Windows Analysis Report
EEdSGSana5.exe

Overview

General Information

Sample name: EEdSGSana5.exe (renamed because the original name is a hash value)
Original sample name: a3b822deae3813848f93cff1574bd5d4.exe
Analysis ID: 1586391
MD5: a3b822deae3813848f93cff1574bd5d4
SHA1: 9693180d30287003fc390088830421a919f8dc96
SHA256: 61ea1e0cc88a7c1f5e26752f6ade2701ec8487a816a2cf2788482f480c7b8831
Tags: AsyncRAT, exe, RAT, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
.NET source code contains potential unpacker
AI detected suspicious sample
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • EEdSGSana5.exe (PID: 2576 cmdline: "C:\Users\user\Desktop\EEdSGSana5.exe" MD5: A3B822DEAE3813848F93CFF1574BD5D4)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open-source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"External_config_on_Pastebin": "null", "Server": "85.239.237.148", "Ports": "1998", "Version": "| clay_root", "Autorun": "false", "Install_Folder": "MHpqMDZCRDJPeEk4aVlhbkhSUWhtZnRCMFFFdGxqb0Y=", "Install_File": "kzR43JPSfAtRb6GHpwzULrOrGI6SgCm4g36tTJuWqFRH6j2AB+EFrCmOOVldMcSTAETqI3wIDLvzKwvwhl6s1Tj5H+Lv10IaiXwQ6WcvKD+ilaylrDauiSEPIOMweir2", "AES_key": "0zj06BD2OxI8iYanHRQhmftB0QEtljoF", "Mutex": "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", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source | Rule | Description | Author
EEdSGSana5.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
EEdSGSana5.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
EEdSGSana5.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd0f8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x9a4f:$a3: get_ActivatePong
  • 0xd310:$a4: vmware
  • 0xd188:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa976:$a6: get_SslClient
EEdSGSana5.exe | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x9a4f:$str01: get_ActivatePong
  • 0xa976:$str02: get_SslClient
  • 0xa992:$str03: get_TcpClient
  • 0x8f62:$str04: get_SendSync
  • 0x9010:$str05: get_IsConnected
  • 0x9788:$str06: set_UseShellExecute
  • 0xd41e:$str07: Pastebin
  • 0xeab6:$str08: Select * from AntivirusProduct
  • 0x10038:$str09: Stub.exe
  • 0x100c8:$str09: Stub.exe
  • 0xd208:$str10: timeout 3 > NUL
  • 0xd0f8:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xd188:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
EEdSGSana5.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd18a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author
00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xcef8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10238:$a2: Stub.exe
  • 0x102c8:$a2: Stub.exe
  • 0x984f:$a3: get_ActivatePong
  • 0xd110:$a4: vmware
  • 0xcf88:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa776:$a6: get_SslClient
00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xcf8a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: EEdSGSana5.exe PID: 2576 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Source | Rule | Description | Author
0.0.EEdSGSana5.exe.9d0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.EEdSGSana5.exe.9d0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.EEdSGSana5.exe.9d0000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xd0f8:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0x10038:$a2: Stub.exe
  • 0x100c8:$a2: Stub.exe
  • 0x9a4f:$a3: get_ActivatePong
  • 0xd310:$a4: vmware
  • 0xd188:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0xa976:$a6: get_SslClient
0.0.EEdSGSana5.exe.9d0000.0.unpack | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x9a4f:$str01: get_ActivatePong
  • 0xa976:$str02: get_SslClient
  • 0xa992:$str03: get_TcpClient
  • 0x8f62:$str04: get_SendSync
  • 0x9010:$str05: get_IsConnected
  • 0x9788:$str06: set_UseShellExecute
  • 0xd41e:$str07: Pastebin
  • 0xeab6:$str08: Select * from AntivirusProduct
  • 0x10038:$str09: Stub.exe
  • 0x100c8:$str09: Stub.exe
  • 0xd208:$str10: timeout 3 > NUL
  • 0xd0f8:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xd188:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.EEdSGSana5.exe.9d0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xd18a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-09T01:12:06.587053+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
2025-01-09T01:12:06.587053+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
2025-01-09T01:12:06.587053+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP

                AV Detection

Source: EEdSGSana5.exe | Avira: detected
Source: EEdSGSana5.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "85.239.237.148", "Ports": "1998", "Version": "| clay_root", "Autorun": "false", "Install_Folder": "MHpqMDZCRDJPeEk4aVlhbkhSUWhtZnRCMFFFdGxqb0Y=", "Install_File": "kzR43JPSfAtRb6GHpwzULrOrGI6SgCm4g36tTJuWqFRH6j2AB+EFrCmOOVldMcSTAETqI3wIDLvzKwvwhl6s1Tj5H+Lv10IaiXwQ6WcvKD+ilaylrDauiSEPIOMweir2", "AES_key": "0zj06BD2OxI8iYanHRQhmftB0QEtljoF", "Mutex": "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", "Certificate": "false", "ServerSignature": "true", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source: EEdSGSana5.exe | ReversingLabs: Detection: 73%
Source: EEdSGSana5.exe | Virustotal: Detection: 68%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: EEdSGSana5.exe | Joe Sandbox ML: detected
Source: EEdSGSana5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EEdSGSana5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 85.239.237.148:1998 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 85.239.237.148:1998 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 85.239.237.148:1998 -> 192.168.2.5:49704
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 85.239.237.148:1998 -> 192.168.2.5:49704
Source: Yara match | File source: EEdSGSana5.exe, type: SAMPLE
Source: Yara match | File source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 85.239.237.148:1998
Source: Joe Sandbox View | ASN Name: CASABLANCA-ASInternetCollocationProviderCZ
Source: unknown | TCP traffic detected without corresponding DNS query: 85.239.237.148
Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: EEdSGSana5.exe, 00000000.00000002.4488721390.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabCq
Source: EEdSGSana5.exe, 00000000.00000002.4488721390.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en=EYp
Source: EEdSGSana5.exe, 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

                Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: EEdSGSana5.exe, type: SAMPLE
Source: Yara match | File source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR

                System Summary

Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Code function: 0_2_07261B10
Source: EEdSGSana5.exe, 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs EEdSGSana5.exe
Source: EEdSGSana5.exe, 00000000.00000002.4490468118.0000000005559000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs EEdSGSana5.exe
Source: EEdSGSana5.exe | Binary or memory string: OriginalFilenameStub.exe" vs EEdSGSana5.exe
Source: EEdSGSana5.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: EEdSGSana5.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: EEdSGSana5.exe, RgqtGCemsXHkAvR.cs | Base64 encoded string: 'H1ztiGJ088icnnM/kcrhx0QTpdGB1FzF/g2dMQ0PxudCLTloBYJjaIwhTwSOdaBauWz4f1XyQGLV2PJxClWMDg==', 'UMXDeu5qPMBfJvLUcW1DXKIfoE+5gCxx5WjbJZ1YQSh+YG4DTQeYUbFGG56hTHZGgUXx8Slrwh7y/FGKtCsiUA==', 'k21LljoDYtAZSLwgikw1yZrrv4V+5OP2UMJwq2GqwHq6f84GcYPockWedNIdG55wNbUIgY9y8IR5UtXQHxRU0w==', 'kzR43JPSfAtRb6GHpwzULrOrGI6SgCm4g36tTJuWqFRH6j2AB+EFrCmOOVldMcSTAETqI3wIDLvzKwvwhl6s1Tj5H+Lv10IaiXwQ6WcvKD+ilaylrDauiSEPIOMweir2', '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', 'IS4Icp4jBk040Px8W1KxwOULsxh1Nhq1eDW/z3jcbgDGkjp28WbEkdtdegvr7abv8zcrDn5KtpfuRQAeSHwQHQ==', 'LPDxd9VmrFUVIkt7WH46/oEndWiPr/i3KEx1J89NVoNdImbFupV8Guws0KSkmSH3jx6mq5wzaSHnj0QiHnxMbQ==', 'qoNMEITbJKTDMYNcQ1B0rcbPRwdIrrlFlSncI92YhQLaYIDNMFrvgUxTjd9BjK8MiP3e3TBjB33N6wX9xxtjLw==', 'YP33/ZARjsJYfZ/nWE7ES0x73lbh9yrXwRbbYftl8RHedMco+4+NZSGAHD+pU+B7++DOFaqw6jNQsJSU7Fv1VQaffkCNifnFH5RYWyRYSp8='
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@0/1
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_63EADSGAS2FWAG2tSAGAWkPnk
Source: EEdSGSana5.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EEdSGSana5.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EEdSGSana5.exe | ReversingLabs: Detection: 73%
Source: EEdSGSana5.exe | Virustotal: Detection: 68%
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: EEdSGSana5.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: EEdSGSana5.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Data Obfuscation

Source: EEdSGSana5.exe, VebzDmdkHSJub.cs | .Net Code: GbWJroAuKRVm System.AppDomain.Load(byte[])
Source: EEdSGSana5.exe, aDibMTPEsyuk.cs | High entropy of concatenated method names: 'pdnceHseSfW', 'exrcnOQluBpK', 'PuSUUsoJBYv', 'eMasTRDmDSI', 'nZAquEokqGswU', 'edDbIqdwZZ', 'kgwpOhotbmn', 'kpfKZopFuWcE', 'VvxBpswbejuoM', 'tzsQlAMskSTvVGC'
Source: EEdSGSana5.exe, WkNVJXSuumRXDH.cs | High entropy of concatenated method names: 'XzapzHWictuCv', 'mwEwnVXPOM', 'bfbnCqjSEA', 'uWiQigRTxCoGa', 'nutMiXWDipaGqY', 'BMymZipETLcLh', 'HcnyOkQDniwED', 'rwYSGVaqXYxyU', 'SyxAjQZarrvTzNA', 'LgDZINWEsS'

                Boot Survival

Source: Yara match | File source: EEdSGSana5.exe, type: SAMPLE
Source: Yara match | File source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\EEdSGSana5.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\EEdSGSana5.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: Yara match | File source: EEdSGSana5.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR
                Source: EEdSGSana5.exe | Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Memory allocated: 1140000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Memory allocated: 2D90000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Memory allocated: 1360000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Window / User API: threadDelayed 6799
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Window / User API: threadDelayed 3048
                Source: C:\Users\user\Desktop\EEdSGSana5.exe TID: 4752 | Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\EEdSGSana5.exe TID: 5536 | Thread sleep time: -3689348814741908s >= -30000s
                Source: C:\Users\user\Desktop\EEdSGSana5.exe TID: 6620 | Thread sleep count: 6799 > 30
                Source: C:\Users\user\Desktop\EEdSGSana5.exe TID: 6620 | Thread sleep count: 3048 > 30
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Thread delayed: delay time: 922337203685477
                Source: EEdSGSana5.exe | Binary or memory string: vmware
                Source: EEdSGSana5.exe, 00000000.00000002.4488721390.0000000000F6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0b,
                Source: EEdSGSana5.exe, 00000000.00000002.4491119644.00000000064D0000.00000004.00000020.00020000.00000000.sdmp, EEdSGSana5.exe, 00000000.00000002.4490340752.00000000052B6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Process information queried: ProcessInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Queries volume information: C:\Users\user\Desktop\EEdSGSana5.exe VolumeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match | File source: EEdSGSana5.exe, type: SAMPLE
                Source: Yara match | File source: 0.0.EEdSGSana5.exe.9d0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: EEdSGSana5.exe PID: 2576, type: MEMORYSTR
                Source: EEdSGSana5.exe, 00000000.00000002.4488721390.0000000000FF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\Users\user\Desktop\EEdSGSana5.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                MITRE ATT&CK Matrix (one row per tactic; the number in parentheses is the count the report shows next to a matched technique, techniques without a number are unmatched matrix cells)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
                Execution: Windows Management Instrumentation (1); Scheduled Task/Job (1); At; Cron; Launchd; Scheduled Task
                Persistence: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Privilege Escalation: Scheduled Task/Job (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
                Defense Evasion: Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Obfuscated Files or Information (11); Software Packing (1); DLL Side-Loading (1); Steganography
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
                Discovery: Query Registry (1); Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Information Discovery (13)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
                Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
                Command and Control: Encrypted Channel (1); Non-Standard Port (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
                Source | Detection | Scanner | Label
                EEdSGSana5.exe | 74% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
                EEdSGSana5.exe | 68% | Virustotal |
                EEdSGSana5.exe | 100% | Avira | TR/Dropper.Gen
                EEdSGSana5.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high

                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | EEdSGSana5.exe, 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp | false | | high
                    IP | Domain | Country | ASN | ASN Name | Malicious
                    85.239.237.148 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true
                    Joe Sandbox version:41.0.0 Charoite
                    Analysis ID:1586391
                    Start date and time:2025-01-09 01:11:11 +01:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 6m 10s
                    Hypervisor based Inspection enabled:false
                    Report type:full
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                    Number of analysed new started processes analysed:4
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:EEdSGSana5.exe
                    renamed because original name is a hash value
                    Original Sample Name:a3b822deae3813848f93cff1574bd5d4.exe
                    Detection:MAL
                    Classification:mal100.troj.evad.winEXE@1/2@0/1
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 100%
                    • Number of executed functions: 15
                    • Number of non-executed functions: 1
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                    • Excluded IPs from analysis (whitelisted): 199.232.210.172, 52.149.20.212, 13.107.246.45, 20.12.23.50
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • Report size getting too big, too many NtReadVirtualMemory calls found.
                    Time | Type | Description
                    19:12:07 | API Interceptor | 8673447x Sleep call for process: EEdSGSana5.exe modified
                    No context
                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    bg.microsoft.map.fastly.net | Magicleap-bonus disbursment.pdf | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | eqRHH2whJu.exe | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | Selvi Payroll Benefits & Bonus Agreementfdp.pdf | malicious | Unknown | 199.232.214.172
                    bg.microsoft.map.fastly.net | atomxml.ps1 | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 199.232.210.172
                    bg.microsoft.map.fastly.net | proforma invoice pdf.exe | malicious | AgentTesla, PureLog Stealer | 199.232.214.172
                    bg.microsoft.map.fastly.net | Payment-Order #24560274 for 8,380 USD.exe | malicious | XWorm | 199.232.214.172
                    bg.microsoft.map.fastly.net | PEDIDO DE COMPRAS OC 1203 CRI234.xlsx.exe | malicious | AsyncRAT, PureLog Stealer | 199.232.210.172
                    bg.microsoft.map.fastly.net | invoice-1623385214.pdf.js | malicious | PureLog Stealer, RHADAMANTHYS, zgRAT | 199.232.214.172
                    bg.microsoft.map.fastly.net | PO#3311-20250108003.xls | malicious | Unknown | 199.232.210.172
                    bg.microsoft.map.fastly.net | PO#3311-20250108003.xls | malicious | Unknown | 199.232.214.172

                    Match | Associated Sample Name / URL | Detection | Threat Name | Context
                    CASABLANCA-ASInternetCollocationProviderCZ | nklm68k.elf | malicious | Unknown | 77.78.112.33
                    CASABLANCA-ASInternetCollocationProviderCZ | x86.elf | malicious | Gafgyt, Mirai | 81.0.213.110
                    CASABLANCA-ASInternetCollocationProviderCZ | la.bot.powerpc.elf | malicious | Unknown | 77.78.100.63
                    CASABLANCA-ASInternetCollocationProviderCZ | iQPxJrxxaj.exe | malicious | PikaBot | 85.239.243.155
                    CASABLANCA-ASInternetCollocationProviderCZ | iQPxJrxxaj.exe | malicious | PikaBot | 85.239.243.155
                    CASABLANCA-ASInternetCollocationProviderCZ | xrrwwstCMd.docx | malicious | Remcos | 85.239.241.184
                    CASABLANCA-ASInternetCollocationProviderCZ | Quotation-Invitation28252-09yzak_1_cdcon.pdf | malicious | Unknown | 109.123.230.181
                    CASABLANCA-ASInternetCollocationProviderCZ | SecuriteInfo.com.Exploit.CVE-2017-11882.123.12187.29198.rtf | malicious | Remcos | 85.239.241.184
                    CASABLANCA-ASInternetCollocationProviderCZ | FakturaPDF.exe | malicious | NetSupport RAT | 109.123.227.60
                    CASABLANCA-ASInternetCollocationProviderCZ | FakturaPDF.exe | malicious | NetSupport RAT | 109.123.227.60
                    No context
                    No context
                    Process:C:\Users\user\Desktop\EEdSGSana5.exe
                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                    Category:dropped
                    Size (bytes):71954
                    Entropy (8bit):7.996617769952133
                    Encrypted:true
                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..*Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=*....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.|.c.&>?..^t. ..;..X.d.E.0G....[Q.*,*......#.Dp..L.o|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...
                    Process:C:\Users\user\Desktop\EEdSGSana5.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):328
                    Entropy (8bit):3.2330967911189217
                    Encrypted:false
                    SSDEEP:6:kKJsglL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:O5DImsLNkPlE99SNxAhUe/3
                    MD5:59A244A265DA2991E3BEE722EF9F811A
                    SHA1:C06EDBF29A4880D5B924850FFC6EF0F993C28C9C
                    SHA-256:BE995EDE900F038E871D336C96D0F151A4E5FF968A4089726060EB04CFE788DD
                    SHA-512:137EA3D9D4C35D7592EAF93D9F786C884A918DAC5CD6B5A56E2D86006184E0A143944AD4ECBC1F92BB24678CAC06EE5C36A013945F87EBA9BF8B2BC91A0F9F6D
                    Malicious:false
                    Reputation:low
                    Preview:p...... ..........c.+b..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                    Entropy (8bit):5.503990984630609
                    TrID:
                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    • Win32 Executable (generic) a (10002005/4) 49.78%
                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                    • Generic Win/DOS Executable (2004/3) 0.01%
                    • DOS Executable Generic (2002/1) 0.01%
                    File name:EEdSGSana5.exe
                    File size:67'584 bytes
                    MD5:a3b822deae3813848f93cff1574bd5d4
                    SHA1:9693180d30287003fc390088830421a919f8dc96
                    SHA256:61ea1e0cc88a7c1f5e26752f6ade2701ec8487a816a2cf2788482f480c7b8831
                    SHA512:1ce7d2b71f6f3b24088750e0e1607cb9006bdeb207315e8fa28fbc6686672d02cc80a96d881c7533989e78beb8d180682e95ac1867d1d87d021cba790414295c
                    SSDEEP:1536:t2w3dvk1EkwgcKu5UYFI9lVqb46tj6OsbDd8rfTGSx:t2Udvk1EkIKu5UYFIbVqb46tqunhx
                    TLSH:5C6307053BE99029F3BE8F7469F6658446F9F5AF2902D51D1CC450CE0632B829A81FFB
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Jd................................. ... ....@.. .......................`............`................................
                    Icon Hash:00928e8e8686b000
                    Entrypoint:0x411a2e
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Time Stamp:0x644ACFBA [Thu Apr 27 19:40:42 2023 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                    Instruction
                    jmp dword ptr [00402000h]
                    add byte ptr [eax], al (repeated 97 times)
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x119d4 | 0x57 | .text
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x2000 | 0xfa34 | 0xfc00 | c913022831794b6a14a146cbf23d2b6a | False | 0.4954272073412698 | data | 5.542886767246923 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .reloc | 0x14000 | 0xc | 0x200 | 3307fac5880b3b0d8599f5c16faf07da | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2cc | data | - | - | 0.43575418994413406
RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | - | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-09T01:12:06.587053+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
2025-01-09T01:12:06.587053+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
2025-01-09T01:12:06.587053+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
2025-01-09T01:12:06.587053+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 85.239.237.148 | 1998 | 192.168.2.5 | 49704 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    Jan 9, 2025 01:14:59.108506918 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.111001968 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.115770102 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.115825891 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.120573997 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.351552010 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.356376886 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.356547117 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.361294031 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.655715942 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.710350990 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.785469055 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.787405014 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.792196035 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:14:59.792251110 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:14:59.797096014 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:01.222783089 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:01.269593000 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:01.269706011 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.214257002 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.219060898 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:06.219176054 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.223942995 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:06.503370047 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:06.554076910 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.626728058 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:06.630448103 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.635212898 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:06.635277987 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:06.640028000 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.070216894 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:13.075007915 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.075064898 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:13.079859018 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.339786053 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.382199049 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:13.469733000 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.471441984 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:13.476201057 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:13.476268053 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:13.481061935 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:14.476457119 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:14.481292009 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:14.481419086 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:14.486164093 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:14.757570982 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:14.804088116 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.795093060 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:15.795284033 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:15.795558929 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:15.795943022 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:15.796036005 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.796036005 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.796168089 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.817831039 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.822699070 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:15.822921991 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:15.827646017 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.341079950 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:21.345824957 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.345889091 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:21.350696087 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.612896919 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.663477898 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:21.735862017 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.742645979 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:21.747459888 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:21.747576952 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:21.752357960 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.289072037 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:23.293891907 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.293998003 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:23.298765898 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.570158005 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.616710901 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:23.697552919 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.701515913 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:23.706305981 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:23.706381083 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:23.711153030 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.148405075 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.153250933 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.153367996 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.158143997 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.440839052 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.491920948 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.569482088 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.577385902 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.582201958 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.582336903 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.587192059 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.648293018 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.653091908 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.653161049 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.657984972 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.848974943 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.897854090 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.979842901 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.981643915 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.986500978 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:30.986556053 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:30.991401911 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:31.130453110 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:31.179089069 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:31.257496119 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:31.304138899 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.507709980 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.512563944 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:37.512612104 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.517393112 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:37.789544106 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:37.835336924 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.908080101 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:37.913978100 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.918790102 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:37.918876886 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:37.923655987 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.120187044 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.125015974 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.125149965 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.129955053 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.405888081 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.464211941 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.534518957 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.536920071 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.542355061 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.542629957 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.548372030 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.851794004 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.856622934 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:44.856714964 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:44.861480951 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:45.128366947 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:45.179220915 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:45.257461071 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:45.259334087 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:45.264175892 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:45.264239073 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:45.269011974 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.366949081 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:51.371823072 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.376223087 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:51.381061077 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.647281885 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.694720030 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:51.777497053 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.779141903 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:51.783929110 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:51.784032106 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:51.788835049 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.226520061 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:58.231347084 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.231451988 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:58.236224890 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.495218039 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.538481951 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:58.629616976 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.631937027 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:58.636780977 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:58.636838913 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:58.641653061 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.507615089 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.515055895 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.515393019 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.521691084 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.524327040 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.530729055 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.775930882 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.819708109 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.905493021 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.907883883 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.912743092 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:15:59.912787914 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:15:59.917557001 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:01.127085924 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:01.179099083 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:01.257620096 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:01.306241989 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.382812023 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.387697935 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:06.392307997 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.397070885 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:06.650469065 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:06.700237989 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.767993927 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:06.769886017 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.774661064 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:06.774734974 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:06.779500008 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.024199963 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:08.028990030 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.029078007 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:08.033905983 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.297427893 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.350987911 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:08.425565004 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.426328897 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:08.431107044 CET19984970485.239.237.148192.168.2.5
                    Jan 9, 2025 01:16:08.431178093 CET497041998192.168.2.585.239.237.148
                    Jan 9, 2025 01:16:08.435950994 CET19984970485.239.237.148192.168.2.5
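The packet rows above show the infected client (192.168.2.5:49704) contacting 85.239.237.148:1998 in short bursts a few seconds apart, with the C2 answering each burst within milliseconds; that keep-alive cadence, not any single packet, is what makes the traffic detectable. The Python below is an added example, not part of the Joe Sandbox report or of AsyncRAT: it parses a pipe-separated subset of the table's packets (embedded in the block, copied from the rows above), isolates client-initiated bursts on the flow, and scores the inter-burst timing for periodicity. The 1-second idle threshold that separates bursts and the 0.25 coefficient-of-variation cut-off are illustrative assumptions chosen for this sample, not constants taken from the report.

```python
from __future__ import annotations

import re
import statistics
from dataclasses import dataclass
from datetime import datetime

# Sample input: a subset of the TCP packet rows from the table above
# (client 192.168.2.5:49704 <-> 85.239.237.148:1998), one packet per line as
# "timestamp | source port | dest port | source IP | dest IP".
SAMPLE_ROWS = """\
Jan 9, 2025 01:14:44.070215940 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:14:44.075057983 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:14:44.398185968 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:14:44.497263908 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:14:50.929832935 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:14:50.934665918 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:14:51.348956108 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:14:52.304589033 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:14:52.713182926 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:14:58.695342064 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:14:59.120573997 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:15:06.214257002 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
Jan 9, 2025 01:15:06.640028000 CET | 1998 | 49704 | 85.239.237.148 | 192.168.2.5
Jan 9, 2025 01:15:13.070216894 CET | 49704 | 1998 | 192.168.2.5 | 85.239.237.148
"""

_TS = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) [A-Z]+$")


@dataclass(frozen=True)
class Packet:
    ts: datetime
    sport: int
    dport: int
    src: str
    dst: str


def parse_timestamp(text: str) -> datetime:
    """Parse the report's 'Mon D, YYYY HH:MM:SS.nnnnnnnnn TZ' timestamp.
    The zone label is dropped (every row shares it) and the nine-digit
    fraction is truncated to the six digits that %f accepts."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    base, frac = m.groups()
    return datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")


def parse_rows(text: str) -> list[Packet]:
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = (f.strip() for f in line.split("|"))
        pkts.append(Packet(parse_timestamp(ts), int(sport), int(dport), src, dst))
    return sorted(pkts, key=lambda p: p.ts)


def burst_intervals(pkts: list[Packet], client: str, server: str,
                    idle: float = 1.0) -> list[float]:
    """Seconds between successive client-initiated bursts on one flow.
    A burst starts at a client->server packet that follows at least `idle`
    seconds of silence on the flow (the first client packet always counts);
    replies and the follow-up packets inside a burst do not start a new one."""
    starts: list[datetime] = []
    prev: datetime | None = None
    for p in pkts:
        if {p.src, p.dst} != {client, server}:
            continue
        if p.src == client and (prev is None or (p.ts - prev).total_seconds() >= idle):
            starts.append(p.ts)
        prev = p.ts
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]


def looks_like_beacon(intervals: list[float], min_samples: int = 3,
                      max_cv: float = 0.25) -> bool:
    """Flag a low-jitter periodic pattern: enough samples and a coefficient
    of variation (stdev / mean) at or below `max_cv`. Thresholds are
    illustrative assumptions, not tuned values."""
    if len(intervals) < min_samples:
        return False
    mean = statistics.fmean(intervals)
    if mean <= 0:
        return False
    return statistics.pstdev(intervals) / mean <= max_cv


if __name__ == "__main__":
    gaps = burst_intervals(parse_rows(SAMPLE_ROWS), "192.168.2.5", "85.239.237.148")
    print("burst intervals (s):", [round(g, 3) for g in gaps])
    print("beaconing:", looks_like_beacon(gaps))
```

On the embedded rows the client bursts land about 7 s apart with roughly half a second of jitter, which the CV check accepts as periodic; an interactive session, with gaps of seconds to minutes between bursts, would fail it. Keying on the gap before a client packet, rather than on every client packet, is what keeps the multi-packet exchange inside each burst from polluting the interval series.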
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    Jan 9, 2025 01:12:07.006849051 CET | 1.1.1.1 | 192.168.2.5 | 0xa2ad | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                    Jan 9, 2025 01:12:07.006849051 CET | 1.1.1.1 | 192.168.2.5 | 0xa2ad | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false


                    Target ID: 0
                    Start time: 19:12:00
                    Start date: 08/01/2025
                    Path: C:\Users\user\Desktop\EEdSGSana5.exe
                    Wow64 process (32bit): true
                    Commandline: "C:\Users\user\Desktop\EEdSGSana5.exe"
                    Imagebase: 0x9d0000
                    File size: 67'584 bytes
                    MD5 hash: A3B822DEAE3813848F93CFF1574BD5D4
                    Has elevated privileges: true
                    Has administrator privileges: true
                    Programmed in: C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                    • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                    • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.2028836715.00000000009D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4489374594.0000000002D91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    Reputation: low
                    Has exited: false


                      Execution Graph

                      Execution Coverage: 6.7%
                      Dynamic/Decrypted Code Coverage: 100%
                      Signature Coverage: 0%
                      Total number of Nodes: 48
                      Total number of Limit Nodes: 4
                      execution_graph (nodes as id: address [API called at that node]; "->" lists the node's outgoing edges)
                      • 16099: 1147fe0 [DuplicateHandle] -> 16100
                      • 16100: 1148076
                      • 16101: 1147d98 -> 16102
                      • 16102: 1147dde [GetCurrentProcess] -> 16104, 16105
                      • 16104: 1147e30 [GetCurrentThread] -> 16106, 16107
                      • 16105: 1147e29 -> 16104
                      • 16106: 1147e66 -> 16107
                      • 16107: 1147e6d [GetCurrentProcess] -> 16110
                      • 16108: 1147ecb [GetCurrentThreadId] -> 16109
                      • 16109: 1147efc
                      • 16110: 1147ea3 -> 16108
                      • 16111: 1142dc8 -> 16112
                      • 16112: 1142e0c [SetWindowsHookExW] -> 16114
                      • 16114: 1142e52
                      • 16115: 11485f8 -> 16116
                      • 16116: 1148626 -> 16119
                      • 16118: 1148646 -> 16118
                      • 16119: 1147c3c -> 16120
                      • 16120: 1147c47 -> 16121, 16123
                      • 16121: 1148ee4 -> 16118
                      • 16123: 114ab68 -> 16124
                      • 16124: 114ab89 -> 16125, 16128, 16132
                      • 16125: 114abad -> 16121
                      • 16128: 114ad18 -> 16129
                      • 16129: 114ad25 -> 16130, 16136
                      • 16130: 114ad5e -> 16125
                      • 16132: 114ad08 -> 16133
                      • 16133: 114ad18 -> 16134, 16135
                      • 16134: 114931c [KiUserCallbackDispatcher] -> 16135
                      • 16135: 114ad5e -> 16125
                      • 16136: 114931c -> 16137
                      • 16137: 1149327 -> 16139, 16140
                      • 16139: 114add0
                      • 16140: 1149350 -> 16141
                      • 16141: 114935b -> 16144
                      • 16143: 114ae3f -> 16139
                      • 16144: 1149360 -> 16145
                      • 16145: 114936b -> 16150
                      • 16147: 114c160 -> 16143
                      • 16148: 114ab68 [KiUserCallbackDispatcher] -> 16147
                      • 16149: 114bf38 -> 16147, 16148
                      • 16150: 114bd1c -> 16151
                      • 16151: 114bd27 -> 16152, 16154
                      • 16152: 114d74a -> 16149
                      • 16154: 114d798 -> 16155
                      • 16155: 114d7eb -> 16156, 16157
                      • 16156: 114d7f6 [KiUserCallbackDispatcher] -> 16157
                      • 16157: 114d820 -> 16152

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 01147E16
                      • GetCurrentThread.KERNEL32 ref: 01147E53
                      • GetCurrentProcess.KERNEL32 ref: 01147E90
                      • GetCurrentThreadId.KERNEL32 ref: 01147EE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: 0116dfda5f4ab1e8c4d7796b2605fae9c21e43783dae2d3044fee3127e21ed42
                      • Instruction ID: eb86672ac6e9ffc2e3d9145d91281ae3abb707a260fd2dffde81f6ac693a1de2
                      • Opcode Fuzzy Hash: 0116dfda5f4ab1e8c4d7796b2605fae9c21e43783dae2d3044fee3127e21ed42
                      • Instruction Fuzzy Hash: 4C5154B0D002098FDB18DFAAD548BEEBBF5EF48314F208859E409B7390D7359948CB66

                      Control-flow Graph

                      APIs
                      • GetCurrentProcess.KERNEL32 ref: 01147E16
                      • GetCurrentThread.KERNEL32 ref: 01147E53
                      • GetCurrentProcess.KERNEL32 ref: 01147E90
                      • GetCurrentThreadId.KERNEL32 ref: 01147EE9
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: Current$ProcessThread
                      • String ID:
                      • API String ID: 2063062207-0
                      • Opcode ID: f2bdbc177b4e04457407801578dd14a033598a7cda9efe9706f2dcb5c74ba613
                      • Instruction ID: 18028ab85e2ded7154c3e37c0c15807cd699e0db401ca3d490aec4f913aa2d32
                      • Opcode Fuzzy Hash: f2bdbc177b4e04457407801578dd14a033598a7cda9efe9706f2dcb5c74ba613
                      • Instruction Fuzzy Hash: DB5154B0D002498FDB18DFAAD548BEEBBF5EF48314F208859E419B7390D7359948CB66
                      Memory Dump Source
                      • Source File: 00000000.00000002.4491618468.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7260000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d5530b6b80ab157ff4f8e7a647e4f9084fb0772cb98dfac91ad0c47332d5d6f6
                      • Instruction ID: b426a74f389c018b70c0f8807f574364a2e6416bb20870f6764fe64c6d4865b3
                      • Opcode Fuzzy Hash: d5530b6b80ab157ff4f8e7a647e4f9084fb0772cb98dfac91ad0c47332d5d6f6
                      • Instruction Fuzzy Hash: BED26D70B21205CFCB68EB34E4AC62D77E3EBCA304B504969D44A9B394DF359C86DB52

                      Control-flow Graph
                      (basic blocks as id: address range [API called in that block]; "->" lists the block's outgoing edges)
                      • 888: 1147fd8-1148074 [DuplicateHandle] -> 889, 890
                      • 889: 1148076-114807c -> 890
                      • 890: 114807d-114809a
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01148067
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: f4452aa6425b64a31f8e8f1ffbc09d0d14f27f31cb3bdb8dbb9ce1cb126299b8
                      • Instruction ID: d9c35b37eae7ee481a1b2b16e6cb7dc017796463a6375ea51feb1fd378a8d83f
                      • Opcode Fuzzy Hash: f4452aa6425b64a31f8e8f1ffbc09d0d14f27f31cb3bdb8dbb9ce1cb126299b8
                      • Instruction Fuzzy Hash: A921DFB5D102499FDB11CFAAD584AEEBFF5FB48320F14842AE918A3350C375A944CFA1

                      Control-flow Graph
                      (basic blocks as id: address range [API called in that block]; "->" lists the block's outgoing edges)
                      • 893: 1142dc0-1142dc1 -> 894, 895
                      • 894: 1142dc3-1142e12 -> 902, 903
                      • 895: 1142e1f-1142e50 [SetWindowsHookExW] -> 897, 898
                      • 902: 1142e14 -> 905
                      • 903: 1142e1e -> 895
                      • 905: 1142e1c -> 903
                      • 897: 1142e52-1142e58 -> 898
                      • 898: 1142e59-1142e7e
                      APIs
                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01142E43
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: HookWindows
                      • String ID:
                      • API String ID: 2559412058-0
                      • Opcode ID: a5a5ecd1c54df21416ec819c7b90a4aaecdedbdea1f886de951f27907674bc39
                      • Instruction ID: a27d0689f448161d4c93b796eba75737fa747a0bdface91b24b9fedd6c0a6cc2
                      • Opcode Fuzzy Hash: a5a5ecd1c54df21416ec819c7b90a4aaecdedbdea1f886de951f27907674bc39
                      • Instruction Fuzzy Hash: A22135B5D002199FDB28DFA9D844BEEFBF4EB88310F148429E519B7250C774A941CFA1

                      Control-flow Graph
                      (basic blocks as id: address range [API called in that block]; "->" lists the block's outgoing edges)
                      • 906: 1147fe0-1148074 [DuplicateHandle] -> 907, 908
                      • 907: 1148076-114807c -> 908
                      • 908: 114807d-114809a
                      APIs
                      • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 01148067
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: DuplicateHandle
                      • String ID:
                      • API String ID: 3793708945-0
                      • Opcode ID: 5d007919ecb9cf9a951379d0eef40e40e812f2a17e4901166d7f355b6c7b97c0
                      • Instruction ID: 8611176b27b74222ad4c95a11a7dcfec1c4bf24f9b050fc153eeab6fc3acbfef
                      • Opcode Fuzzy Hash: 5d007919ecb9cf9a951379d0eef40e40e812f2a17e4901166d7f355b6c7b97c0
                      • Instruction Fuzzy Hash: FB21C2B5D102499FDB10CFAAD984ADEBFF8EB48310F14841AE918A3350D375A954CFA5

                      Control-flow Graph
                      (basic blocks as id: address range [API called in that block]; "->" lists the block's outgoing edges)
                      • 911: 1142dc8-1142e12 -> 913, 914
                      • 913: 1142e14 -> 916
                      • 916: 1142e1c -> 914
                      • 914: 1142e1e-1142e50 [SetWindowsHookExW] -> 917, 918
                      • 917: 1142e52-1142e58 -> 918
                      • 918: 1142e59-1142e7e
                      APIs
                      • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 01142E43
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: HookWindows
                      • String ID:
                      • API String ID: 2559412058-0
                      • Opcode ID: 816062603d6f41a66fa4639c9471575cfd2e5d90101faed1892c15612802f9ca
                      • Instruction ID: 05befd83d69a39dcd7e8200ae0107d9d59c2196a1ceda67405aa0fe2657836c6
                      • Opcode Fuzzy Hash: 816062603d6f41a66fa4639c9471575cfd2e5d90101faed1892c15612802f9ca
                      • Instruction Fuzzy Hash: 872113B5D002198FDB24DFAAD844BEEFBF5AB88310F14842AE519B7250C774A945CFA1

Control-flow Graph (legend: Executed / Not Executed)
• Basic blocks: 922 114d798-114d7f4, 924 114d7f6-114d81e (calls KiUserCallbackDispatcher), 925 114d842-114d85b, 926 114d827-114d83b, 927 114d820-114d826
• Edges: 922->924, 922->925, 924->926, 924->927, 926->925, 927->926
                      APIs
                      • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0114D80D
                      Memory Dump Source
                      • Source File: 00000000.00000002.4489108484.0000000001140000.00000040.00000800.00020000.00000000.sdmp, Offset: 01140000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_1140000_EEdSGSana5.jbxd
                      Similarity
                      • API ID: CallbackDispatcherUser
                      • String ID:
                      • API String ID: 2492992576-0
                      • Opcode ID: b0fc47d211ff389f270bbdd93a642a4df36b811b3b7f1491151c0a3ac4ec47fb
                      • Instruction ID: e93f13a5c95365b216567e3d0079e31ec5b817c2ce03d91e88e85edddd1cd3fe
                      • Opcode Fuzzy Hash: b0fc47d211ff389f270bbdd93a642a4df36b811b3b7f1491151c0a3ac4ec47fb
                      • Instruction Fuzzy Hash: AC119071C043958FEB11CFA9E4047EEBFF4EB15311F148499D498A7782D3785A08CBA2
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4491618468.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7260000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID: Te]q
                      • API String ID: 0-52440209
                      • Opcode ID: eb7a32d5fecbec3741643c2c574ffa1e22422bd99cdc3a033b58f8cfc234b5db
                      • Instruction ID: 876a2557ee4ddac734ed944141413cab5df27ed9db816f9110fd1ec87e1651b2
                      • Opcode Fuzzy Hash: eb7a32d5fecbec3741643c2c574ffa1e22422bd99cdc3a033b58f8cfc234b5db
                      • Instruction Fuzzy Hash: BC11A0717116099FC7049B69C959BAEBBF6AF88710F200069E502E73E1CE71AD05CB91
                      Strings
                      Memory Dump Source
                      • Source File: 00000000.00000002.4491618468.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7260000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID: Te]q
                      • API String ID: 0-52440209
                      • Opcode ID: 03f7389e1831b2878483bd7088430f8e13cdf9b78f5a93965beaa99b24fb73f3
                      • Instruction ID: 705e2577171adcd3bd313fee33669bdb1c6b7eb55f06a74538bd66f6ed5408b5
                      • Opcode Fuzzy Hash: 03f7389e1831b2878483bd7088430f8e13cdf9b78f5a93965beaa99b24fb73f3
                      • Instruction Fuzzy Hash: E701A1707105089FC7049B29C55CB6E7AF6AB88710F200059E102E73E0CF71AD01CB90
                      Memory Dump Source
                      • Source File: 00000000.00000002.4491618468.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7260000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: db99421dd8de25f59854ca888d9036213181868d6e24daca3ffa544fa123b68d
                      • Instruction ID: e0f886cf35e8ceabc7872aada3a54edc3eb9e8360a1538c803f1f21b2217b001
                      • Opcode Fuzzy Hash: db99421dd8de25f59854ca888d9036213181868d6e24daca3ffa544fa123b68d
                      • Instruction Fuzzy Hash: 8A3148B16053468FCB369B7898985AD7FB2EF86220B1409EBD045C7391DA399CC6CB52
                      Memory Dump Source
                      • Source File: 00000000.00000002.4488707929.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_f2d000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 3116be0a7f6ec9f09c18e2495b5bef536f12af41f0f84f9ad4adbc243a83ebff
                      • Instruction ID: dee34a2c516f1c53d2a88e619458961a9f98d049aa6ebbba19721b5d8ad09b05
                      • Opcode Fuzzy Hash: 3116be0a7f6ec9f09c18e2495b5bef536f12af41f0f84f9ad4adbc243a83ebff
                      • Instruction Fuzzy Hash: 46213AB2904244DFDB05DF14E9C0B26BF65FB94328F38C56DD9090B256C376D816E7A2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4488956580.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_10bd000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: d227648c42d35a630381e20539ebaab63f83f5e51a4f315409e22ea562dda0ac
                      • Instruction ID: 85f14979dfc1d23f9552da04f68260a022b8722d92db6df36e9a342db1e84dc9
                      • Opcode Fuzzy Hash: d227648c42d35a630381e20539ebaab63f83f5e51a4f315409e22ea562dda0ac
                      • Instruction Fuzzy Hash: 4E210775604204EFDB05DF58D9C0B66FBA5FB84318F24C9ADD8894B246C33AD446CB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.4488707929.0000000000F2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F2D000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_f2d000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                      • Instruction ID: a8545a557981ca66d61a64f7122b8ae08d98648ed1749513d1b3962e0ad99f72
                      • Opcode Fuzzy Hash: c71a23e6f2891b0ac880f649e89db06405e67f0af756f6891ce480dd6b8289f7
                      • Instruction Fuzzy Hash: 60112676804280CFDF02CF04E5C4B16BF71FB94324F28C1A9D9090B256C336D85ADBA2
                      Memory Dump Source
                      • Source File: 00000000.00000002.4488956580.00000000010BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 010BD000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_10bd000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                      • Instruction ID: f1bbf070fd84f288c8d7df9c01131c3bd61bb8269bfe24d224219961a961d9d7
                      • Opcode Fuzzy Hash: 5ecdbd2196c02b2d36a90ebf2b22d30fffd8b7da1097997a33617a95b9f44a3d
                      • Instruction Fuzzy Hash: EC11BB75504280DFDB06CF54D9C4B15FBA2FB84318F28CAAADC894B656C33AD44ACB61
                      Memory Dump Source
                      • Source File: 00000000.00000002.4491618468.0000000007260000.00000040.00000800.00020000.00000000.sdmp, Offset: 07260000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_0_2_7260000_EEdSGSana5.jbxd
                      Similarity
                      • API ID:
                      • String ID:
                      • API String ID:
                      • Opcode ID: 7de2c79e1da1afd094384253d7d2d3e6dd918b8d9cec9cbdbec04479246d0f2b
                      • Instruction ID: a7656d260310d410b3310c4c7e047a466c7572e64b12a8fe423c9a82df4d1eb8
                      • Opcode Fuzzy Hash: 7de2c79e1da1afd094384253d7d2d3e6dd918b8d9cec9cbdbec04479246d0f2b
                      • Instruction Fuzzy Hash: 8B8260B0710206CFD714EF69C8D8B6EB6E2FF84700F208969E5069B3A5CA79DD46CB51