
Windows Analysis Report
1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe

Overview

General Information

Sample name: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
Analysis ID: 1587332
MD5: 91d66cb0c8827d4910ccfcbc47c47341
SHA1: bddc6177a0b1e74766aad733e3bf2a9d4a8d2fa8
SHA256: 9535dad2b91fa8471968970c7cd34dff2123511f5b451f200a7d7acef8c738f9
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
Yara detected DcRat
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe" MD5: 91D66CB0C8827D4910CCFCBC47C47341)
    • cmd.exe (PID: 5676 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9468.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 1824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 5656 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it could also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Name: DCRat
Description: DCRat is a typical RAT that has been around since at least June 2019.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
Source | Rule | Description | Author | Strings
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65fb:$a1: havecamera
  • 0x9aec:$a2: timeout 3 > NUL
  • 0x9b0c:$a3: START "" "
  • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Rule: rat_win_dcrat_qwqdanchun | Description: Find DcRAT samples (qwqdanchun) based on specific strings | Author: Sekoia.io
  • 0xa146:$str01: DcRatByqwqdanchun
  • 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
  • 0x9808:$str03: Po_ng
  • 0x97de:$str04: Pac_ket
  • 0x9eea:$str05: Perfor_mance
  • 0x9f2e:$str06: Install_ed
  • 0x66dd:$str07: get_IsConnected
  • 0x7036:$str08: get_ActivatePo_ng
  • 0x79be:$str09: isVM_by_wim_temper
  • 0x9824:$str10: save_Plugin
  • 0x9aec:$str11: timeout 3 > NUL
  • 0x9b5e:$str12: ProcessHacker.exe
  • 0x9cce:$str13: Select * from Win32_CacheMemory
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9997:$s2: L2Mgc2NodGFza3MgL2
  • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cce:$q1: Select * from Win32_CacheMemory
  • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
(1 further entry not shown)
Source | Rule | Description | Author | Strings
Source: dump.pcap | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0xa05f0:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
Source: 00000000.00000002.2547808998.00000000030D5000.00000004.00000800.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x5eec:$a2: timeout 3 > NUL
  • 0x5f24:$a3: START "" "
  • 0x4914:$b2: DcRat By qwqdanchun1
  • 0x4b64:$b2: DcRat By qwqdanchun1
Source: 00000000.00000002.2549612060.000000001BA44000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x234c:$b2: DcRat By qwqdanchun1
Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x63fb:$a1: havecamera
  • 0x98ec:$a2: timeout 3 > NUL
  • 0x990c:$a3: START "" "
  • 0x9797:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x984c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 00000000.00000002.2549225816.000000001B809000.00000004.00000020.00020000.00000000.sdmp | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x231d0:$b2: DcRat By qwqdanchun1
(10 further entries not shown)
Source | Rule | Description | Author | Strings
Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack | Rule: Windows_Trojan_DCRat_1aeea1ac | Description: unknown | Author: unknown
  • 0x65fb:$a1: havecamera
  • 0x9aec:$a2: timeout 3 > NUL
  • 0x9b0c:$a3: START "" "
  • 0x9997:$a4: L2Mgc2NodGFza3MgL2NyZWF0ZSAvZiAvc2Mgb25sb2dvbiAvcmwgaGlnaGVzdCAvdG4g
  • 0x9a4c:$a5: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack | Rule: rat_win_dcrat_qwqdanchun | Description: Find DcRAT samples (qwqdanchun) based on specific strings | Author: Sekoia.io
  • 0xa146:$str01: DcRatByqwqdanchun
  • 0x9a4c:$str02: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA==
  • 0x9808:$str03: Po_ng
  • 0x97de:$str04: Pac_ket
  • 0x9eea:$str05: Perfor_mance
  • 0x9f2e:$str06: Install_ed
  • 0x66dd:$str07: get_IsConnected
  • 0x7036:$str08: get_ActivatePo_ng
  • 0x79be:$str09: isVM_by_wim_temper
  • 0x9824:$str10: save_Plugin
  • 0x9aec:$str11: timeout 3 > NUL
  • 0x9b5e:$str12: ProcessHacker.exe
  • 0x9cce:$str13: Select * from Win32_CacheMemory
Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | Author: ditekSHen
  • 0x9a4c:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x9997:$s2: L2Mgc2NodGFza3MgL2
  • 0x9916:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x9964:$s4: VmlydHVhbFByb3RlY3Q
Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attemping to enumerate video devices using WMI | Author: ditekSHen
  • 0x9cce:$q1: Select * from Win32_CacheMemory
  • 0x9d0e:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x9d5c:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x9daa:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
(5 further entries not shown)
        No Sigma rule has matched
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-10T07:50:29.002132+0100 | 2034847 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP
2025-01-10T07:50:29.002132+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP
2025-01-10T07:50:44.670989+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 45.135.232.38 | 5999 | 192.168.2.6 | 49919 | TCP
2025-01-10T07:50:29.002132+0100 | 2848048 | 1 | Domain Observed Used for C2 Detected | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP


        AV Detection

Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Avira: detected
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"Server": "drlas.duckdns.org,", "Ports": "5999", "Version": "1.0.7", "Autorun": "false", "Install_Folder": "%AppData%", "AES_key": "ONIEYu5TdgzF27FrSbiruzYVeQWKFfpu", "Mutex": "DcRatMutex_qwqdanchun", "Certificate": "MIICMDCCAZmgAwIBAgIVAIhNlmebb6nSe6ECHjMpYKJ1i7gvMA0GCSqGSIb3DQEBDQUAMGQxFTATBgNVBAMMDERjUmF0IFNlcnZlcjETMBEGA1UECwwKcXdxZGFuY2h1bjEcMBoGA1UECgwTRGNSYXQgQnkgcXdxZGFuY2h1bjELMAkGA1UEBwwCU0gxCzAJBgNVBAYTAkNOMB4XDTIxMDEyODA1MzU1N1oXDTMxMTEwNzA1MzU1N1owEDEOMAwGA1UEAwwFRGNSYXQwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALz18kcXxyYRNtzNciIOitqVEEKYOOJZOGjSaWOLKz3M/Df8QpKzt86Y+GK3639BYF/OzJ6i8PyJcI4jCe+L56ytnlJDfAYTzg7df+pvpE6bSgYYgBSEMcKBPrpx6bV5z/V8FOCVqlt9xfM47rHzIs6kOkc0Xu0TqFGxVfi3Koj/AgMBAAGjMjAwMB0GA1UdDgQWBBQOZShjgdZ92lUVGT5AalbF4rcBrDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4GBABuRWEmIgb/BjPElBrcq4LuUTHLBWgnJN3yXXtFA+Nl/+mYto5FZMUmzz3mbjKRHuzo79jdei4h1vSO9+2gTFWw1mY8HoeEoyL0YExBQMCoUPjpLJEuAydiWBMXXBmv0zPzE3W7zhG6DRe8pXQkZ2yu8c9G4KxXS1ITmSrlJqBQ6", "ServerSignature": "LUl+TSA5OfYpNCFirGnKVY2PgFqE//sbmddNOLSMH0n+guFtXitTu57o5KL9UVY6AdSPshxtsmNPz+jIc58b7tVHubUfTMuLPeeSRtO9g5rhtyHIRJ1ccmoF6gMeFImBPGtA6RfONX4v4ooFNlds2HDgTXxKLMqme2ugxPVuS3s=", "BDOS": "null", "External_config_on_Pastebin": "false"}
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 40.113.110.67:443 -> 192.168.2.6:49709 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49808 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49925 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49988 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 40.113.103.199:443 -> 192.168.2.6:49989 version: TLS 1.2
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

        Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:5999 -> 192.168.2.6:49826
Source: Network traffic | Suricata IDS: 2034847 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.6:49826
Source: Network traffic | Suricata IDS: 2848048 - Severity 1 - ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) : 45.135.232.38:5999 -> 192.168.2.6:49826
Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 45.135.232.38:5999 -> 192.168.2.6:49919
Source: Malware configuration extractor | URLs: drlas.duckdns.org
Source: unknown | DNS query: name: drlas.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.6:49826 -> 45.135.232.38:5999
Source: Joe Sandbox View | IP Address: 45.135.232.38
Source: Joe Sandbox View | ASN Name: ASBAXETNRU
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | TCP traffic detected without corresponding DNS query: 173.222.162.64
Source: unknown | TCP traffic detected without corresponding DNS query: 40.113.103.199
Source: global traffic | DNS traffic detected: DNS query: drlas.duckdns.org
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547482160.00000000012B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547482160.00000000011F5000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49988

        Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR

        System Summary

        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLEMatched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: dump.pcap, type: PCAPMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Find DcRAT samples (qwqdanchun) based on specific strings Author: Sekoia.io
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing the string DcRatBy Author: ditekSHen
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.12fcbd50.1.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.1ca00000.2.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.1ca00000.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.12fcbd50.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000000.00000002.2547808998.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2549612060.000000001BA44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2549225816.000000001B809000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2549225816.000000001B7D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2550355256.000000001CA00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
        Source: 00000000.00000002.2547482160.0000000001255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTRMatched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD348ADD500_2_00007FFD348ADD50
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489F7E80_2_00007FFD3489F7E8
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD348A00300_2_00007FFD348A0030
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD348930E50_2_00007FFD348930E5
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD348991320_2_00007FFD34899132
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489C07F0_2_00007FFD3489C07F
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489FBED0_2_00007FFD3489FBED
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD348983860_2_00007FFD34898386
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489DBCD0_2_00007FFD3489DBCD
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489FCFA0_2_00007FFD3489FCFA
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD3489773D0_2_00007FFD3489773D
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeCode function: 0_2_00007FFD34897E890_2_00007FFD34897E89
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2548846884.0000000012F11000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll" vs 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000000.2204262220.0000000000C6E000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameClient.exe" vs 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2550355256.000000001CA00000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll" vs 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.0000000002F87000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameOptions.dll" vs 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Binary or memory string: OriginalFilenameClient.exe" vs 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_dcrat_qwqdanchun author = Sekoia.io, description = Find DcRAT samples (qwqdanchun) based on specific strings, creation_date = 2023-01-26, classification = TLP:CLEAR, version = 1.0, reference = https://github.com/qwqdanchun/DcRat, id = 8206a410-48b3-425f-9dcb-7a528673a37a
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
        Source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.12fcbd50.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.1ca00000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.1ca00000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 0.2.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.12fcbd50.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 00000000.00000002.2547808998.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2549612060.000000001BA44000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2549225816.000000001B809000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2549225816.000000001B7D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2550355256.000000001CA00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
        Source: 00000000.00000002.2547482160.0000000001255000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
        Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/5@1/2
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.log
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Mutant created: NULL
        Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1824:120:WilError_03
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_qwqdanchun
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Temp\tmp9468.tmp
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9468.tmp.bat""
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | ReversingLabs: Detection: 81%
        Source: unknown | Process created: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe "C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe"
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9468.tmp.bat""
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: mscoree.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: apphelp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: kernel.appcore.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: windows.storage.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: wldp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: profapi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: cryptsp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: rsaenh.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: cryptbase.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: sspicli.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: msasn1.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: amsi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: mswsock.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: dnsapi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: iphlpapi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: rasadhlp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: fwpuclnt.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: secur32.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: schannel.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: mskeyprotect.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ntasn1.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ncrypt.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ncryptsslp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: gpapi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: cryptnet.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: winnsi.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: winhttp.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: dhcpcsvc6.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: webio.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: cabinet.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: wbemcomn.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: userenv.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: sxs.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: devenum.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: winmm.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: ntmarta.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: devobj.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Section loaded: msdmo.dll
        Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
        Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Code function: 0_2_00007FFD3489082F push ss; ret | 0_2_00007FFD3489083E
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Code function: 0_2_00007FFD348900BD pushad ; iretd | 0_2_00007FFD348900C1
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Code function: 0_2_00007FFD3489F3B8 push esi; retf 5BBDh | 0_2_00007FFD348B6D27

        Boot Survival

        Source: Yara match | File source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE
        Source: Yara match | File source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match | File source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\D0166E0128922C00CE6B F7A2CF016280A5E7A24A46D6E81A704BFCCD6486B35AFEFC4601A8330895F85F
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\cmd.exe, Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: Yara match, File source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE
        Source: Yara match, File source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Memory allocated: 11B0000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Memory allocated: 1AF00000 memory reserve | memory write watch
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Window / User API: threadDelayed 8038
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Window / User API: threadDelayed 1792
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe TID: 6708, Thread sleep time: -30000s >= -30000s
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe TID: 6248, Thread sleep time: -19369081277395017s >= -30000s
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe TID: 5960, Thread sleep count: 8038 > 30
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe TID: 5960, Thread sleep count: 1792 > 30
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, File Volume queried: C:\ FullSizeInformation
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Thread delayed: delay time: 922337203685477
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547482160.00000000012B2000.00000004.00000020.00020000.00000000.sdmp, 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547482160.00000000012D6000.00000004.00000020.00020000.00000000.sdmp, 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2549379433.000000001B8BD000.00000004.00000020.00020000.00000000.sdmp, Binary or memory string: Hyper-V RAW
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Process token adjusted: Debug
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9468.tmp.bat""
        Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\timeout.exe timeout 3
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.0000000003235000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.0000000003235000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: Program Manager@
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Queries volume information: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe VolumeInformation
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
        Source: C:\Windows\System32\cmd.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\cmd.exe, Queries volume information: C:\ VolumeInformation
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: Yara match, File source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, type: SAMPLE
        Source: Yara match, File source: 0.0.1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe.c60000.0.unpack, type: UNPACKEDPE
        Source: Yara match, File source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: MSASCui.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: procexp.exe
        Source: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Binary or memory string: MsMpEng.exe
        Source: C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

        Stealing of Sensitive Information

        Source: Yara match, File source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara match, File source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe PID: 6220, type: MEMORYSTR
        MITRE ATT&CK Matrix (a leading number is the count of matching signatures for that technique; entries without a number have no matching signature)

        Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
        Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
        Execution: 1 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers
        Persistence: 1 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
        Privilege Escalation: 12 Process Injection; 1 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
        Defense Evasion: 1 Masquerading; 1 Modify Registry; 1 Disable or Modify Tools; 31 Virtualization/Sandbox Evasion; 12 Process Injection; 11 Obfuscated Files or Information; 1 DLL Side-Loading
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
        Discovery: 1 Query Registry; 121 Security Software Discovery; 1 Process Discovery; 31 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 13 System Information Discovery; Remote System Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
        Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
        Command and Control: 12 Encrypted Channel; 1 Non-Standard Port; 1 Non-Application Layer Protocol; 22 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
        Source | Detection | Scanner | Label
        1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT
        1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | 100% | Avira | HEUR/AGEN.1307404
        1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe | 100% | Joe Sandbox ML |
        No Antivirus matches
        Source | Detection | Scanner | Label
        drlas.duckdns.org | 0% | Avira URL Cloud | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        bg.microsoft.map.fastly.net | 199.232.210.172 | true | false | | high
        drlas.duckdns.org | 45.135.232.38 | true | true | | unknown
        Name | Malicious | Antivirus Detection | Reputation
        | true | | unknown
        drlas.duckdns.org | true | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe, 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp | false | | high
        IP | Domain | Country | ASN | ASN Name | Malicious
        45.135.232.38 | drlas.duckdns.org | Russian Federation | 49392 | ASBAXETNRU | true
        IP: 192.168.2.6
                Joe Sandbox version:42.0.0 Malachite
                Analysis ID:1587332
                Start date and time:2025-01-10 07:49:08 +01:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 4m 46s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:7
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@7/5@1/2
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 56%
                • Number of executed functions: 11
                • Number of non-executed functions: 3
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                • Excluded IPs from analysis (whitelisted): 192.229.221.95, 199.232.210.172, 13.107.246.45, 20.12.23.50
                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed, report is missing behavior information
                • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                Time | Type | Description
                01:50:29 | API Interceptor | 1x Sleep call for process: 1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe modified
                                    Process:C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                    Category:dropped
                                    Size (bytes):71954
                                    Entropy (8bit):7.996617769952133
                                    Encrypted:true
                                    SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                    MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                    SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                    SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                    SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Process:C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):328
                                    Entropy (8bit):3.2429904267830576
                                    Encrypted:false
                                    SSDEEP:6:kKwVGDL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:YVGDiDImsLNkPlE99SNxAhUe/3
                                    MD5:170841B51CFB6DB18036C8AC2B4C58F1
                                    SHA1:13BD85FB77D71363D011DFED10092E36152C2634
                                    SHA-256:92734317C95EF193A37EC1F89567360224965C09A13734702D1C672EFC52E66C
                                    SHA-512:E90CD32E30C05E0C793FF246DF3352912905938EDC04BFB1B2F04122658D54ACE25820FEB2C825DCA4565864B004A0DD76FD6CDAA9E860BCC993DF4CD268E152
                                    Malicious:false
                                    Reputation:low
                                    Preview:p...... .........W|.+c..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                    Process:C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):1907
                                    Entropy (8bit):5.375380268342155
                                    Encrypted:false
                                    SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkl+vxp3/ell1qHGIs0HKJHNptLHqHj:iqbYqGSI6oPtzHeqKksZp/ellwmj0qJi
                                    MD5:4CEAC8E156C9A1D90AB03AF9133D7A38
                                    SHA1:39ACAE4267BF940B8995DD12CC797DE497B4D73E
                                    SHA-256:7BB4ADB915FC1C1076B35CC3D69402A22EB89878D6269FAF5826FF06958ED0D6
                                    SHA-512:597A202013C9E046449D71BF4C816E98BC7203EDBEB17F3D181400590C36E9E545B6FD7449635719EEF595B8730C066313912B1DA1A7F87AC818082B2C330A7B
                                    Malicious:true
                                    Reputation:low
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.V
                                    Process:C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    File Type:DOS batch file, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):236
                                    Entropy (8bit):5.295808172690044
                                    Encrypted:false
                                    SSDEEP:6:hWKqTtLN2KO9L0Ek8xK197XGw0rDNeN723fTXCk:wdtR2KO9w+xKW/rDN+aLXh
                                    MD5:3D05AAC2E39D259030F55B271D9A6989
                                    SHA1:F4DAD1F4E2432E5CA6462B2169974D7C8961B4F8
                                    SHA-256:82CC4FC6B35F59F1D6372A757511C16B82D46F8977465FD8BF8BC97EADDAC88F
                                    SHA-512:181191F787FC6F8D565375D2A8B01DF175C621CE43E41005A95A6A276363716726B15A62CABD61CE81501E494CA19F994EDB6F2DCD11422A7E441209FFA0EB06
                                    Malicious:false
                                    Reputation:low
                                    Preview:@echo off..timeout 3 > NUL..CD C:\Users\user\Desktop..DEL "1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe" /f /q..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp9468.tmp.bat" /f /q..
                                    Process:C:\Windows\System32\timeout.exe
                                    File Type:ASCII text, with CRLF line terminators, with overstriking
                                    Category:dropped
                                    Size (bytes):60
                                    Entropy (8bit):4.41440934524794
                                    Encrypted:false
                                    SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                                    MD5:3DD7DD37C304E70A7316FE43B69F421F
                                    SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                                    SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                                    SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                                    Malicious:false
                                    Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):5.61761828164522
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                    • Win32 Executable (generic) a (10002005/4) 49.75%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Windows Screen Saver (13104/52) 0.07%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    File size:48'640 bytes
                                    MD5:91d66cb0c8827d4910ccfcbc47c47341
                                    SHA1:bddc6177a0b1e74766aad733e3bf2a9d4a8d2fa8
                                    SHA256:9535dad2b91fa8471968970c7cd34dff2123511f5b451f200a7d7acef8c738f9
                                    SHA512:5c9ac570df36d4822889fa57ff16acf88fb0e55ed88e040443d5f385abae43fad7df5710a07393837edc6995e13fca5cd142c650430e5017a99c3e1acf176627
                                    SSDEEP:768:xGq+s3pUtDILNCCa+Di+0jd3gLqRp8A0PiBMYb5geHuFNxGNKvEgK/JLZVc6KN:8q+AGtQO+GaPAPDbWiyNsknkJLZVclN
                                    TLSH:F2236C0037D8C13AE2FD4BB5A9F2A1458279E6576903CB596CC811EA2F13BC597036FE
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......`................................. ........@.. ....................... ............@................................
                                    Icon Hash:00928e8e8686b000
                                    Entrypoint:0x40cbbe
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE
                                    DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x60930A0B [Wed May 5 21:11:39 2021 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                    Instruction
                                    jmp dword ptr [00402000h]
add byte ptr [eax], al    ; repeated 97 times: the zero bytes following the jmp all decode to this instruction
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xcb68 | 0x53 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0xdf7 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xabc4 | 0xac00 | c45e84d071d614c5ee46942222967e66 | False | 0.5022256540697675 | data | 5.6433375334755755 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0xdf7 | 0xe00 | 2083376922615c09cdda9acfd9305376 | False | 0.4017857142857143 | data | 5.110607648061562 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | 82148d01c3935cf90ef81a3dd1fad607 | False | 0.044921875 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0xe0a0 | 0x2d4 | data | | | 0.4350828729281768
RT_MANIFEST | 0xe374 | 0xa83 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.40245261984392416
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-10T07:50:29.002132+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP
2025-01-10T07:50:29.002132+0100 | 2034847 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP
2025-01-10T07:50:29.002132+0100 | 2848048 | ETPRO MALWARE Observed Malicious SSL Cert (AsyncRAT) | 1 | 45.135.232.38 | 5999 | 192.168.2.6 | 49826 | TCP
2025-01-10T07:50:44.670989+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 45.135.232.38 | 5999 | 192.168.2.6 | 49919 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:50:06.132013083 CET | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:06.132019997 CET | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:06.261193037 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:06.261229992 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:06.261428118 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:06.261869907 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:06.261883974 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:06.444556952 CET | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:07.070242882 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.070452929 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.075671911 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.075691938 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.076077938 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.088617086 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.088645935 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.088653088 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.088787079 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.131324053 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.263334990 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.263423920 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:07.263500929 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.263667107 CET | 49709 | 443 | 192.168.2.6 | 40.113.110.67
Jan 10, 2025 07:50:07.263689995 CET | 443 | 49709 | 40.113.110.67 | 192.168.2.6
Jan 10, 2025 07:50:14.178601980 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.178612947 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.178675890 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.179434061 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.179445028 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.979967117 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.980057955 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.982486963 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.982500076 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.982780933 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.984657049 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.984708071 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:14.984718084 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:14.984834909 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:15.027331114 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:15.159013033 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:15.159106970 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:15.159671068 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:15.160243988 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:15.160264015 CET | 443 | 49736 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:15.160284042 CET | 49736 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:15.741614103 CET | 49673 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:15.741709948 CET | 49674 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:16.053922892 CET | 49672 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:17.753611088 CET | 443 | 49704 | 173.222.162.64 | 192.168.2.6
Jan 10, 2025 07:50:17.753699064 CET | 49704 | 443 | 192.168.2.6 | 173.222.162.64
Jan 10, 2025 07:50:26.311728954 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:26.311770916 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:26.311855078 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:26.312566996 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:26.312581062 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.118375063 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.118663073 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.120063066 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.120078087 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.120291948 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.121932983 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.121932983 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.121954918 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.122195005 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.163338900 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.301204920 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.301446915 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:27.301565886 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.301743031 CET | 49808 | 443 | 192.168.2.6 | 40.113.103.199
Jan 10, 2025 07:50:27.301760912 CET | 443 | 49808 | 40.113.103.199 | 192.168.2.6
Jan 10, 2025 07:50:28.285481930 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:28.290518999 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:28.290604115 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:28.318129063 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:28.322922945 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:28.991379023 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:28.996828079 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:29.002131939 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:29.228600025 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:29.272576094 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:30.405498981 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:30.410283089 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:30.410341978 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:30.415164948 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.082490921 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.132076979 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.278964043 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.294898987 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.299710035 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.299777985 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.304645061 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754081964 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754190922 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754247904 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754256964 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754297972 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.754333973 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754343033 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754378080 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.754483938 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754493952 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754503965 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754514933 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754537106 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.754554033 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.754889965 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754937887 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754946947 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.754987001 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.755271912 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.755326033 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.759169102 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.759218931 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.759229898 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.759274960 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.884433031 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885081053 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885132074 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885157108 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885170937 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885186911 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885194063 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885200977 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885212898 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885230064 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885287046 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885371923 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885412931 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885509014 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885523081 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885536909 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885593891 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885593891 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885672092 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885684013 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885698080 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.885737896 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.885747910 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.886276007 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886291027 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886303902 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886344910 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.886384964 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.886415958 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886435986 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886449099 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886462927 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.886475086 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.886502981 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.887139082 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.887166023 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.887182951 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.887219906 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.887243032 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:42.887294054 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.889205933 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.890016079 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:42.928868055 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.015384912 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015433073 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015444994 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015494108 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.015502930 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015583038 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.015611887 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015625000 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015666962 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.015789032 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015801907 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015815020 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015827894 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.015851974 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.015875101 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
Jan 10, 2025 07:50:43.016062021 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.016067982 CET | 5999 | 49826 | 45.135.232.38 | 192.168.2.6
Jan 10, 2025 07:50:43.016105890 CET | 49826 | 5999 | 192.168.2.6 | 45.135.232.38
                                    Jan 10, 2025 07:50:43.016438961 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016541004 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016583920 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.016592979 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016654015 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016668081 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016695023 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.016791105 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016803026 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016815901 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016827106 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.016833067 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.016861916 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017015934 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017028093 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017060041 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017560005 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017580032 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017592907 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017601013 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017626047 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017795086 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017807007 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017818928 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017831087 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017838001 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017877102 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.017986059 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.017997980 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018034935 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.018503904 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018547058 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018558025 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018589020 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.018691063 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018703938 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018732071 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.018868923 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018881083 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018892050 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018903017 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.018909931 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.018927097 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.019475937 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.019486904 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.019514084 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.020302057 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.020313025 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.020340919 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.069504023 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330516100 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330537081 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330555916 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330568075 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330578089 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330589056 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330600023 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330610991 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330624104 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330629110 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330640078 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330651999 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330657005 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330677986 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330822945 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330833912 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330845118 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330857038 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330864906 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330869913 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.330881119 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.330904961 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331095934 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331106901 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331119061 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331129074 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331140995 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331140995 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331176043 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331196070 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331207991 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331218958 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331231117 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331232071 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331240892 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331252098 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331257105 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331263065 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331276894 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.331283092 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.331300020 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332065105 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332078934 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332088947 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332099915 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332109928 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332112074 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332118034 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332122087 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332133055 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332144022 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332150936 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332154989 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332165956 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332170963 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332175970 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332184076 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332187891 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332200050 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332211018 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.332225084 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.332247972 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.333029985 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333043098 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333053112 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333064079 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333072901 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.333072901 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333085060 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.333098888 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.333126068 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.338272095 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338325024 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338335991 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338360071 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.338454962 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338466883 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338493109 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.338570118 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.338609934 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.360733986 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.365525007 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.370356083 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.370417118 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.375286102 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.884471893 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.885837078 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.889458895 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.889544964 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.890759945 CET59994991945.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.890841007 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.891186953 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:43.894557953 CET59994982645.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:43.896001101 CET59994991945.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:44.665642023 CET59994991945.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:44.666248083 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:44.670989037 CET59994991945.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:44.701884031 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:44.706958055 CET59994991945.135.232.38192.168.2.6
                                    Jan 10, 2025 07:50:44.707055092 CET499195999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:44.712488890 CET498265999192.168.2.645.135.232.38
                                    Jan 10, 2025 07:50:44.890357018 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:44.890403986 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:44.890485048 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:44.891087055 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:44.891103983 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.778808117 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.778889894 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.782510042 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.782519102 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.782753944 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.784409046 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.784468889 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.784476042 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.784745932 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.827325106 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.963174105 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.963248968 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:50:45.963300943 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.963458061 CET49925443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:50:45.963473082 CET4434992540.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:08.623238087 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:08.623270988 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:08.623373032 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:08.623918056 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:08.623931885 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.423871994 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.423971891 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.425896883 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.425909042 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.426153898 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.427611113 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.427681923 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.427687883 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.427824974 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.475330114 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.606277943 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.606373072 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:09.606436968 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.607748985 CET49988443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:09.607770920 CET4434998840.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:40.984044075 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:40.984144926 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:40.984241009 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:40.984827995 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:40.984868050 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.760119915 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.760231018 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.762192011 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.762227058 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.762495995 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.764266014 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.764309883 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.764323950 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.764439106 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.807323933 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.934061050 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.934143066 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:41.934277058 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.934519053 CET49989443192.168.2.640.113.103.199
                                    Jan 10, 2025 07:51:41.934561014 CET4434998940.113.103.199192.168.2.6
                                    Jan 10, 2025 07:51:47.078392029 CET49703443192.168.2.620.190.159.4
                                    Jan 10, 2025 07:51:47.085212946 CET4434970320.190.159.4192.168.2.6
                                    Jan 10, 2025 07:51:47.085268021 CET49703443192.168.2.620.190.159.4
                                    Jan 10, 2025 07:51:49.648036957 CET49707443192.168.2.620.190.159.4
                                    Jan 10, 2025 07:51:49.655132055 CET4434970720.190.159.4192.168.2.6
                                    Jan 10, 2025 07:51:49.655224085 CET49707443192.168.2.620.190.159.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 10, 2025 07:50:28.179986954 CET | 59101 | 53 | 192.168.2.6 | 1.1.1.1
Jan 10, 2025 07:50:28.284655094 CET | 53 | 59101 | 1.1.1.1 | 192.168.2.6
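The packet rows in this report are exported with no separators between timestamp, ports and addresses, which makes them ambiguous to split by eye or by a naive regex ("49925443" reads as 49925/443 or as 4992/5443; "192.168.2.645.135.232.38" reads as 192.168.2.6 + 45.135.232.38 or as 192.168.2.64 + 5.135.232.38). The following Python is an added example, not part of the Joe Sandbox report: it enumerates every consistent reading of a row and keeps the one in which the analysis VM sits on one end with an ephemeral port, then counts packets per remote endpoint and flags ports outside a small allow-list. Two values are assumptions stated in the code: the VM address 192.168.2.6 (taken from the DNS rows) and the Windows ephemeral port floor of 49152. The sample rows are copied verbatim from the TCP and UDP tables above.

```python
"""Parse the flattened packet rows of a Joe Sandbox network table back into fields.

Added example; not part of the sandbox report. Each row runs timestamp, source
port, destination port, source IP and destination IP together with no separator,
so the split is ambiguous. Two constraints resolve it, both assumptions:
the analysis VM is 192.168.2.6, and the VM's side of every flow uses an
ephemeral port (>= 49152, the Windows default dynamic range).
"""
import re
from collections import Counter

LOCAL_IP = "192.168.2.6"        # assumption: the analysis VM's address (see DNS rows)
EPHEMERAL_MIN = 49152           # assumption: Windows dynamic client port range
STANDARD_PORTS = {53, 80, 443}  # anything else is reported as a non-standard port

ROW_RE = re.compile(r"^(?P<ts>.+? (?:CET|UTC))(?P<rest>\d[\d.]*)$")

# Rows copied verbatim from the TCP and UDP tables above.
SAMPLE_ROWS = [
    "Jan 10, 2025 07:50:42.885737896 CET498265999192.168.2.645.135.232.38",
    "Jan 10, 2025 07:50:42.886276007 CET59994982645.135.232.38192.168.2.6",
    "Jan 10, 2025 07:50:43.885837078 CET499195999192.168.2.645.135.232.38",
    "Jan 10, 2025 07:50:43.890759945 CET59994991945.135.232.38192.168.2.6",
    "Jan 10, 2025 07:50:44.890357018 CET49925443192.168.2.640.113.103.199",
    "Jan 10, 2025 07:50:44.890403986 CET4434992540.113.103.199192.168.2.6",
    "Jan 10, 2025 07:50:28.179986954 CET5910153192.168.2.61.1.1.1",
    "Jan 10, 2025 07:50:28.284655094 CET53591011.1.1.1192.168.2.6",
]


def valid_ipv4(text):
    """Dotted quad: four decimal octets 0-255, no leading zeros."""
    parts = text.split(".")
    return len(parts) == 4 and all(
        p.isdigit() and (p == "0" or p[0] != "0") and int(p) <= 255 for p in parts
    )


def valid_port(text):
    """Decimal port 1-65535, no leading zero."""
    return text.isdigit() and text[0] != "0" and int(text) <= 65535


def readings(rest):
    """Every (sport, dport, src, dst) split that consumes `rest` exactly."""
    found = []
    for i in range(1, 6):                      # a port is 1 to 5 digits
        for j in range(1, 6):
            p1, p2, tail = rest[:i], rest[i:i + j], rest[i + j:]
            if not (valid_port(p1) and valid_port(p2)):
                continue
            for k in range(7, len(tail) - 6):  # shortest quad "0.0.0.0" is 7 chars
                if valid_ipv4(tail[:k]) and valid_ipv4(tail[k:]):
                    found.append((int(p1), int(p2), tail[:k], tail[k:]))
    return found


def parse_row(row, local_ip=LOCAL_IP):
    """Return the single reading in which the local host is on one end with an
    ephemeral port. Raises if zero or several readings survive, rather than
    silently picking one."""
    m = ROW_RE.match(row.strip())
    if not m:
        raise ValueError("not a packet row: %r" % row)
    plausible = []
    for sport, dport, src, dst in readings(m.group("rest")):
        outbound = src == local_ip and dst != local_ip and sport >= EPHEMERAL_MIN
        inbound = dst == local_ip and src != local_ip and dport >= EPHEMERAL_MIN
        if outbound or inbound:
            plausible.append((sport, dport, src, dst))
    if len(plausible) != 1:
        raise ValueError("%d readings for row %r" % (len(plausible), row))
    sport, dport, src, dst = plausible[0]
    return {"ts": m.group("ts"), "sport": sport, "dport": dport, "src": src, "dst": dst}


def summarize(rows, local_ip=LOCAL_IP):
    """Packets per remote (ip, port), plus the endpoints on non-standard ports."""
    counts = Counter()
    for row in rows:
        r = parse_row(row, local_ip)
        remote = (r["dst"], r["dport"]) if r["src"] == local_ip else (r["src"], r["sport"])
        counts[remote] += 1
    flagged = sorted(ep for ep in counts if ep[1] not in STANDARD_PORTS)
    return counts, flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_ROWS)
    for (ip, port), n in counts.most_common():
        print("%-16s %5d  %d packets" % (ip, port, n))
    print("non-standard ports:", flagged)
```

On the eight sample rows the only endpoint left on a non-standard port is 45.135.232.38:5999, the address the DNS answer below returns for drlas.duckdns.org; the 443 flows to 40.113.103.199 and the port 53 exchange with 1.1.1.1 fall in the allow-list. Rows that still admit more than one reading (for example a capture whose local host also uses low ports) raise instead of being guessed, so a run over a full export fails loudly on exactly the rows that need a human look.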
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 10, 2025 07:50:28.179986954 CET | 192.168.2.6 | 1.1.1.1 | 0x7ac | Standard query (0) | drlas.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 10, 2025 07:50:28.284655094 CET | 1.1.1.1 | 192.168.2.6 | 0x7ac | No error (0) | drlas.duckdns.org | | 45.135.232.38 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 07:50:29.043571949 CET | 1.1.1.1 | 192.168.2.6 | 0x5dc8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
Jan 10, 2025 07:50:29.043571949 CET | 1.1.1.1 | 192.168.2.6 | 0x5dc8 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port
0 | 192.168.2.6 | 49709 | 40.113.110.67 | 443
Timestamp | Bytes transferred | Direction | Data
2025-01-10 06:50:07 UTC | 70 | OUT | Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 30 65 67 52 55 51 7a 32 58 45 75 35 4c 56 45 6d 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 32 35 66 61 61 38 66 65 62 34 66 66 36 0d 0a 0d 0a
Data Ascii: CNT 1 CON 304\r\nMS-CV: 0egRUQz2XEu5LVEm.1\r\nContext: 3025faa8feb4ff6\r\n\r\n
2025-01-10 06:50:07 UTC | 249 | OUT | Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
2025-01-10 06:50:07 UTC | 1083 | OUT | Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 30 65 67 52 55 51 7a 32 58 45 75 35 4c 56 45 6d 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 32 35 66 61 61 38 66 65 62 34 66 66 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b 77
Data Ascii: ATH 2 CON\DEVICE 1060\r\nMS-CV: 0egRUQz2XEu5LVEm.2\r\nContext: 3025faa8feb4ff6\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+kw
2025-01-10 06:50:07 UTC | 217 | OUT | Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 30 65 67 52 55 51 7a 32 58 45 75 35 4c 56 45 6d 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 33 30 32 35 66 61 61 38 66 65 62 34 66 66 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
Data Ascii: BND 3 CON\WNS 0 196\r\nMS-CV: 0egRUQz2XEu5LVEm.3\r\nContext: 3025faa8feb4ff6\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
2025-01-10 06:50:07 UTC | 14 | IN | Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
Data Ascii: 202 1 CON 58\r\n
2025-01-10 06:50:07 UTC | 58 | IN | Data Raw: 4d 53 2d 43 56 3a 20 62 36 34 61 4c 74 4f 37 74 55 61 79 38 58 64 43 52 6d 31 44 6d 51 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
Data Ascii: MS-CV: b64aLtO7tUay8XdCRm1DmQ.0\r\n\r\nPayload parsing failed.


                                     Session ID: 1 | Source: 192.168.2.6:49736 | Destination: 40.113.103.199:443
                                     Timestamp | Bytes transferred | Direction | Data (CR/LF bytes from Data Raw shown as \r\n in Data Ascii)
                                     2025-01-10 06:50:14 UTC | 71 | OUT
                                     Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 35 5a 35 44 51 61 36 6a 4e 45 47 59 41 2f 69 65 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 34 64 63 33 61 32 34 64 31 65 66 39 36 65 0d 0a 0d 0a
                                     Data Ascii: CNT 1 CON 305\r\nMS-CV: 5Z5DQa6jNEGYA/ie.1\r\nContext: 174dc3a24d1ef96e\r\n\r\n
                                     2025-01-10 06:50:14 UTC | 249 | OUT
                                     Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                     Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                     2025-01-10 06:50:14 UTC | 1084 | OUT (row truncated in the report)
                                     Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 35 5a 35 44 51 61 36 6a 4e 45 47 59 41 2f 69 65 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 34 64 63 33 61 32 34 64 31 65 66 39 36 65 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b
                                     Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: 5Z5DQa6jNEGYA/ie.2\r\nContext: 174dc3a24d1ef96e\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+k
                                     2025-01-10 06:50:14 UTC | 218 | OUT
                                     Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 35 5a 35 44 51 61 36 6a 4e 45 47 59 41 2f 69 65 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 34 64 63 33 61 32 34 64 31 65 66 39 36 65 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                     Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: 5Z5DQa6jNEGYA/ie.3\r\nContext: 174dc3a24d1ef96e\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                     2025-01-10 06:50:15 UTC | 14 | IN
                                     Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                     Data Ascii: 202 1 CON 58\r\n
                                     2025-01-10 06:50:15 UTC | 58 | IN
                                     Data Raw: 4d 53 2d 43 56 3a 20 42 79 48 42 71 6e 62 31 6f 45 71 77 51 33 39 41 7a 35 51 46 43 41 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                     Data Ascii: MS-CV: ByHBqnb1oEqwQ39Az5QFCA.0\r\n\r\nPayload parsing failed.


                                     Session ID: 2 | Source: 192.168.2.6:49808 | Destination: 40.113.103.199:443
                                     Timestamp | Bytes transferred | Direction | Data (CR/LF bytes from Data Raw shown as \r\n in Data Ascii)
                                     2025-01-10 06:50:27 UTC | 71 | OUT
                                     Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 48 65 66 46 63 4f 47 54 62 55 2b 33 4c 78 4d 53 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 65 64 30 39 39 62 31 38 37 30 64 39 34 66 0d 0a 0d 0a
                                     Data Ascii: CNT 1 CON 305\r\nMS-CV: HefFcOGTbU+3LxMS.1\r\nContext: 2eed099b1870d94f\r\n\r\n
                                     2025-01-10 06:50:27 UTC | 249 | OUT
                                     Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                     Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                     2025-01-10 06:50:27 UTC | 1084 | OUT (row truncated in the report)
                                     Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 48 65 66 46 63 4f 47 54 62 55 2b 33 4c 78 4d 53 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 65 64 30 39 39 62 31 38 37 30 64 39 34 66 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b
                                     Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: HefFcOGTbU+3LxMS.2\r\nContext: 2eed099b1870d94f\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+k
                                     2025-01-10 06:50:27 UTC | 218 | OUT
                                     Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 48 65 66 46 63 4f 47 54 62 55 2b 33 4c 78 4d 53 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 32 65 65 64 30 39 39 62 31 38 37 30 64 39 34 66 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                     Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: HefFcOGTbU+3LxMS.3\r\nContext: 2eed099b1870d94f\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                     2025-01-10 06:50:27 UTC | 14 | IN
                                     Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                     Data Ascii: 202 1 CON 58\r\n
                                     2025-01-10 06:50:27 UTC | 58 | IN
                                     Data Raw: 4d 53 2d 43 56 3a 20 4c 2f 41 57 6b 31 79 76 38 30 75 41 4a 66 59 73 56 69 50 32 38 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                     Data Ascii: MS-CV: L/AWk1yv80uAJfYsViP28w.0\r\n\r\nPayload parsing failed.


                                     Session ID: 3 | Source: 192.168.2.6:49925 | Destination: 40.113.103.199:443
                                     Timestamp | Bytes transferred | Direction | Data (CR/LF bytes from Data Raw shown as \r\n in Data Ascii)
                                     2025-01-10 06:50:45 UTC | 70 | OUT
                                     Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 33 44 52 71 70 58 73 67 6e 6b 4b 6e 41 42 38 72 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 65 62 38 35 30 35 61 37 39 66 37 34 36 0d 0a 0d 0a
                                     Data Ascii: CNT 1 CON 304\r\nMS-CV: 3DRqpXsgnkKnAB8r.1\r\nContext: 51eb8505a79f746\r\n\r\n
                                     2025-01-10 06:50:45 UTC | 249 | OUT
                                     Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                     Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                     2025-01-10 06:50:45 UTC | 1083 | OUT (row truncated in the report)
                                     Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 33 44 52 71 70 58 73 67 6e 6b 4b 6e 41 42 38 72 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 65 62 38 35 30 35 61 37 39 66 37 34 36 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b 77
                                     Data Ascii: ATH 2 CON\DEVICE 1060\r\nMS-CV: 3DRqpXsgnkKnAB8r.2\r\nContext: 51eb8505a79f746\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+kw
                                     2025-01-10 06:50:45 UTC | 217 | OUT
                                     Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 33 44 52 71 70 58 73 67 6e 6b 4b 6e 41 42 38 72 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 31 65 62 38 35 30 35 61 37 39 66 37 34 36 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                     Data Ascii: BND 3 CON\WNS 0 196\r\nMS-CV: 3DRqpXsgnkKnAB8r.3\r\nContext: 51eb8505a79f746\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                     2025-01-10 06:50:45 UTC | 14 | IN
                                     Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                     Data Ascii: 202 1 CON 58\r\n
                                     2025-01-10 06:50:45 UTC | 58 | IN
                                     Data Raw: 4d 53 2d 43 56 3a 20 4e 53 52 79 7a 31 59 51 4c 55 2b 6f 47 4f 38 6e 47 4c 7a 4e 52 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                     Data Ascii: MS-CV: NSRyz1YQLU+oGO8nGLzNRw.0\r\n\r\nPayload parsing failed.


                                     Session ID: 4 | Source: 192.168.2.6:49988 | Destination: 40.113.103.199:443
                                     Timestamp | Bytes transferred | Direction | Data (CR/LF bytes from Data Raw shown as \r\n in Data Ascii)
                                     2025-01-10 06:51:09 UTC | 70 | OUT
                                     Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 34 0d 0a 4d 53 2d 43 56 3a 20 6e 61 67 58 4a 4d 4d 6b 46 55 65 56 74 6f 39 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 61 35 62 65 31 62 34 62 35 66 31 39 39 0d 0a 0d 0a
                                     Data Ascii: CNT 1 CON 304\r\nMS-CV: nagXJMMkFUeVto93.1\r\nContext: 5fa5be1b4b5f199\r\n\r\n
                                     2025-01-10 06:51:09 UTC | 249 | OUT
                                     Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                     Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                     2025-01-10 06:51:09 UTC | 1083 | OUT (row truncated in the report)
                                     Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 30 0d 0a 4d 53 2d 43 56 3a 20 6e 61 67 58 4a 4d 4d 6b 46 55 65 56 74 6f 39 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 61 35 62 65 31 62 34 62 35 66 31 39 39 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b 77
                                     Data Ascii: ATH 2 CON\DEVICE 1060\r\nMS-CV: nagXJMMkFUeVto93.2\r\nContext: 5fa5be1b4b5f199\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+kw
                                     2025-01-10 06:51:09 UTC | 217 | OUT
                                     Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 36 0d 0a 4d 53 2d 43 56 3a 20 6e 61 67 58 4a 4d 4d 6b 46 55 65 56 74 6f 39 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 35 66 61 35 62 65 31 62 34 62 35 66 31 39 39 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                     Data Ascii: BND 3 CON\WNS 0 196\r\nMS-CV: nagXJMMkFUeVto93.3\r\nContext: 5fa5be1b4b5f199\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                     2025-01-10 06:51:09 UTC | 14 | IN
                                     Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                     Data Ascii: 202 1 CON 58\r\n
                                     2025-01-10 06:51:09 UTC | 58 | IN
                                     Data Raw: 4d 53 2d 43 56 3a 20 63 37 5a 34 34 48 32 75 4e 6b 53 6a 63 4f 33 77 35 46 6b 42 70 77 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                     Data Ascii: MS-CV: c7Z44H2uNkSjcO3w5FkBpw.0\r\n\r\nPayload parsing failed.


                                     Session ID: 5 | Source: 192.168.2.6:49989 | Destination: 40.113.103.199:443
                                     Timestamp | Bytes transferred | Direction | Data (CR/LF bytes from Data Raw shown as \r\n in Data Ascii)
                                     2025-01-10 06:51:41 UTC | 71 | OUT
                                     Data Raw: 43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 6d 77 6a 2b 57 35 56 4b 54 6b 65 45 41 53 6d 33 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 34 31 62 63 39 63 33 64 61 39 62 33 37 31 0d 0a 0d 0a
                                     Data Ascii: CNT 1 CON 305\r\nMS-CV: mwj+W5VKTkeEASm3.1\r\nContext: bc41bc9c3da9b371\r\n\r\n
                                     2025-01-10 06:51:41 UTC | 249 | OUT
                                     Data Raw: 3c 63 6f 6e 6e 65 63 74 3e 3c 76 65 72 3e 32 3c 2f 76 65 72 3e 3c 61 67 65 6e 74 3e 3c 6f 73 3e 57 69 6e 64 6f 77 73 3c 2f 6f 73 3e 3c 6f 73 56 65 72 3e 31 30 2e 30 2e 30 2e 30 2e 31 39 30 34 35 3c 2f 6f 73 56 65 72 3e 3c 70 72 6f 63 3e 78 36 34 3c 2f 70 72 6f 63 3e 3c 6c 63 69 64 3e 65 6e 2d 43 48 3c 2f 6c 63 69 64 3e 3c 67 65 6f 49 64 3e 32 32 33 3c 2f 67 65 6f 49 64 3e 3c 61 6f 61 63 3e 30 3c 2f 61 6f 61 63 3e 3c 64 65 76 69 63 65 54 79 70 65 3e 31 3c 2f 64 65 76 69 63 65 54 79 70 65 3e 3c 64 65 76 69 63 65 4e 61 6d 65 3e 56 4d 77 61 72 65 32 30 2c 31 3c 2f 64 65 76 69 63 65 4e 61 6d 65 3e 3c 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 74 72 75 65 3c 2f 66 6f 6c 6c 6f 77 52 65 74 72 79 3e 3c 2f 61 67 65 6e 74 3e 3c 2f 63 6f 6e 6e 65 63 74 3e
                                     Data Ascii: <connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer><proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac><deviceType>1</deviceType><deviceName>VMware20,1</deviceName><followRetry>true</followRetry></agent></connect>
                                     2025-01-10 06:51:41 UTC | 1084 | OUT (row truncated in the report)
                                     Data Raw: 41 54 48 20 32 20 43 4f 4e 5c 44 45 56 49 43 45 20 31 30 36 31 0d 0a 4d 53 2d 43 56 3a 20 6d 77 6a 2b 57 35 56 4b 54 6b 65 45 41 53 6d 33 2e 32 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 34 31 62 63 39 63 33 64 61 39 62 33 37 31 0d 0a 0d 0a 3c 64 65 76 69 63 65 3e 3c 63 6f 6d 70 61 63 74 2d 74 69 63 6b 65 74 3e 74 3d 45 77 43 34 41 75 70 49 42 41 41 55 31 62 44 47 66 64 61 7a 69 44 66 58 70 6a 4e 35 4e 36 63 59 68 54 31 77 62 6d 51 41 41 63 49 38 74 53 6b 55 67 67 44 65 59 77 51 31 78 76 67 43 45 63 64 51 33 44 33 54 58 31 43 70 67 56 75 6e 50 66 54 79 74 6c 7a 4f 44 2b 68 35 52 4c 73 6b 7a 36 34 58 71 35 4e 6d 69 7a 6a 67 31 71 6a 4d 46 69 4f 74 4e 6e 70 68 73 35 4f 6f 7a 56 56 4b 59 5a 74 45 46 4d 53 4c 58 54 4b 72 71 66 57 51 33 50 2f 70 63 32 4b 70 2b 6b
                                     Data Ascii: ATH 2 CON\DEVICE 1061\r\nMS-CV: mwj+W5VKTkeEASm3.2\r\nContext: bc41bc9c3da9b371\r\n\r\n<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgCEcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+k
                                     2025-01-10 06:51:41 UTC | 218 | OUT
                                     Data Raw: 42 4e 44 20 33 20 43 4f 4e 5c 57 4e 53 20 30 20 31 39 37 0d 0a 4d 53 2d 43 56 3a 20 6d 77 6a 2b 57 35 56 4b 54 6b 65 45 41 53 6d 33 2e 33 0d 0a 43 6f 6e 74 65 78 74 3a 20 62 63 34 31 62 63 39 63 33 64 61 39 62 33 37 31 0d 0a 0d 0a 3c 77 6e 73 3e 3c 76 65 72 3e 31 3c 2f 76 65 72 3e 3c 63 6c 69 65 6e 74 3e 3c 6e 61 6d 65 3e 57 50 4e 3c 2f 6e 61 6d 65 3e 3c 76 65 72 3e 31 2e 30 3c 2f 76 65 72 3e 3c 2f 63 6c 69 65 6e 74 3e 3c 6f 70 74 69 6f 6e 73 3e 3c 70 77 72 6d 6f 64 65 20 6d 6f 64 65 3d 22 30 22 3e 3c 2f 70 77 72 6d 6f 64 65 3e 3c 2f 6f 70 74 69 6f 6e 73 3e 3c 6c 61 73 74 4d 73 67 49 64 3e 30 3c 2f 6c 61 73 74 4d 73 67 49 64 3e 3c 2f 77 6e 73 3e
                                     Data Ascii: BND 3 CON\WNS 0 197\r\nMS-CV: mwj+W5VKTkeEASm3.3\r\nContext: bc41bc9c3da9b371\r\n\r\n<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client><options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>
                                     2025-01-10 06:51:41 UTC | 14 | IN
                                     Data Raw: 32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a
                                     Data Ascii: 202 1 CON 58\r\n
                                     2025-01-10 06:51:41 UTC | 58 | IN
                                     Data Raw: 4d 53 2d 43 56 3a 20 2b 2f 46 39 67 58 30 2b 67 45 6d 30 78 4d 72 31 56 64 79 49 70 67 2e 30 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e
                                     Data Ascii: MS-CV: +/F9gX0+gEm0xMr1VdyIpg.0\r\n\r\nPayload parsing failed.
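                                     The five sessions above are one exchange repeated, and its framing is easier to see once the CR/LF bytes are back in place: each client message opens with a line of the form VERB SEQ CHANNEL [EXTRA] LENGTH (CNT 1 CON 305, ATH 2 CON\DEVICE 1061, BND 3 CON\WNS 0 197), followed by exactly LENGTH bytes made of MS-CV and Context headers, an empty line and an XML body; the 305 of the CNT line is the 56 header bytes of the 71-byte row plus the 249-byte <connect> row that follows it. The peer answers 202 1 CON 58 and a 58-byte payload whose body is "Payload parsing failed.". The body identifies the speaker as the WPN client binding to WNS, i.e. Windows push-notification registration with a Microsoft endpoint, so when isolating the RAT's own beacon treat these sessions as OS background traffic; note also that the <connect> block ships the VM name VMware20,1 to the peer, and that the compact-ticket in the ATH row is a device credential that should not be copied into shared notes.

                                     The Python below is an added example and is not part of the Joe Sandbox report or of the sample: it rebuilds session 1 from the rows above (short rows as the report's Data Raw hex, the two long bodies typed from Data Ascii with the dropped CR/LF bytes restored), parses the frames, checks each declared length against the bytes on the wire, flags the ATH row the report truncates instead of trusting the bytes after it, and reads the device name out of the <connect> XML. The helper names (Frame, parse_stream, session1) are mine.

```python
"""Reassemble and parse the length-prefixed frames from the report's TCP dumps.

Added example, not part of the Joe Sandbox report or the analysed sample. The
rows below are session 1 (192.168.2.6:49736 -> 40.113.103.199:443) as the report
shows them; the long bodies were typed from the "Data Ascii" column with the
CR/LF bytes put back, and their lengths match the "Bytes transferred" column.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

CRLF = b"\r\n"

# Row 1 (71 bytes): "CNT 1 CON 305" plus MS-CV/Context headers, copied as hex from the report.
CNT_HEADER = bytes.fromhex(
    "43 4e 54 20 31 20 43 4f 4e 20 33 30 35 0d 0a 4d 53 2d 43 56 3a 20 35 5a 35 44 51 61 36 6a"
    " 4e 45 47 59 41 2f 69 65 2e 31 0d 0a 43 6f 6e 74 65 78 74 3a 20 31 37 34 64 63 33 61 32 34 64"
    " 31 65 66 39 36 65 0d 0a 0d 0a"
)
# Row 2 (249 bytes): the <connect> body completing the CNT frame (305 = 56 header bytes + 249).
CNT_BODY = (
    b"<connect><ver>2</ver><agent><os>Windows</os><osVer>10.0.0.0.19045</osVer>"
    b"<proc>x64</proc><lcid>en-CH</lcid><geoId>223</geoId><aoac>0</aoac>"
    b"<deviceType>1</deviceType><deviceName>VMware20,1</deviceName>"
    b"<followRetry>true</followRetry></agent></connect>"
)
# Row 3 (1084 bytes on the wire, cut short in the report): device ticket, declared length 1061.
ATH_TRUNCATED = (
    b"ATH 2 CON\\DEVICE 1061\r\nMS-CV: 5Z5DQa6jNEGYA/ie.2\r\nContext: 174dc3a24d1ef96e\r\n\r\n"
    b"<device><compact-ticket>t=EwC4AupIBAAU1bDGfdaziDfXpjN5N6cYhT1wbmQAAcI8tSkUggDeYwQ1xvgC"
    b"EcdQ3D3TX1CpgVunPfTytlzOD+h5RLskz64Xq5Nmizjg1qjMFiOtNnphs5OozVVKYZtEFMSLXTKrqfWQ3P/pc2Kp+k"
)
# Row 4 (218 bytes): the WNS bind, declared length 197.
BND_FRAME = (
    b"BND 3 CON\\WNS 0 197\r\nMS-CV: 5Z5DQa6jNEGYA/ie.3\r\nContext: 174dc3a24d1ef96e\r\n\r\n"
    b"<wns><ver>1</ver><client><name>WPN</name><ver>1.0</ver></client>"
    b'<options><pwrmode mode="0"></pwrmode></options><lastMsgId>0</lastMsgId></wns>'
)
# Rows 5 and 6 (14 + 58 bytes): the peer's reply, copied as hex from the report.
RESPONSE = bytes.fromhex(
    "32 30 32 20 31 20 43 4f 4e 20 35 38 0d 0a"
    " 4d 53 2d 43 56 3a 20 42 79 48 42 71 6e 62 31 6f 45 71 77 51 33 39 41 7a 35 51 46 43 41 2e 30"
    " 0d 0a 0d 0a 50 61 79 6c 6f 61 64 20 70 61 72 73 69 6e 67 20 66 61 69 6c 65 64 2e"
)


@dataclass
class Frame:
    verb: str              # CNT / ATH / BND from the client, a status such as "202" from the peer
    seq: int
    channel: str           # CON, CON\DEVICE or CON\WNS
    extras: List[str]      # e.g. the "0" in "BND 3 CON\WNS 0 197"
    declared: int          # byte count announced at the end of the first line
    headers: Dict[str, str]
    body: bytes
    complete: bool         # False when fewer than `declared` bytes followed the first line


def parse_stream(data: bytes) -> List[Frame]:
    """Split a stream into frames: one CRLF-terminated line, then `declared` payload bytes.

    The payload is a header block ended by an empty line, then the body. A frame
    that is cut short (like the report's ATH row) is returned with complete=False
    and parsing stops there, because the bytes after it cannot be delimited.
    """
    frames: List[Frame] = []
    pos = 0
    while pos < len(data):
        eol = data.find(CRLF, pos)
        if eol == -1:
            raise ValueError(f"no frame line at offset {pos}")
        tokens = data[pos:eol].decode("ascii").split(" ")
        if len(tokens) < 4 or not tokens[-1].isdigit():
            raise ValueError(f"malformed frame line {data[pos:eol]!r}")
        declared = int(tokens[-1])
        payload = data[eol + 2 : eol + 2 + declared]
        sep = payload.find(CRLF + CRLF)
        if sep == -1:
            raise ValueError("header block not terminated")
        headers: Dict[str, str] = {}
        for line in payload[:sep].split(CRLF):
            name, _, value = line.decode("ascii").partition(": ")
            headers[name] = value
        complete = len(payload) == declared
        frames.append(Frame(tokens[0], int(tokens[1]), tokens[2], tokens[3:-1],
                            declared, headers, payload[sep + 4:], complete))
        if not complete:
            break
        pos = eol + 2 + declared
    return frames


def device_name(connect_body: bytes) -> Optional[str]:
    """<agent><deviceName> from the <connect> XML; 'VMware20,1' in this report names the sandbox VM."""
    return ET.fromstring(connect_body).findtext("agent/deviceName")


def session1() -> Dict[str, object]:
    """Parse the four client rows and the reply of session 1 as the report shows them."""
    (cnt,) = parse_stream(CNT_HEADER + CNT_BODY)   # rows 1 and 2 form one 15 + 305 byte frame
    (ath,) = parse_stream(ATH_TRUNCATED)           # the report truncates this row
    (bnd,) = parse_stream(BND_FRAME)
    (resp,) = parse_stream(RESPONSE)
    return {"cnt": cnt, "ath": ath, "bnd": bnd, "resp": resp,
            "device_name": device_name(cnt.body)}


if __name__ == "__main__":
    result = session1()
    for name, frame in result.items():
        if isinstance(frame, Frame):
            print(f"{name}: {frame.verb} seq={frame.seq} channel={frame.channel} "
                  f"declared={frame.declared} body={len(frame.body)}B complete={frame.complete}")
    print("device name announced to the peer:", result["device_name"])
```

                                     The declared-length check is what makes the dumps usable: the ATH row parses as far as its headers and the start of the ticket but is reported incomplete, so nothing after it is mistaken for a new frame, while the CNT, BND and 202 frames account for every byte the report lists for them.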


                                    Target ID:0
                                    Start time:01:50:10
                                    Start date:10/01/2025
                                    Path:C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Users\user\Desktop\1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d2bfc582.dat-decoded.exe"
                                    Imagebase:0xc60000
                                    File size:48'640 bytes
                                    MD5 hash:91D66CB0C8827D4910CCFCBC47C47341
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2547808998.00000000030D5000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2549612060.000000001BA44000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000000.2204241936.0000000000C62000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2549225816.000000001B809000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2549225816.000000001B7D0000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: 00000000.00000002.2550355256.000000001CA00000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2547482160.0000000001255000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2547808998.0000000002F01000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.2547808998.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                    Reputation:low
                                    Has exited:true

                                    Target ID:4
                                    Start time:01:50:43
                                    Start date:10/01/2025
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp9468.tmp.bat""
                                    Imagebase:0x7ff7538d0000
                                    File size:289'792 bytes
                                    MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:5
                                    Start time:01:50:43
                                    Start date:10/01/2025
                                    Path:C:\Windows\System32\conhost.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                    Imagebase:0x7ff66e660000
                                    File size:862'208 bytes
                                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Target ID:6
                                    Start time:01:50:43
                                    Start date:10/01/2025
                                    Path:C:\Windows\System32\timeout.exe
                                    Wow64 process (32bit):false
                                    Commandline:timeout 3
                                    Imagebase:0x7ff6e1d60000
                                    File size:32'768 bytes
                                    MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:moderate
                                    Has exited:true


                                      Execution Graph

                                      Execution Coverage:19.2%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:6
                                      Total number of Limit Nodes:0
                                      execution_graph (two executed paths, both in the dynamically decrypted region at 0x7ffd34890000):
                                      7ffd34892d3d -> 7ffd34892d4b [VirtualProtect] -> 7ffd34892e2b
                                      7ffd348929e1 -> 7ffd348929eb [LoadLibraryA] -> 7ffd34892ad2

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      [control-flow graph omitted; the basic-block edge list is not readable as text] Function at 0x7ffd3489c07f in the dynamically decrypted region 0x7ffd34890000, basic blocks 0x7ffd3489c07f through 0x7ffd3489d1b0, with executed and not-executed blocks distinguished in the original rendering. Subroutines called from its blocks: 0x7ffd34890ac8, 0x7ffd34894a80, 0x7ffd3489aa28, 0x7ffd3489ac58.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 0ox4$0ox4$0ox4$0ox4$0ox4$0ox4$0ox4$HAx4$HAx4
                                      • API String ID: 0-630351626
                                      • Opcode ID: 3591842321db90a843528874145976763fa4096488f4af0fd62eb2752c5fd7af
                                      • Instruction ID: 3de8c1dd9f42adb6e6d2c708c4fcf5d545556869037a44ba61a7a7b3d0a4b106
                                      • Opcode Fuzzy Hash: 3591842321db90a843528874145976763fa4096488f4af0fd62eb2752c5fd7af
                                      • Instruction Fuzzy Hash: 6AB2E321B1CD4A4BEB68EB6884A567977D2FFAA310F14417AD50EC32D7DE3CB8429341
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 2L_H
                                      • API String ID: 0-1203901355
                                      • Opcode ID: 5d7a44434a5ecc10e9476eed8f7366e0a38852b8e0780dd500def0511a563595
                                      • Instruction ID: ed2ef9acd82c90fa9093c0f8be7ac86136e79bfff43ae2abe92e32932ccac9f5
                                      • Opcode Fuzzy Hash: 5d7a44434a5ecc10e9476eed8f7366e0a38852b8e0780dd500def0511a563595
                                      • Instruction Fuzzy Hash: 0933407061CB858FD7B9DB58C4A5AAAB3E1FF99304F10457ED58DC3291CE38A841DB82

                                      Control-flow Graph

                                      Function entered at 7ffd348add50 (rendered graph with executed / not executed block colouring not reproducible in text; edge list omitted). Its blocks call 7ffd3489f438, 7ffd3489f208, 7ffd3489f3d0, 7ffd3489f448, 7ffd3489f4b8, 7ffd3489f4a0, 7ffd3489f408, 7ffd3489f440, 7ffd3489f430, 7ffd348a8048, 7ffd3489f460, 7ffd3489f428 and 7ffd348ae45b.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (gw4$]M_H
                                      • API String ID: 0-2204827320
                                      • Opcode ID: 13640ee1d5f28d2fc7d3df991a0d99c345eadcda3af3f525dd69193b38c426ab
                                      • Instruction ID: 3cf3055dc412dfa4fb516c8ab7f0503bab1013329c695c72b737c82dc68f0bd2
                                      • Opcode Fuzzy Hash: 13640ee1d5f28d2fc7d3df991a0d99c345eadcda3af3f525dd69193b38c426ab
                                      • Instruction Fuzzy Hash: 8332D031B1DA498FEBD4EB1C84A4AB977E2FF99310F0405BAE54DC3296DE68EC418750

                                      Control-flow Graph

                                      Function entered at 7ffd3489f7e8, continuing at 7ffd348d2140 (rendered graph with executed / not executed block colouring not reproducible in text; edge list omitted). Its blocks call 7ffd348d0850 and 7ffd348d0840 repeatedly.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ($m
                                      • API String ID: 0-200552969
                                      • Opcode ID: 54dc49c2ffa6c83d8a3e0d3b069e2b47af363ddc21ef994a3c4085e78781f642
                                      • Instruction ID: c2d0ac6e0b984bc93106af3e3e845ca83ae9ccf4b521e229ea332ba676ff56ec
                                      • Opcode Fuzzy Hash: 54dc49c2ffa6c83d8a3e0d3b069e2b47af363ddc21ef994a3c4085e78781f642
                                      • Instruction Fuzzy Hash: B512C371A096498FE799DF58C8A57A9B7F5FF5A304F1402BEE14DD3282CE386D818B01

                                      Control-flow Graph

                                      Function entered at 7ffd3489fbed (rendered graph with executed / not executed block colouring not reproducible in text; edge list omitted). No call targets appear in its blocks.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: KN_I$_
                                      • API String ID: 0-3582441820
                                      • Opcode ID: 5f75394f6ed75ba0b89a0f918f769c5059ecf7ec7b1af52d9e5613d2c7d2b848
                                      • Instruction ID: 1a915d948c8656e5eee2d99c1eb94196d0180fa7a6dd52ab73e283de953df078
                                      • Opcode Fuzzy Hash: 5f75394f6ed75ba0b89a0f918f769c5059ecf7ec7b1af52d9e5613d2c7d2b848
                                      • Instruction Fuzzy Hash: 38C1D417B0C9A22BD221B7FDB9751EE6F64DF82375B0C51B7D388CE0939968604A83D1

                                      Control-flow Graph

                                      Function entered at 7ffd348930e5 (rendered graph with executed / not executed block colouring not reproducible in text; edge list omitted). Its blocks call 7ffd34891998, 7ffd348919a8, 7ffd348919b8, 7ffd348938d5, 7ffd348919c8, 7ffd348919d8, 7ffd34891988 and 7ffd34890628.
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,
                                      • API String ID: 0-3772416878
                                      • Opcode ID: 4375bf40cb37aa039478a99af1f469e2c6696b046f5576d697bef8e1a0da9f67
                                      • Instruction ID: df3129606738e580d880c66ac32c2899af0d372cc104e1d258cf60b45c8e239b
                                      • Opcode Fuzzy Hash: 4375bf40cb37aa039478a99af1f469e2c6696b046f5576d697bef8e1a0da9f67
                                      • Instruction Fuzzy Hash: 1612A431B189094FEBA9EBA890B97B977E2FF99310F544579D10EC32D6CE38B8419740
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: cx4
                                      • API String ID: 0-2812048196
                                      • Opcode ID: ecaff48f2ec9c81111901a0c81ffbe66c3d7d16c70da93a7c533fb8a044ad5ff
                                      • Instruction ID: aa5eefe6f012125ee5793ea4dbe367e45644666dc1f06c89338d116e23206c35
                                      • Opcode Fuzzy Hash: ecaff48f2ec9c81111901a0c81ffbe66c3d7d16c70da93a7c533fb8a044ad5ff
                                      • Instruction Fuzzy Hash: 7CB102B1B1CE454FE758AB2CA4AAA7577D1FB99314F1441BFE00DC3293CE78A8428785
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 415c8d1ad4df0350d99da2dfb5fd843befa171689eacd69d140cacad05d3cd3d
                                      • Instruction ID: 944ecf15f967819251a7ec09717e4d8d473285bae6fcf6517405f59245f71daa
                                      • Opcode Fuzzy Hash: 415c8d1ad4df0350d99da2dfb5fd843befa171689eacd69d140cacad05d3cd3d
                                      • Instruction Fuzzy Hash: 71F1B630618A4E4FEBA8DF28C8557E93BD1FF55310F04466EE84DC7291DF38A9458B81
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 47b443697e48e48b0c720ab3dc62d2c9be5bf8d881cdaae71b1ea6ef610d1637
                                      • Instruction ID: 0f71daec099cf8dae05a145e2b7880c9b885aaf3faa0026d63de5a47fc9cd4da
                                      • Opcode Fuzzy Hash: 47b443697e48e48b0c720ab3dc62d2c9be5bf8d881cdaae71b1ea6ef610d1637
                                      • Instruction Fuzzy Hash: 39E1B330A08A4D8FEBA8DF68C8A57E97BD1FF55310F14426ED84DC7291DF78A8458B81

                                      Control-flow Graph

                                      Function entered at 7ffd348929e1 (rendered graph with executed / not executed block colouring not reproducible in text; edge list omitted). Its blocks invoke LoadLibraryA and call 7ffd34892b32.
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID: LibraryLoad
                                      • String ID:
                                      • API String ID: 1029625771-0
                                      • Opcode ID: 1a196631940a4bae2531828ede2e41cde21a680fe4b99d3795823b529cd5bd2b
                                      • Instruction ID: a1f56cc46507e6496a58427b5530098288f8a740dd67ae2db608ae20cfbb83ce
                                      • Opcode Fuzzy Hash: 1a196631940a4bae2531828ede2e41cde21a680fe4b99d3795823b529cd5bd2b
                                      • Instruction Fuzzy Hash: AD417030A08A1C8FDB98DF98D855BEDBBF1FF59310F04416AD00DE7252CA74A841CB81
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID: ProtectVirtual
                                      • String ID:
                                      • API String ID: 544645111-0
                                      • Opcode ID: 06ad9c73f0f076ba985471d766b351fa6ef99261366bd6d9685496225cceba80
                                      • Instruction ID: 254687449dca2a130905e6683fa57efa087d8dda243d4ff3913895c6bce2893c
                                      • Opcode Fuzzy Hash: 06ad9c73f0f076ba985471d766b351fa6ef99261366bd6d9685496225cceba80
                                      • Instruction Fuzzy Hash: 5041E83190DB884FDB199BA898566AD7FE0EF57321F0442AFD089D3192CA746406C792
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: _
                                      • API String ID: 0-701932520
                                      • Opcode ID: 69ecba1798962e10200a74d9f20b8500630558ef44cd9d30978880b09c8c97bb
                                      • Instruction ID: afd6d6102e11d4644f2e71296de6de1722f93fc87db5a31dbd3ad5a50d411846
                                      • Opcode Fuzzy Hash: 69ecba1798962e10200a74d9f20b8500630558ef44cd9d30978880b09c8c97bb
                                      • Instruction Fuzzy Hash: 7D91D027B0C57266D221B7FDB9711EE6B68DF82375B085177D38CCE0839968708A83E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b435cf96d3127be79d0c478933bc510baae663e5944baf3690aff5284bfc3a2f
                                      • Instruction ID: 43072e6de3266eba63ec97ab23947dde8db927d799bd2e7f237174cdd08c75a7
                                      • Opcode Fuzzy Hash: b435cf96d3127be79d0c478933bc510baae663e5944baf3690aff5284bfc3a2f
                                      • Instruction Fuzzy Hash: 71D19630A18A8E8FEB68DF28D8557E97BD1FF55310F04426EE84DC7291CF78A9458782
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.2550971191.00007FFD34890000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34890000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_7ffd34890000_1736491685cd440ba02224486139c45779065ac91a3edb422c48d3d3c6920c4d30fc9d.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9dff45d1a2dd3e4ad45db28c440501f08e3244019755081036cc3a3bb526e538
                                      • Instruction ID: d4ca095652411d0777b0deb3348278c580a7f1f9286450f54af8cb8d54d0370c
                                      • Opcode Fuzzy Hash: 9dff45d1a2dd3e4ad45db28c440501f08e3244019755081036cc3a3bb526e538
                                      • Instruction Fuzzy Hash: ECD1B130A0CB4C8FDB59EBA8D855BEDBBB1FF56310F1442AAD04DD7292DA346845CB81