Windows Analysis Report
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe

Overview

General Information

Sample name: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
Analysis ID: 1592213
MD5: 04a1de79844a9148dcbf720090f0bd84
SHA1: 03712e89f2b0b7fe5ed5be05f81a11d3050a71a0
SHA256: 1b0be562bf434314a8d784f0228b72b07fcb4c090c6f06fb16ba6c5af4147b02
Tags: base64-decoded, exe, user-abuse_ch

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected AsyncRAT
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64

Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"External_config_on_Pastebin": "null", "Server": "w98snw73idknf486g37d9ijn3u.duckdns.org", "Ports": "8808", "Version": "| nelsontriana980", "Autorun": "false", "Install_Folder": "dDNhOHVyQUZVMDk2MEx4TjZJd1FuVkdGUDNTOGVrRDk=", "Install_File": "UVtqsevwfbTQsW/o7jVDQp4iOFQ9p87vCNT8Cv4vzeKyz9mnj0FUSj4K65sbR9xyzyHN/d/Fn0BALZdPP9nJrA==", "AES_key": "t3a8urAFU0960LxN6IwQnVGFP3S8ekD9", "Mutex": "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", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source | Rule | Description | Author
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xc5a0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xf438:$a2: Stub.exe
  • 0xf4c8:$a2: Stub.exe
  • 0x9000:$a3: get_ActivatePong
  • 0xc7b8:$a4: vmware
  • 0xc630:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x9f25:$a6: get_SslClient
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x9000:$str01: get_ActivatePong
  • 0x9f25:$str02: get_SslClient
  • 0x9f41:$str03: get_TcpClient
  • 0x841a:$str04: get_SendSync
  • 0x84c8:$str05: get_IsConnected
  • 0x8d44:$str06: set_UseShellExecute
  • 0xc8c6:$str07: Pastebin
  • 0xdf5e:$str08: Select * from AntivirusProduct
  • 0xf438:$str09: Stub.exe
  • 0xf4c8:$str09: Stub.exe
  • 0xc6b0:$str10: timeout 3 > NUL
  • 0xc5a0:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xc630:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xc632:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author
00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xc432:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484 | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484 | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x29f2a:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author
0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | Windows_Trojan_Asyncrat_11a11ba1 | unknown | unknown
  • 0xc5a0:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
  • 0xf438:$a2: Stub.exe
  • 0xf4c8:$a2: Stub.exe
  • 0x9000:$a3: get_ActivatePong
  • 0xc7b8:$a4: vmware
  • 0xc630:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  • 0x9f25:$a6: get_SslClient
0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | rat_win_asyncrat | Detect AsyncRAT based on specific strings | Sekoia.io
  • 0x9000:$str01: get_ActivatePong
  • 0x9f25:$str02: get_SslClient
  • 0x9f41:$str03: get_TcpClient
  • 0x841a:$str04: get_SendSync
  • 0x84c8:$str05: get_IsConnected
  • 0x8d44:$str06: set_UseShellExecute
  • 0xc8c6:$str07: Pastebin
  • 0xdf5e:$str08: Select * from AntivirusProduct
  • 0xf438:$str09: Stub.exe
  • 0xf4c8:$str09: Stub.exe
  • 0xc6b0:$str10: timeout 3 > NUL
  • 0xc5a0:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
  • 0xc630:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0xc632:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-15T22:52:05.389005+0100 | 2035595 | 1 | Domain Observed Used for C2 Detected | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
2025-01-15T22:52:05.389005+0100 | 2035607 | 1 | Domain Observed Used for C2 Detected | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
2025-01-15T22:52:05.389005+0100 | 2842478 | 1 | Malware Command and Control Activity Detected | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP

AV Detection

Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Avira: detected
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "w98snw73idknf486g37d9ijn3u.duckdns.org", "Ports": "8808", "Version": "| nelsontriana980", "Autorun": "false", "Install_Folder": "dDNhOHVyQUZVMDk2MEx4TjZJd1FuVkdGUDNTOGVrRDk=", "Install_File": "UVtqsevwfbTQsW/o7jVDQp4iOFQ9p87vCNT8Cv4vzeKyz9mnj0FUSj4K65sbR9xyzyHN/d/Fn0BALZdPP9nJrA==", "AES_key": "t3a8urAFU0960LxN6IwQnVGFP3S8ekD9", "Mutex": "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", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Virustotal: Detection: 67%
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | ReversingLabs: Detection: 76%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Joe Sandbox ML: detected
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: 8808
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: w98snw73idknf486g37d9ijn3u.duckdns.org
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: | nelsontriana980
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: false
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: 111qqq111QQQ
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: false
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: false
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: null
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: false
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack | String decryptor: 25
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 87.120.112.98:8808 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 87.120.112.98:8808 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 87.120.112.98:8808 -> 192.168.2.4:49730
Source: Network traffic | Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 87.120.112.98:8808 -> 192.168.2.4:49730
Source: Malware configuration extractor | URLs: w98snw73idknf486g37d9ijn3u.duckdns.org
Source: unknown | DNS query: name: w98snw73idknf486g37d9ijn3u.duckdns.org
Source: Yara match | File source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 87.120.112.98:8808
Source: Joe Sandbox View | ASN Name: UNACS-AS-BG8000BurgasBG
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: w98snw73idknf486g37d9ijn3u.duckdns.org
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4127013542.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.0.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4127402160.0000000000B03000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?98f6cb92b4b11
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4127013542.0000000000A6C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en=
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR

System Summary

Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Code function: 0_2_0253D2D8
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Code function: 0_2_02537038
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Code function: 0_2_02537908
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Code function: 0_2_02536CF0
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000000.1671437814.0000000000372000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Binary or memory string: OriginalFilenameStub.exe" vs 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\111qqq111QQQ
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Virustotal: Detection: 67%
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | ReversingLabs: Detection: 76%
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: cryptnet.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: webio.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: cabinet.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                Boot Survival

                Source: Yara match; File source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE
                Source: Yara match; File source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match; File source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE
                Source: Yara match; File source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR
                Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Binary or memory string: SBIEDLL.DLL
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Memory allocated: 2490000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Memory allocated: 2740000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Memory allocated: 2490000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Window / User API: threadDelayed 8278
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Window / User API: threadDelayed 1568
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe TID: 5228; Thread sleep time: -30000s >= -30000s
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe TID: 3636; Thread sleep count: 37 > 30
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe TID: 3636; Thread sleep time: -34126476536362649s >= -30000s
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe TID: 4592; Thread sleep count: 8278 > 30
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe TID: 4592; Thread sleep count: 1568 > 30
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; File Volume queried: C:\ FullSizeInformation
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Thread delayed: delay time: 922337203685477
                Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4127013542.0000000000AB2000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAWx
                Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Binary or memory string: vmware
                Source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4127426296.0000000000B1B000.00000004.00000020.00020000.00000000.sdmp, 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4129881272.0000000004C4F000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Process token adjusted: Debug
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Queries volume information: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe VolumeInformation
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

                Source: Yara match; File source: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, type: SAMPLE
                Source: Yara match; File source: 0.0.1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe.360000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match; File source: 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: Process Memory Space: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe PID: 6484, type: MEMORYSTR
                Source: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe; WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                MITRE ATT&CK Matrix (one line per tactic; a number in parentheses is reproduced as shown next to that technique in the original matrix)

                Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information
                Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server
                Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts
                Execution: Windows Management Instrumentation (1), Scheduled Task/Job (1), At, Cron, Launchd
                Persistence: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
                Privilege Escalation: Scheduled Task/Job (1), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script
                Defense Evasion: Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Obfuscated Files or Information (1), DLL Side-Loading (1), Software Packing
                Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets
                Discovery: Query Registry (1), Security Software Discovery (111), Virtualization/Sandbox Evasion (31), Application Window Discovery (1), System Information Discovery (13)
                Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH
                Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging
                Command and Control: Encrypted Channel (1), Non-Standard Port (1), Non-Application Layer Protocol (1), Application Layer Protocol (21), Fallback Channels
                Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer
                Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact

                Antivirus detection (sample)
                Source | Detection | Scanner | Label
                1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | 68% | Virustotal |
                1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.AsyncRATMarte
                1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | 100% | Avira | TR/Dropper.Gen
                1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                Antivirus detection (URLs / domains)
                Source | Detection | Scanner | Label
                w98snw73idknf486g37d9ijn3u.duckdns.org | 0% | Avira URL Cloud | safe

                Contacted domains
                Name | IP | Active | Malicious | Antivirus Detection | Reputation
                bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high
                w98snw73idknf486g37d9ijn3u.duckdns.org | 87.120.112.98 | true | true | | unknown

                Contacted URLs
                Name | Malicious | Antivirus Detection | Reputation
                w98snw73idknf486g37d9ijn3u.duckdns.org | true | Avira URL Cloud: safe | unknown

                URLs from memory and binaries
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp | false | | high
                Contacted public IPs
                IP | Domain | Country | ASN | ASN Name | Malicious
                87.120.112.98 | w98snw73idknf486g37d9ijn3u.duckdns.org | Bulgaria | 25206 | UNACS-AS-BG8000BurgasBG | true
                Joe Sandbox version: 42.0.0 Malachite
                Analysis ID: 1592213
                Start date and time: 2025-01-15 22:51:08 +01:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 6m 7s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed: 5
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/2@1/1
                EGA Information: Failed
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 62
                • Number of non-executed functions: 1
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                • Excluded IPs from analysis (whitelisted): 199.232.214.172, 20.12.23.50, 13.107.246.45
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Execution Graph export aborted for target 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe, PID 6484 because it is empty
                • Not all processes were analyzed; report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                Time | Type | Description
                16:52:06 | API Interceptor | 8177687x Sleep call for process: 1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe modified
                      No context
                Match: bg.microsoft.map.fastly.net
                Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                • 009.vbe | malicious | AgentTesla | 199.232.210.172
                • Mystery_Check.pdf | malicious | KnowBe4, PDFPhish | 199.232.210.172
                • g6lWBM64S4.msi | malicious | Unknown | 199.232.210.172
                • 1647911459241874440.js | malicious | Strela Downloader | 199.232.210.172
                • 0430tely.pdf | malicious | Unknown | 199.232.210.172
                • Order.xls | malicious | Unknown | 199.232.210.172
                • Order.xls | malicious | Unknown | 199.232.210.172
                • hNgIvHRuTU.dll | malicious | Wannacry | 199.232.214.172
                • ACH REMITTANCE DOCUMENT 15.01.25.xlsb | malicious | Unknown | 199.232.214.172
                • Personliche Nachricht fur e4060738.pdf | malicious | Unknown | 199.232.214.172

                Match: UNACS-AS-BG8000BurgasBG
                Associated Sample Name / URL | Detection | Threat Name | Context (IP)
                • random.exe | malicious | LiteHTTP Bot | 87.120.126.5
                • dlr.mips.elf | malicious | Unknown | 87.120.127.227
                • 1736928425effdd3d663e7ae08ee64667d92e2866d7996db3d213458dc5837f6c732ac1388894.dat-decoded.exe | malicious | XWorm | 87.120.116.179
                • Order Drawing.exe | malicious | Remcos, PureLog Stealer | 87.120.116.245
                • Material Requirments.exe | malicious | Remcos, PureLog Stealer | 87.120.116.245
                • preliminary drawing.pif.exe | malicious | Remcos, PureLog Stealer | 87.120.127.120
                • 5tCuNr661k.exe | malicious | RedLine | 87.120.120.86
                • 5tCuNr661k.exe | malicious | RedLine | 87.120.120.86
                • shaLnqmyTS.exe | malicious | RedLine | 87.120.120.86
                • shaLnqmyTS.exe | malicious | RedLine | 87.120.120.86
                      No context
                Dropped file 1
                Process: C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
                File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category: dropped
                Size (bytes): 71954
                Entropy (8bit): 7.996617769952133
                Encrypted: true
                SSDEEP: 1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5: 49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1: 1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256: B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512: BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious: false
                Reputation: high, very likely benign file
Preview: MSCF cabinet header containing authroot.stl, followed by compressed binary data (not reproduced here)
                      Process:C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):328
                      Entropy (8bit):3.247897867253902
                      Encrypted:false
                      SSDEEP:6:kK5Z9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:+DImsLNkPlE99SNxAhUe/3
                      MD5:FFFA202BD31C828BE1D884E2D0F750AA
                      SHA1:B4621C1281B889CA0CD9F16B1BE7B9F7B38C7978
                      SHA-256:10D926FBBD472B73C46CBCA5A0C33C98B0AA3B1AC1652DF64DE464BB65AD0E5B
                      SHA-512:AAC00A5DBFDDFB997A87963D3EB07B5E4F8696E90FE170BD81DF4B4C25FF5586530D576D32DAE9B379253BF6E547225DD61A37059F2245E6FEB5B4774F38E1C9
                      Malicious:false
                      Reputation:low
Preview: binary header followed by the UTF-16 string http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab "a7282eb40b1da1:0"
                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                      Entropy (8bit):5.392876211244669
                      TrID:
                      • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                      • Win32 Executable (generic) a (10002005/4) 49.75%
                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                      • Windows Screen Saver (13104/52) 0.07%
                      • Generic Win/DOS Executable (2004/3) 0.01%
                      File name:1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
                      File size:64'512 bytes
                      MD5:04a1de79844a9148dcbf720090f0bd84
                      SHA1:03712e89f2b0b7fe5ed5be05f81a11d3050a71a0
                      SHA256:1b0be562bf434314a8d784f0228b72b07fcb4c090c6f06fb16ba6c5af4147b02
                      SHA512:a6fd0ee9fcaaf9908583fa4525b9478acd8e0523ec63acca7ac8dedada5c6d95aca2e2483df8db216bd579f7589d2370ae5c30d1d956fe8dfe2d4efdb06dbc93
                      SSDEEP:1536:z2wmkPN1ak1gcKu5UYFFZNh5b0uPAmVqrPlTGFx:z21kPN1ak1Ku5UYFH5b00qdGx
                      TLSH:BF53F8053BE98026F3BE8F7469F6658506F9F4AB2D12C91D0CC910DE0632BC69951BFB
                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...vjzd................................. ... ....@.. .......................`............`................................
                      Icon Hash:90cececece8e8eb0
                      Entrypoint:0x410ece
                      Entrypoint Section:.text
                      Digitally signed:false
                      Imagebase:0x400000
                      Subsystem:windows gui
                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                      Time Stamp:0x647A6A76 [Fri Jun 2 22:17:26 2023 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major:4
                      OS Version Minor:0
                      File Version Major:4
                      File Version Minor:0
                      Subsystem Version Major:4
                      Subsystem Version Minor:0
                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
(the target is the IAT entry at RVA 0x2000, i.e. mscoree.dll _CorExeMain; the remaining bytes are zero padding that disassembles as repeated add byte ptr [eax], al)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x10e7c | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x12000 | 0x7ff | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xeed4 | 0xf000 | 87eecf007da7bdb27acb7b27df3c5c1f | False | 0.456005859375 | data | 5.430119645902478 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x12000 | 0x7ff | 0x800 | 33cdbc5c50f34a35b4f0e61582ac7f11 | False | 0.41650390625 | data | 4.884866150337139 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x14000 | 0xc | 0x200 | 3722cb6f816dc5b7e4ace4627a19fc91 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x120a0 | 0x2cc | data | | | 0.43575418994413406
RT_MANIFEST | 0x1236c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-15T22:52:05.389005+0100 | 2842478 | ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) | 1 | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
2025-01-15T22:52:05.389005+0100 | 2030673 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
2025-01-15T22:52:05.389005+0100 | 2035595 | ET MALWARE Generic AsyncRAT Style SSL Cert | 1 | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
2025-01-15T22:52:05.389005+0100 | 2035607 | ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) | 1 | 87.120.112.98 | 8808 | 192.168.2.4 | 49730 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 15, 2025 22:54:13.057545900 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:13.062638998 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:13.062705994 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:13.067491055 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:13.400738955 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:13.447630882 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:13.531539917 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:13.533881903 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:13.539638996 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:13.539705992 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:13.544503927 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.450465918 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:16.455482006 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.455655098 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:16.460557938 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.783641100 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.838357925 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:16.912641048 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.915987015 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:16.920902967 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:16.921022892 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:16.925889015 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.010950089 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.015913010 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.015995979 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.020827055 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.303572893 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.369652987 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.438340902 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.478915930 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.535446882 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.540441036 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.540529013 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.545408010 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.564177990 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.569073915 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.569143057 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.574002981 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.834239960 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:21.885288000 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:21.973612070 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:22.029422045 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:22.134182930 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:22.139075994 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:22.143151999 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:22.148006916 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:29.596745968 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:29.597168922 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:29.597193003 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:29.597220898 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:29.597372055 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:29.597372055 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:29.598232985 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.151376009 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.156383991 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:30.156462908 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.161273956 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:30.444297075 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:30.541532993 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.563114882 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:30.565237999 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.570650101 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:30.570720911 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:30.575603008 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.323105097 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:33.330018044 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.330085993 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:33.336460114 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.628031015 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.771992922 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.772134066 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:33.773783922 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:33.784109116 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:33.784198999 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:33.794140100 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:41.916883945 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:41.921854973 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:41.921921015 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:41.926722050 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:42.219089985 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:42.348639011 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:42.349330902 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:42.354876041 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:42.359734058 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:42.360910892 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:42.365699053 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.510912895 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:50.516014099 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.516083002 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:50.520916939 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.812463045 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.854028940 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:50.940459967 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.942384005 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:50.947240114 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:50.947309017 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:50.952152014 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:58.893677950 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:58.947905064 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.020500898 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.072880983 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.104582071 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.109436035 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.109802008 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.114620924 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.405225992 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.447885036 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.532708883 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.534883976 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.539875984 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:54:59.540020943 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:54:59.544866085 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.432785034 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:03.437876940 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.438111067 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:03.442994118 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.739510059 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.791718006 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:03.868618011 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.870713949 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:03.875574112 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:03.876730919 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:03.881587029 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.261404037 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.266536951 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.266736984 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.271611929 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.563018084 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.619991064 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.730561972 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.780673981 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.823615074 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.828558922 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:09.828742981 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:09.833599091 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:17.856796026 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:17.861771107 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:17.862839937 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:17.867662907 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:18.159080982 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:18.213591099 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:18.282835007 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:18.284914017 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:18.291640043 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:18.291722059 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:18.296664000 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.448646069 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:26.453991890 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.454062939 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:26.458971977 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.791188002 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.838653088 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:26.924468040 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.932004929 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:26.936768055 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:26.936928034 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:26.941864967 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:28.908441067 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:28.963677883 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:29.067039967 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:29.119968891 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:33.873317957 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:33.878154039 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:33.878429890 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:33.883145094 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:34.166393995 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:34.213722944 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:34.314770937 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:34.316828012 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:34.321656942 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:34.321712017 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:34.326478004 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.464266062 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:42.469701052 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.469774008 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:42.474720955 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.767788887 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.823250055 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:42.902117968 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.907454014 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:42.912468910 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:42.913243055 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:42.919389963 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.058304071 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:51.063245058 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.063307047 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:51.068125010 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.351180077 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.403069973 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:51.480602980 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.484782934 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:51.489557981 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:51.489869118 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:51.494611025 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:56.901998997 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:56.906877995 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:56.906989098 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:56.911787033 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:57.197650909 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:57.245297909 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:57.330775976 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:57.335865021 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:57.340646982 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:57.341619968 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:57.346396923 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:58.893454075 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:58.948334932 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:55:59.020955086 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:55:59.073373079 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:05.729995966 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:05.734795094 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:56:05.735193014 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:05.739988089 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:56:06.034573078 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:56:06.089020014 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:06.159202099 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:56:06.160176039 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:06.164942980 CET88084973087.120.112.98192.168.2.4
                      Jan 15, 2025 22:56:06.165023088 CET497308808192.168.2.487.120.112.98
                      Jan 15, 2025 22:56:06.169966936 CET88084973087.120.112.98192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 15, 2025 22:52:04.242549896 CET | 64800 | 53 | 192.168.2.4 | 1.1.1.1
Jan 15, 2025 22:52:04.680459023 CET | 53 | 64800 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 15, 2025 22:52:04.242549896 CET | 192.168.2.4 | 1.1.1.1 | 0xf128 | Standard query (0) | w98snw73idknf486g37d9ijn3u.duckdns.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 15, 2025 22:52:04.680459023 CET | 1.1.1.1 | 192.168.2.4 | 0xf128 | No error (0) | w98snw73idknf486g37d9ijn3u.duckdns.org | | 87.120.112.98 | A (IP address) | IN (0x0001) | false
Jan 15, 2025 22:52:06.117882013 CET | 1.1.1.1 | 192.168.2.4 | 0xee6b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
Jan 15, 2025 22:52:06.117882013 CET | 1.1.1.1 | 192.168.2.4 | 0xee6b | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
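The TCP rows above are one long-lived session between the sandbox VM (192.168.2.4, ephemeral port 49730) and the address the duckdns.org name resolved to (87.120.112.98, port 8808), and the client keeps re-initiating short exchanges at a roughly regular cadence. Two things a practitioner wants from such a listing are a parser that survives the fused columns and a measure of that cadence. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling. The embedded rows are copied verbatim from the packet table (a subset: the first burst plus the opening packet pair of five later client-initiated bursts); KNOWN_HOSTS is taken from the DNS tables; the rule that the side using a port of 49152 or above is the client, and the one second of client-side silence used to delimit a burst, are assumptions.

```python
import re
from datetime import datetime
from statistics import median

# Added example, not part of the Joe Sandbox report. Parses the report's
# flattened TCP packet rows (timestamp, ports and IPs fused without separators)
# and measures how often the implant reaches out to its peer.

# Rows copied verbatim from the packet table above (a subset of the bursts).
TCP_ROWS = """\
Jan 15, 2025 22:53:52.107445955 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:53:52.107517004 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:53:52.112358093 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:53:52.150069952 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:53:55.838671923 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:53:55.843580008 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:54:04.432610035 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:54:04.437391043 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:54:13.026257992 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:54:13.031205893 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:54:21.010950089 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:54:21.015913010 CET88084973087.120.112.98192.168.2.4
Jan 15, 2025 22:54:30.151376009 CET497308808192.168.2.487.120.112.98
Jan 15, 2025 22:54:30.156383991 CET88084973087.120.112.98192.168.2.4
"""

# Endpoints taken from the DNS tables: the VM that sent the query and the
# A record returned for the duckdns.org name. A fused row can admit more than
# one legal port/IP split; these known hosts break such ties.
KNOWN_HOSTS = {"192.168.2.4", "87.120.112.98"}

ROW_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(?P<frac>\d+) "
    r"(?P<tz>[A-Z]{3,4})(?P<rest>[\d.]+)$"
)
EPOCH = datetime(1970, 1, 1)


def _num_ok(s, hi):
    """Decimal string with no leading zero (except '0') whose value is <= hi."""
    return s.isdigit() and (s == "0" or s[0] != "0") and int(s) <= hi


def _candidates(rest):
    """Yield every legal (sport, dport, src_ip, dst_ip) split of a fused field.

    Two glued dotted quads contain six dots, so seven dot-separated parts: the
    first holds both ports plus octet 1, the fourth holds octets 4 and 5.
    """
    parts = rest.split(".")
    if len(parts) != 7:
        return
    head, o2, o3, mid, o6, o7, o8 = parts
    for p1 in range(1, 6):                      # source port: 1-5 digits
        for p2 in range(1, 6):                  # destination port: 1-5 digits
            sport, dport, o1 = head[:p1], head[p1:p1 + p2], head[p1 + p2:]
            if len(sport) != p1 or len(dport) != p2 or not 1 <= len(o1) <= 3:
                continue
            if not (_num_ok(sport, 65535) and _num_ok(dport, 65535)
                    and int(sport) and int(dport)):
                continue
            for k in range(1, len(mid)):        # boundary between the two IPs
                octets = (o1, o2, o3, mid[:k], mid[k:], o6, o7, o8)
                if all(_num_ok(o, 255) for o in octets):
                    yield (int(sport), int(dport),
                           ".".join(octets[:4]), ".".join(octets[4:]))


def parse_row(line, known_hosts=KNOWN_HOSTS):
    """Turn one fused report row into a dict with epoch seconds and endpoints."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    cands = list(_candidates(m["rest"]))
    if len(cands) > 1:
        cands = [c for c in cands if {c[2], c[3]} <= known_hosts]
    if len(cands) != 1:
        raise ValueError(f"ambiguous or unparsable endpoints: {line!r}")
    sport, dport, src, dst = cands[0]
    when = datetime.strptime(m["ts"], "%b %d, %Y %H:%M:%S")
    secs = (when - EPOCH).total_seconds() + float("0." + m["frac"])
    return {"t": secs, "sport": sport, "dport": dport, "src": src, "dst": dst}


def beacon_intervals(records, client, gap=1.0):
    """Seconds between starts of client-initiated bursts (a burst starts when
    the client sends after more than `gap` seconds of client-side silence)."""
    ts = sorted(r["t"] for r in records if r["src"] == client)
    starts = [t for i, t in enumerate(ts) if i == 0 or t - ts[i - 1] > gap]
    return [b - a for a, b in zip(starts, starts[1:])]


def summarize(rows=TCP_ROWS, known_hosts=KNOWN_HOSTS):
    recs = [parse_row(l, known_hosts) for l in rows.splitlines() if l.strip()]
    by_dir = {}
    for r in recs:
        key = (f"{r['src']}:{r['sport']}", f"{r['dst']}:{r['dport']}")
        by_dir[key] = by_dir.get(key, 0) + 1
    # Assumption: the implant side uses a Windows ephemeral port (49152+),
    # the peer a fixed listener (8808 here).
    client = next(r["src"] for r in recs if r["sport"] >= 49152)
    ivals = beacon_intervals(recs, client)
    return {
        "client": client,
        "packets_by_direction": by_dir,
        "beacon_intervals_s": [round(v, 3) for v in ivals],
        "median_interval_s": round(median(ivals), 3) if ivals else None,
    }


if __name__ == "__main__":
    for k, v in summarize().items():
        print(f"{k}: {v}")
```

On the embedded subset the client starts a burst every 8 to 9 seconds after the first exchange, with a median gap of about 8.6 s; the same routine run over the full table gives the cadence to look for in proxy or NetFlow data. The two-pass endpoint check matters: the client-to-server rows can be split as either 192.168.2.4 to 87.120.112.98 or 192.168.2.48 to 7.120.112.98, and only the DNS-derived host set decides.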

                      Target ID:0
                      Start time:16:51:59
                      Start date:15/01/2025
                      Path:C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c05b2796.dat-decoded.exe"
                      Imagebase:0x360000
                      File size:64'512 bytes
                      MD5 hash:04A1DE79844A9148DCBF720090F0BD84
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1671414239.0000000000362000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                      • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4128635894.0000000002741000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:false
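One of the Yara matches above, INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, is described as detecting a file that contains reversed ASEP autorun registry keys, that is, a path such as Software\Microsoft\Windows\CurrentVersion\Run stored backwards so that a plain string scan for autorun locations misses it. The Python below is an added illustration of that detection idea; it is not ditekSHen's rule and does not reproduce it. ASEP_KEYS is an assumed list of locations and SAMPLE is a constructed buffer, not bytes from the analysed file.

```python
# Added example: the kind of check the INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse
# description implies, written out so the idea is concrete. Not the rule itself.

# Autostart (ASEP) locations to look for. Assumed list; extend as needed.
ASEP_KEYS = [
    "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
    "Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce",
    "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon",
]


def find_reversed_asep(data, keys=ASEP_KEYS):
    """Return (key, encoding, offset) for every reversed ASEP path in `data`.

    Matches case-insensitively in both narrow (ASCII) and wide (UTF-16LE) form,
    the latter being how a .NET string literal sits in the #US heap. When the
    reversed Run path occurs only as the tail of a reversed RunOnce path, just
    the longer match is reported.
    """
    hay = data.lower()
    raw = []
    for key in keys:
        rev = key[::-1].lower()
        for enc in ("ascii", "utf-16le"):
            pat = rev.encode(enc)
            i = hay.find(pat)
            while i != -1:
                raw.append((i, i + len(pat), key, enc))
                i = hay.find(pat, i + 1)
    hits = [
        (key, enc, s)
        for s, e, key, enc in raw
        if not any(enc2 == enc and s2 <= s and e <= e2 and e2 - s2 > e - s
                   for s2, e2, _, enc2 in raw)
    ]
    return sorted(hits, key=lambda h: h[2])


# Constructed sample buffer (not bytes from the analysed file): a reversed Run
# path in ASCII at offset 16, a reversed RunOnce path in UTF-16LE at offset 69,
# and the un-reversed Run path, which must not match.
SAMPLE = (
    b"\x00" * 16
    + b"nuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS"
    + b"\x00" * 8
    + "ecnOnuR\\noisreVtnerruC\\swodniW\\tfosorciM\\erawtfoS".encode("utf-16le")
    + b"\x00" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run"
)

if __name__ == "__main__":
    for key, enc, off in find_reversed_asep(SAMPLE):
        print(f"{off:#06x} {enc:9s} {key}")
```

The wide-string form is the one that matters for a .NET sample like this one: a C# literal lands in the #US heap as UTF-16LE, so a scanner that only looks for reversed ASCII text will miss it.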

                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID: \VNm
                        • API String ID: 0-2505523818
                        • Opcode ID: afa40b2184e92c5a0aca3911b5993abf4807ab9163cd3db64f0dae2a9992822b
                        • Instruction ID: d5dd01725ab4a96cff46398d3e603b38159609671998695f177d9eb6a9013599
                        • Opcode Fuzzy Hash: afa40b2184e92c5a0aca3911b5993abf4807ab9163cd3db64f0dae2a9992822b
                        • Instruction Fuzzy Hash: 3BB14DB1E10209CFDB15CFA9C8857ADFBF2BF88314F149129E819A7254EB749845CF85
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 59bfb397425a17d32dd6bf5fbe4cd94a07b65bcaf4ddb34599b447d03d95a0cc
                        • Instruction ID: 5cb134ded5d8b5214b6e4eac384811b836a3a8a8b3eb7a43e09a4875558ed709
                        • Opcode Fuzzy Hash: 59bfb397425a17d32dd6bf5fbe4cd94a07b65bcaf4ddb34599b447d03d95a0cc
                        • Instruction Fuzzy Hash: FD824930B002058FDB15EF69C884B2EBBF2FF84304F509969D5468B3A9CB75DD4A8B95
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3bad9317ed9cdec7c5e85ea27335f91a7f02664536b29b90a50c3bff425f63b2
                        • Instruction ID: f64a4fb451ceccfb6d1c5f91f43b5731cf487fcba2673d870d41eda98cf65785
                        • Opcode Fuzzy Hash: 3bad9317ed9cdec7c5e85ea27335f91a7f02664536b29b90a50c3bff425f63b2
                        • Instruction Fuzzy Hash: 2FB14AB0E002098FDF11CFA9D89179DFBF2BF8C314F14A529E815A7294EB749985CB85
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID: a^q$ a^q$,$xbq$3Xp^
                        • API String ID: 0-3903345887
                        • Opcode ID: 409e24034817f1bf84760dbfebbc0af52d8dfc4540efc4126249fc8422c1feec
                        • Instruction ID: 75128fa5d04c835de57c3a5ed258a22ef24ff9a7d3cc20583ccf13d85c2b0a2d
                        • Opcode Fuzzy Hash: 409e24034817f1bf84760dbfebbc0af52d8dfc4540efc4126249fc8422c1feec
                        • Instruction Fuzzy Hash: CD029F347002009FD716EF38D884B6EBBA2BB84314F148529E8199F3A5DB75EC45CBA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID: a^q$ a^q$xbq$3Xp^
                        • API String ID: 0-3530333288
                        • Opcode ID: 16035d40a37701a3d73bd7c2beba31a561d4f0d9f399f77474bc34571bbecc4b
                        • Instruction ID: 75394221a4b435be969c8fdbb0270b1a99574315a257a410c66f9a02fdb09ebb
                        • Opcode Fuzzy Hash: 16035d40a37701a3d73bd7c2beba31a561d4f0d9f399f77474bc34571bbecc4b
                        • Instruction Fuzzy Hash: E66189747403009FD716AF38D884B6ABBE2FB84304F148529E40ADF3A5DB75EC458BA5
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID: (bq$Te^q
                        • API String ID: 0-2856382362
                        • Opcode ID: 646e48d7df88ddccee9cee85499067b20aea3da618b173b1185f815722420725
                        • Instruction ID: c404ff6791fee685cb255987540c73d7c7ecd880fe1a9553f58d30fa28265afb
                        • Opcode Fuzzy Hash: 646e48d7df88ddccee9cee85499067b20aea3da618b173b1185f815722420725
                        • Instruction Fuzzy Hash: 8F516C30B105148FC704DF79C454AAEBBF2FF89710F2581AAE806EB3A1CA71DD018B95
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5dd553ea8c07d86cad03eedffcf685153e2ffd052bf490b9f68656988d004726
                        • Instruction ID: ddd30a6121a228a524b62cbfa2ce8c17f90bc988f435f3318fd540647fd3b68a
                        • Opcode Fuzzy Hash: 5dd553ea8c07d86cad03eedffcf685153e2ffd052bf490b9f68656988d004726
                        • Instruction Fuzzy Hash: D7215E70A002459FCB42FF78E44065EBBA2FFC5310B108669D1158B395EB75AA0A8BD5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: bfe99e7050bc55919fc03a8cc70afdc0786e1d91e21af67b31b1baedbf074a90
                        • Instruction ID: 47134d0148aa3e02c946bd9eda7c3323af1063e2d36dd6db2a6e31487d1c301b
                        • Opcode Fuzzy Hash: bfe99e7050bc55919fc03a8cc70afdc0786e1d91e21af67b31b1baedbf074a90
                        • Instruction Fuzzy Hash: 4F11E075B002049FCB55EF78D8046AA7BF6FF8920070088BAD40ACB355EB34DD11CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5217d190270e530f203998c6c516cb37856f805fb99c475f2b832b5c15788a6
                        • Instruction ID: 46fbc5920a0a452c4d31d38cfcc0f2039fbcbda492a1d09184c58d378c99b7a4
                        • Opcode Fuzzy Hash: f5217d190270e530f203998c6c516cb37856f805fb99c475f2b832b5c15788a6
                        • Instruction Fuzzy Hash: 5C11A175B002059FCB55EB78D80462A7BF6BF88201710887AD00ACB354EF35DD11CB90
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f5b6dd63d6c99916ee02737c96122284d2bbdd43088cbf1cd07b0ffdb032aa22
                        • Instruction ID: ba21737d590264093da2a839e4ab0413f03e1ce92fdbd8f255c73d50f1b707d0
                        • Opcode Fuzzy Hash: f5b6dd63d6c99916ee02737c96122284d2bbdd43088cbf1cd07b0ffdb032aa22
                        • Instruction Fuzzy Hash: 2F11CE7AF001058BCF02CF79D88039EBBB1BB88754F10909AD885AB351E735DD06CBA8
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 149a4e3d67910d7ba649112b15cfd7f75f20235a6ab312f55511c0345c0091a5
                        • Instruction ID: 7de02aff7a2fd4d6fb6c5b72c21adcbc50d50bd6c8e5fe1c548109feb9b1afc6
                        • Opcode Fuzzy Hash: 149a4e3d67910d7ba649112b15cfd7f75f20235a6ab312f55511c0345c0091a5
                        • Instruction Fuzzy Hash: AF11A5786053419FD30ADF29E980615FBE6FFC5214319C1A6D408DB329D730F811CB64
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 37529765f4d03a9093d211df5a99be7a65c2d5bdfcdb5f2599eb3ad0b258b4ba
                        • Instruction ID: 49c493bbd56b036f459cb700be3e2994b5507e7a098bf1010e82ba0ec675006a
                        • Opcode Fuzzy Hash: 37529765f4d03a9093d211df5a99be7a65c2d5bdfcdb5f2599eb3ad0b258b4ba
                        • Instruction Fuzzy Hash: 030142313042404BCB2A7A3998A0A7EB7E3EFCA355704147DE10AC7352CF34DC028791
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 204dc60be3e0c6f9b1b1988a6bff8b0dc38c0d6276da6a257443242ee3b0a57a
                        • Instruction ID: 4c3b3e399d3ca3a8b96519d7a70131fde26fd6b8881b5e2e83c684f105f27586
                        • Opcode Fuzzy Hash: 204dc60be3e0c6f9b1b1988a6bff8b0dc38c0d6276da6a257443242ee3b0a57a
                        • Instruction Fuzzy Hash: EA1100B58002488FCB20DF9AC985BDEFBF4EB48324F208459D558A7350C375A944CFA5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f1dc4ec74a65405501e0560a95091faed25fb6c9d9e5612707471b86c0c89fb1
                        • Instruction ID: 1663b193f523bb6850852984cc2d53c7f50618ca806a92f297978b4e24b9bb5c
                        • Opcode Fuzzy Hash: f1dc4ec74a65405501e0560a95091faed25fb6c9d9e5612707471b86c0c89fb1
                        • Instruction Fuzzy Hash: C711EEB5900249CFCB20DF9AC984BDEFBF4FB48324F208459D559A7250C379A944CFA5
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: cdb6c6f843ca5e02cc6c0efa388aadca591b33b4d0af414d455e8492e788afcb
                        • Instruction ID: 37c81813a2eb818b8efe35286796d95aab64a48b94f2e4d3dfe2f0f30d9b7ba6
                        • Opcode Fuzzy Hash: cdb6c6f843ca5e02cc6c0efa388aadca591b33b4d0af414d455e8492e788afcb
                        • Instruction Fuzzy Hash: 8501282415D3C48FD303A778A825A907F749F47604F0941E7D485CF6A7DB19A809C372
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: ed252b95190bc427fbbb6e17ce89944c3acdfd5053cdd8e385a0daee7ac7f43c
                        • Instruction ID: ae87a6b57f1ea8d5944a2ce0801901b41b116cb9fc0cd8e1614869ad324d46c4
                        • Opcode Fuzzy Hash: ed252b95190bc427fbbb6e17ce89944c3acdfd5053cdd8e385a0daee7ac7f43c
                        • Instruction Fuzzy Hash: 2C01A434900749DFD701FBB8E88566DBB75FF81308B408569C44A9B358EF34A915CBAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 1ad4cbac394780ef32103314f953982eb0469817e96f3a0d39f7898b65464f29
                        • Instruction ID: 89b18c655fae6b5df3ec436927309bdae1928c4d54d751a9d70af23f2d7c59a2
                        • Opcode Fuzzy Hash: 1ad4cbac394780ef32103314f953982eb0469817e96f3a0d39f7898b65464f29
                        • Instruction Fuzzy Hash: 54F0F434C047898FD712FBB8D88566C7B70BF82304B008669C08A9A3D4EB345505CB5A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: fb42df7f0da09d9b5cb6465603ea3745f86842ace6c0874db843ce070cef1c71
                        • Instruction ID: a36a92a7540552f6ef2f43e7d7588da4677725f7975cd6002d2606626b0c1c9c
                        • Opcode Fuzzy Hash: fb42df7f0da09d9b5cb6465603ea3745f86842ace6c0874db843ce070cef1c71
                        • Instruction Fuzzy Hash: 3EF0E5B9A842868FE3129B21C460B787FB0BF05304F152086E0D2DB2A3CB28C905EF24
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 2c2774a1d1de7a38b4e0c71547614c661386e703e3b10582d913a8193e28615c
                        • Instruction ID: 194cae520b67ccb8b6d7956e2cca8e925f0b976aef14ba2175dc100a178d7208
                        • Opcode Fuzzy Hash: 2c2774a1d1de7a38b4e0c71547614c661386e703e3b10582d913a8193e28615c
                        • Instruction Fuzzy Hash: 36E012363002149F8744A67EF88885BB7DAEFC957536548BAF10DC7326DD65DC014790
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 4a2c7db9b6974091acd93d9e1438cb80a6ec9528c7a32de5d1f59ab62f0d59d2
                        • Instruction ID: e7486def26e74829730b30d79bda2194c3a9a8166ab2342e477d4032ed83cdd7
                        • Opcode Fuzzy Hash: 4a2c7db9b6974091acd93d9e1438cb80a6ec9528c7a32de5d1f59ab62f0d59d2
                        • Instruction Fuzzy Hash: 82E08C223001149FC700A7FEE805A9E37D9AF8A258F5400BAE444CB3A6DE209E024791
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 40360ed0463e1535df0eb700c42234e5e2fa31c3e38cde117933b9897ece5954
                        • Instruction ID: 6fce3d807ceba74b63b1fa13d9519522f63e3a449bf6e1865f80d578aa68d372
                        • Opcode Fuzzy Hash: 40360ed0463e1535df0eb700c42234e5e2fa31c3e38cde117933b9897ece5954
                        • Instruction Fuzzy Hash: 5BE04F75901005EFCB40EFA4ED467ADBBB1EB49200F1085AAE818D7350EB70AF149B51
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 283cd0b5f547c2f714c399575a8301439ed38ef5663cbbfbdc35ace0c39f8d5a
                        • Instruction ID: 0f3bb0423778a8f99d8bb636605c17b9ef96341d53865562730045775839a5ca
                        • Opcode Fuzzy Hash: 283cd0b5f547c2f714c399575a8301439ed38ef5663cbbfbdc35ace0c39f8d5a
                        • Instruction Fuzzy Hash: F2D05E354942845FEA01FB68EC02B94B759C780704F045331410D4A399DF58B40A12B6
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 7970e0b679a8def12f75b8a80d24b4d37c8ad49261d8eccf00b78c85b44343f6
                        • Instruction ID: 6eef8fd0e50944d206e968d07488ba5c8bbff86a2e51b377cecd7ee7ce7174a9
                        • Opcode Fuzzy Hash: 7970e0b679a8def12f75b8a80d24b4d37c8ad49261d8eccf00b78c85b44343f6
                        • Instruction Fuzzy Hash: 61D05B7090110CEFCB40EFA8ED4156DBBB9DB45200B1085A9D808D7340DF31AF049B51
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 5cc804b13d9f15facfbd1a2480bc7e8d5afca2af419c92d547c7e0e23f50daaa
                        • Instruction ID: af163c550d47dc16c1792e54d7c30501b8b36f12a7ee273669b89cc0f174a1de
                        • Opcode Fuzzy Hash: 5cc804b13d9f15facfbd1a2480bc7e8d5afca2af419c92d547c7e0e23f50daaa
                        • Instruction Fuzzy Hash: A0D012341543884EEA02F778FD41B95B75D9780704F405336810D0B3A9DF69B85A43B7
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 3048f9db7976e91562d82b82ae0e43e0ade586368d53114338b389b8f9f8d469
                        • Instruction ID: 4792f801cb8769f8e4fc0d16d173cca2b8dd4747ecc72c14af21ea9a7f602661
                        • Opcode Fuzzy Hash: 3048f9db7976e91562d82b82ae0e43e0ade586368d53114338b389b8f9f8d469
                        • Instruction Fuzzy Hash: 78C01220004788CAD70637E4E8A87AC3B10B78130EF602095E103882E49E684885C62A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 55578e5584331e222cdbe45bd762f17d32f2bab3000766d0bbd1504bcc13ad53
                        • Instruction ID: 9ffdef41dc0f14ce941fd79b842a362f4794d1c0ff0d473f02397a392fe8bbed
                        • Opcode Fuzzy Hash: 55578e5584331e222cdbe45bd762f17d32f2bab3000766d0bbd1504bcc13ad53
                        • Instruction Fuzzy Hash: 46C08C200043C8CBD30637F4E8AC7BC3F10BB8230EF202490E143882E4EE684884C23A
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f17e2892a1b21336e65fb5f017091247db30d7b05614d7fabace503a0339ce0f
                        • Instruction ID: 8886429ec59eea9e3f3d97060beef1f7a07bd132a4fc4bd827a583db3ade5dc4
                        • Opcode Fuzzy Hash: f17e2892a1b21336e65fb5f017091247db30d7b05614d7fabace503a0339ce0f
                        • Instruction Fuzzy Hash: A4C048392602088F8244EAA9E588C12B7A8BF58A00351409AE5058BB22CB21F820DA61
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.4128435210.0000000002530000.00000040.00000800.00020000.00000000.sdmp, Offset: 02530000, based on PE: false
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_2530000_1736977840835b9184f01bf0b6c60ce50d66e7897e18892b3f9e56b6303ef4929b2a1c.jbxd
                        Similarity
                        • API ID:
                        • String ID: \VNm
                        • API String ID: 0-2505523818
                        • Opcode ID: 92b92d01cc1d51bdd5c16a31e2246962c0701e2fefe7ffd398c7d0731685af45
                        • Instruction ID: ab8576857488f762f2596bb9344de60775dd32082d5138b4f947f4c4a4f98c23
                        • Opcode Fuzzy Hash: 92b92d01cc1d51bdd5c16a31e2246962c0701e2fefe7ffd398c7d0731685af45
                        • Instruction Fuzzy Hash: 63915CB0E00209AFDF11CFA9C98479EBBF6BF88314F14952DE405E7254EB749845CB89