ac81e9837
                        • Instruction Fuzzy Hash: EB216F307807038FEF64ABB5E918A3E3BA4BF50305720442D9B07C6151EE30CA45E766
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4b6b73d8c6f36d08b427b036a97851b8bebb41dc63e4537ea93f9387bc1a69cb
                        • Instruction ID: e1cc4351a83b85976d893d84cbde37aa8f6197c337309b07510718daea6b4085
                        • Opcode Fuzzy Hash: 4b6b73d8c6f36d08b427b036a97851b8bebb41dc63e4537ea93f9387bc1a69cb
                        • Instruction Fuzzy Hash: CD118B75A00205CFCB50EBB9D404A6A7BF2FF8932571418B9D80ACB365EB30CD82DB80
                        Memory Dump Source
                        • Source File: 00000005.00000002.1893898928.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_8ed000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                        • Instruction ID: cf4033ebe3626a525a648de6ae96e6ab85c7a2258b37b74dbbb74ac09b3f98f4
                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                        • Instruction Fuzzy Hash: 0111B176504380CFCB16CF10D5C4B16BF71FBA4318F24C5A9D8494B656C336E85ACBA1
                        Memory Dump Source
                        • Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 633cbc8367a98c587038a221816ee1c1ce3aaf8239f7558bb5c206d88ca3b03d
                        • Instruction ID: b5f41431e7d8a08592a7e896d48774a573b75120a027136f8fb43c34754ee538
                        • Opcode Fuzzy Hash: 633cbc8367a98c587038a221816ee1c1ce3aaf8239f7558bb5c206d88ca3b03d
                        • Instruction Fuzzy Hash: 9E118074B00209DFCB54EBB9D504A6A7BF6FF8871571408B9D40ADB364EA31DD46CB90
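The per-function entries above (Memory Dump Source, Similarity, Opcode ID, Instruction ID, fuzzy hashes) are easier to triage once they are structured: which functions reference an API such as CreateProcess, which Opcode IDs recur across dumps, and how many functions each dumped process contributes. The parser below is an added example written for this page, not Joe Sandbox's own code or output; it reads a constructed excerpt laid out like the entries above and assumes that the leading dotted field of the .sdmp name is the report's process index (it matches the number in the Snapshot File name, hcaresult_3_2_..., but that mapping is an assumption).

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt in the layout of the report's per-function entries
# (three entries, two of them sharing one Opcode ID). Not copied from the report.
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000003.00000002.1906615773.00007FFD9BAA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9BAA0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_3_2_7ffd9baa0000_sample.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: aaaa000000000000000000000000000000000000000000000000000000000001
• Instruction ID: bbbb000000000000000000000000000000000000000000000000000000000001
• Opcode Fuzzy Hash: aaaa000000000000000000000000000000000000000000000000000000000001
• Instruction Fuzzy Hash: 5B315C30A1CB188F
Strings
Memory Dump Source
• Source File: 00000005.00000002.1894238187.0000000000C40000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C40000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_c40000_tempfile.jbxd
Similarity
• API ID:
• String ID: Hbq$dLdq
• API String ID: 0-411705877
• Opcode ID: aaaa000000000000000000000000000000000000000000000000000000000002
• Instruction ID: bbbb000000000000000000000000000000000000000000000000000000000002
• Opcode Fuzzy Hash: aaaa000000000000000000000000000000000000000000000000000000000002
• Instruction Fuzzy Hash: D841B1317042049F
Memory Dump Source
• Source File: 00000005.00000002.1893898928.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_5_2_8ed000_tempfile.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: aaaa000000000000000000000000000000000000000000000000000000000002
• Instruction ID: bbbb000000000000000000000000000000000000000000000000000000000003
• Opcode Fuzzy Hash: aaaa000000000000000000000000000000000000000000000000000000000002
• Instruction Fuzzy Hash: 802125B1500384DF
"""

# One "• Key: Value" line; the key runs up to the first colon.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# The Source File value: dump name, load offset and the "based on PE" flag.
SOURCE_RE = re.compile(r"^(\S+\.sdmp), Offset: ([0-9A-Fa-f]+), based on PE: (true|false)$")


def parse_entries(text):
    """Split the listing on 'Memory Dump Source' and collect each entry's fields."""
    entries = []
    current = None
    for line in text.splitlines():
        if line.strip() == "Memory Dump Source":
            current = {}
            entries.append(current)
            continue
        if current is None:
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue  # section labels such as "Similarity" or "Strings"
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            sm = SOURCE_RE.match(value)
            if sm:
                dump, offset, pe = sm.groups()
                current["dump"] = dump
                current["offset"] = int(offset, 16)
                current["based_on_pe"] = pe == "true"
                # Assumption: the leading dotted field of the dump name is the
                # report's process index (it matches hcaresult_<n>_... above).
                current["process"] = int(dump.split(".")[0])
        else:
            current[key] = value
    return entries


def functions_by_api(entries):
    """Map each non-empty API ID to the Opcode IDs of the functions referencing it."""
    out = defaultdict(list)
    for e in entries:
        if e.get("API ID"):
            out[e["API ID"]].append(e["Opcode ID"])
    return dict(out)


def shared_opcode_ids(entries):
    """Opcode IDs seen in more than one entry: opcode-identical code in several dumps."""
    counts = Counter(e["Opcode ID"] for e in entries if "Opcode ID" in e)
    return {oid: n for oid, n in counts.items() if n > 1}


def entries_per_process(entries):
    """Number of listed functions per dumped process index."""
    return dict(Counter(e["process"] for e in entries if "process" in e))


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_REPORT)
    print(functions_by_api(parsed))
    print(shared_opcode_ids(parsed))
    print(entries_per_process(parsed))
```

The same parser runs over the full listing when it is saved as text: an entry whose Opcode ID recurs in a differently based dump (here the C40000 and 8ED000 regions of process 5) is the same code mapped twice, so only one copy needs manual review, and the API ID grouping gives the short list of functions that touch process creation or console handling.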