Windows Analysis Report
250427-yfs7ca1my6.bin.exe

Overview

General Information

Sample name: 250427-yfs7ca1my6.bin.exe
Analysis ID: 1675615
MD5: 618432b575574e0a4c43eb072fdad14c
SHA1: 5e6b5c7dcc1ca567348facc468906e7c35a7ffd6
SHA256: 605eaaf66354b3d579e6d4c4abf886b6da88c1982b3ae096bb27cec15b959e05
Tags: user-UNP4CK

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Joe Sandbox ML detected suspicious sample
Protects its processes via BreakOnTermination flag
Sample uses string decryption to hide its real strings
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • 250427-yfs7ca1my6.bin.exe (PID: 8188 cmdline: "C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe" MD5: 618432B575574E0A4C43EB072FDAD14C)
    • cmd.exe (PID: 940 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7972 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 8084 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF95D.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7904 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • AntiVirus.exe (PID: 1488 cmdline: "C:\Users\user\AppData\Roaming\AntiVirus.exe" MD5: 618432B575574E0A4C43EB072FDAD14C)
  • AntiVirus.exe (PID: 7568 cmdline: C:\Users\user\AppData\Roaming\AntiVirus.exe MD5: 618432B575574E0A4C43EB072FDAD14C)
  • cleanup
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool; however, it can also be used maliciously because it provides functionality such as a keylogger, remote desktop control, and many other functions that may cause harm to the victim's computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kits and other techniques. AsyncRAT as delivered by MintsLoader includes a PowerShell module with a DGA. The DGA is similar to MintsLoader's DGA, but generates more domains and uses more than one TLD.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
No configs have been found
Source | Rule | Description | Author | Strings

Source: 250427-yfs7ca1my6.bin.exe
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
    • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xb638:$a2: Stub.exe
    • 0xb6c8:$a2: Stub.exe
    • 0x6ec3:$a3: get_ActivatePong
    • 0xa4a7:$a4: vmware
    • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0x7c95:$a6: get_SslClient
  Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
    • 0x6ec3:$str01: get_ActivatePong
    • 0x7c95:$str02: get_SslClient
    • 0x7cb1:$str03: get_TcpClient
    • 0x656c:$str04: get_SendSync
    • 0x6625:$str05: get_IsConnected
    • 0x6c97:$str06: set_UseShellExecute
    • 0xa5c5:$str07: Pastebin
    • 0xa647:$str08: Select * from AntivirusProduct
    • 0xb638:$str09: Stub.exe
    • 0xb6c8:$str09: Stub.exe
    • 0xa39f:$str10: timeout 3 > NUL
    • 0xa28f:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
    • 0xa31f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
    • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings

Source: C:\Users\user\AppData\Roaming\AntiVirus.exe
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
    • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xb638:$a2: Stub.exe
    • 0xb6c8:$a2: Stub.exe
    • 0x6ec3:$a3: get_ActivatePong
    • 0xa4a7:$a4: vmware
    • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0x7c95:$a6: get_SslClient
  Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
    • 0x6ec3:$str01: get_ActivatePong
    • 0x7c95:$str02: get_SslClient
    • 0x7cb1:$str03: get_TcpClient
    • 0x656c:$str04: get_SendSync
    • 0x6625:$str05: get_IsConnected
    • 0x6c97:$str06: set_UseShellExecute
    • 0xa5c5:$str07: Pastebin
    • 0xa647:$str08: Select * from AntivirusProduct
    • 0xb638:$str09: Stub.exe
    • 0xb6c8:$str09: Stub.exe
    • 0xa39f:$str10: timeout 3 > NUL
    • 0xa28f:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
    • 0xa31f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
    • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings

Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
    • 0xa08f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xc238:$a2: Stub.exe
    • 0xc2c8:$a2: Stub.exe
    • 0x6cc3:$a3: get_ActivatePong
    • 0xa2a7:$a4: vmware
    • 0xa11f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0x7a95:$a6: get_SslClient
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
    • 0xa121:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
    • 0x1c416:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Source | Rule | Description | Author | Strings

Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
  Rule: Windows_Trojan_Asyncrat_11a11ba1 | Description: unknown | Author: unknown
    • 0xa28f:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn "
    • 0xb638:$a2: Stub.exe
    • 0xb6c8:$a2: Stub.exe
    • 0x6ec3:$a3: get_ActivatePong
    • 0xa4a7:$a4: vmware
    • 0xa31f:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
    • 0x7c95:$a6: get_SslClient
  Rule: rat_win_asyncrat | Description: Detect AsyncRAT based on specific strings | Author: Sekoia.io
    • 0x6ec3:$str01: get_ActivatePong
    • 0x7c95:$str02: get_SslClient
    • 0x7cb1:$str03: get_TcpClient
    • 0x656c:$str04: get_SendSync
    • 0x6625:$str05: get_IsConnected
    • 0x6c97:$str06: set_UseShellExecute
    • 0xa5c5:$str07: Pastebin
    • 0xa647:$str08: Select * from AntivirusProduct
    • 0xb638:$str09: Stub.exe
    • 0xb6c8:$str09: Stub.exe
    • 0xa39f:$str10: timeout 3 > NUL
    • 0xa28f:$str11: /c schtasks /create /f /sc onlogon /rl highest /tn
    • 0xa31f:$str12: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
  Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Description: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
    • 0xa321:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack
  Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security

System Summary

Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe", ParentImage: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe, ParentProcessId: 8188, ParentProcessName: 250427-yfs7ca1my6.bin.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit, ProcessId: 940, ProcessName: cmd.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 940, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' , ProcessId: 7972, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: 250427-yfs7ca1my6.bin.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | ReversingLabs: Detection: 83%
Source: 250427-yfs7ca1my6.bin.exe | Virustotal: Detection: 72%
Source: 250427-yfs7ca1my6.bin.exe | ReversingLabs: Detection: 83%
Source: Submitted Sample | Neural Call Log Analysis: 97.7%
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: 23501,2410,8700
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: Alex3143-23501.portmap.io
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: 0.5.8
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: true
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: tbqoxBC1WYZB
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: 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
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: pIZWs6DP4k4sHJMZpl0Qqj8EFKQI+jVkZrpfECiu+rH7quQFO3BVhYuU7wjuXaXqg6KXrXyJ6biadHo1TNHRENM5MWhlfNMiM977Bm56GZttRD8jw+1KS/bO0gyT03B/mFgbyDK3v1zclOMMswisv7hlQXCkAZwznWlLJVTY9FVHAI3cTRKskPNQTLRF39hXRPTMTjHehxDkp+874x6e1n/gs1EeT5EfbY4u03HqDwrUTF/yHGeqnVsUMPPkSEWP6UmUftfVfxqUeEyQB92cIY9v2IlOPgORAKUIBc2hZyOamwGk7gejcui/0bW/dXMyn1mW3pbdnQepkAAFX2ET5S07m2NeFogE8+GSD3Hrz8c9YlHZVvj/1BQaLkD6ZcXJgZWhVIN5vO1b4hrOWrveq3B4bpKpXzQEBw5M2MP+IWywUj2vTKILUjEeLRFUh2xMtXY/e3r5bPOg/4JO1O7/80dAThUfgKPLj2g91YivbZxf6LqaDz0ZWH+Ry0CaAwlCmO8sCnpCwrOfYmGnd8YWFdl0Rs5q+cIDXPYz7B9fRMmC97QSYH9AwCY9wJuQKl5AmuoZbLRfuNUTg9tiHB7TnvkE9h97tShQDg+Uksx3QDoC74Zx/ot9sugVmay9swNo1KcJrNHx1s5z22gyarytrjd8lpT0sCvGlVv4FA40TFs=
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: null
Source: 250427-yfs7ca1my6.bin.exe | String decryptor: Default
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: 23501,2410,8700
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: Alex3143-23501.portmap.io
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: 0.5.8
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: true
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: tbqoxBC1WYZB
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: 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
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: 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
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: true
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: null
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: true
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack | String decryptor: Default
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: unknown | DNS traffic detected: query: Alex3143-23501.portmap.io replaycode: Name error (3)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: Alex3143-23501.portmap.io
Source: 250427-yfs7ca1my6.bin.exe, 00000000.00000002.1297211381.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, AntiVirus.exe, 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AntiVirus.exe PID: 1488, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED

Operating System Destruction

Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Process information set: 01 00 00 00

System Summary

Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: AntiVirus.exe PID: 1488, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: Detect AsyncRAT based on specific strings Author: Sekoia.io
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Code function: 0_2_00CB4088
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Code function: 0_2_00CB4958
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Code function: 0_2_00CB5B20
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Code function: 0_2_00CB3D40
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Code function: 12_2_00C04088
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Code function: 12_2_00C04958
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Code function: 12_2_00C05B20
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Code function: 12_2_00C03D40
Source: 250427-yfs7ca1my6.bin.exe, 00000000.00000002.1306310769.0000000004CE4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 250427-yfs7ca1my6.bin.exe
Source: 250427-yfs7ca1my6.bin.exe, 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs 250427-yfs7ca1my6.bin.exe
Source: 250427-yfs7ca1my6.bin.exe, 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameStub.exe" vs 250427-yfs7ca1my6.bin.exe
Source: 250427-yfs7ca1my6.bin.exe | Binary or memory string: OriginalFilenameStub.exe" vs 250427-yfs7ca1my6.bin.exe
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: AntiVirus.exe PID: 1488, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: rat_win_asyncrat author = Sekoia.io, description = Detect AsyncRAT based on specific strings, creation_date = 2023-01-25, classification = TLP:CLEAR, version = 1.0, id = d698e4a1-77ff-4cd7-acb3-27fb16168ceb
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 250427-yfs7ca1my6.bin.exe, AntiVirus.exe.0.dr and 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, file gPUHtAYKRkPVh.cs | Base64 encoded strings (identical in all three sources; the list is truncated in the report, and each of the three complete strings is 88 Base64 characters, i.e. 64 bytes): '//IW+SJkVi7g0g/q+5TADjFADWJ0txhm/C2GN2XJYN/fH49wVKNtRfR4oItNqsPkvwTwl1pdAF3LYKtpeZPrGA==', 'py3Ucp/VtMmzcb0BtBdkau62G5CK8hp431UkXU9B+Hgo0I7HH0f37CtigBWxR8fBne6E61Vki+9QKN4Uj+uj0g==', 'ntbnLsvlfwdIkEzZrIXQVICn/2sNoKRrEa8110QF3L/4Ack2/RA4nVPEgjw1BLioUKGh0smew37pQy3FdjpR8w==', …, 'LazTWHtJhMA7CpCYClTXAaSFQsRAbyG4ipGRcYP5xX0l/N7BCzHGxUoFltop4sqZmuRkd3HFzBc83Alk11bd2AH9+fl2aCpQNePpSF2cXny9rN27gi2+mDKWyK1u5D3tgyRPC9dhLVlZBBuZuaXkS8FIhIb/Li9GpASqcMw0B9FFJnTpvqCyf5d9uEq4cXxcolxl+6eqSezvJJvHMuzM+gfXjiYdImD0Ociwpx9nBCuI3A5bf2T5K+LQkhAHDC8F+l6T7zWdiqOTNxGahwbTGpyD5r5J+n8p8bJTtK71gN5nUAMbGUwwdWTnwr4nKjNr3r2NYGYcPDjoqObo3/HWIlKmkihRE+izTwKy7Ezb81JpP8qVJ+F
Source: 250427-yfs7ca1my6.bin.exe, 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack and AntiVirus.exe.0.dr, file zgmNfXZXAQv.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(), System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole). This pair is the standard .NET way to test whether the current token belongs to a built-in role such as Administrator; the report does not show which role is checked.
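The ditekSHen rule above is described only as detecting "reversed ASEP Autorun registry keys". The following is an added example, not part of this report and not the rule itself: it reimplements that idea as a scanner, checking each autorun key backwards, both as ASCII and as UTF-16LE (the encoding the CLR uses for string literals in the #US heap), so that a .NET sample which stores the key reversed and flips it at runtime is still caught. The key list is an assumption, and the sample buffer is constructed for the demo.

```python
"""Find reversed ASEP (autorun) registry key strings in a binary or memory dump.

Added example; not part of the sandbox report and not the ditekSHen rule it
cites. Keys are searched reversed, in ASCII and UTF-16LE, case-insensitively.
The key list is an assumption and the sample buffer is constructed.
"""
import re

ASEP_KEYS = (  # assumed set of common autorun locations, not taken from the report
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders",
    r"Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run",
    r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
ENCODINGS = ("ascii", "utf-16-le")


def _patterns():
    """Compile one case-insensitive byte pattern per (key, encoding), reversed."""
    pats = []
    for key in ASEP_KEYS:
        rev = key[::-1]
        for enc in ENCODINGS:
            pats.append((key, enc, re.compile(re.escape(rev.encode(enc)), re.IGNORECASE)))
    return pats


def find_reversed_asep(data):
    """Return [(key, encoding, offset)] for every reversed key found in data.

    When one hit lies inside a longer one (the reversed Run key is a suffix of
    the reversed RunOnce key), only the longer hit is reported."""
    raw = []
    for key, enc, rx in _patterns():
        for m in rx.finditer(data):
            raw.append((m.start(), m.end(), key, enc))
    hits = []
    for s, e, key, enc in raw:
        nested = any(a <= s and e <= b and (b - a) > (e - s) for a, b, _, _ in raw)
        if not nested:
            hits.append((key, enc, s))
    return sorted(hits, key=lambda h: h[2])


def build_sample_buffer():
    """Constructed test input: a reversed Run key as UTF-16LE (as a .NET string
    literal would appear), a reversed RunOnce key as ASCII, and a forward Run
    key that must not be reported."""
    run = r"Software\Microsoft\Windows\CurrentVersion\Run"
    run_once = r"Software\Microsoft\Windows\CurrentVersion\RunOnce"
    return (b"\x00" * 16
            + run[::-1].encode("utf-16-le") + b"\x00" * 8
            + run_once[::-1].encode("ascii") + b"\x00" * 8
            + run.encode("utf-16-le"))


if __name__ == "__main__":
    for key, enc, off in find_reversed_asep(build_sample_buffer()):
        print(f"0x{off:06x}  {enc:9s}  {key}")
```

Run it against the dropped file or the .sdmp dumps listed above instead of the constructed buffer to reproduce the rule's verdict; a forward-only string scan (strings, FLOSS defaults) will not show these keys.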
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/5@22/0
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File created: C:\Users\user\AppData\Roaming\AntiVirus.exe
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Mutant created: \Sessions\1\BaseNamedObjects\tbqoxBC1WYZB
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_03
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF95D.tmp (the batch file executed via cmd.exe /c in the process tree below)
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: Section .text: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 250427-yfs7ca1my6.bin.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policy lookup; Windows performs this itself when a process starts another, so it is low signal on its own)
Source: 250427-yfs7ca1my6.bin.exe | Virustotal: Detection: 72%
Source: 250427-yfs7ca1my6.bin.exe | ReversingLabs: Detection: 83%
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File read: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe (the sample reads its own image; the dropped AntiVirus.exe.0.dr carries the same Yara, Base64-string and method-name matches as the sample, so the drop is a copy of it)
Process tree (the report repeats five of these rows in a second signature block; they are listed once here):
Source: unknown | Process created: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe "C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe"
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF95D.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\AntiVirus.exe "C:\Users\user\AppData\Roaming\AntiVirus.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\AntiVirus.exe C:\Users\user\AppData\Roaming\AntiVirus.exe
The sandbox does not say which cmd.exe instance spawned timeout.exe and the first AntiVirus.exe; the sequence is consistent with the first cmd.exe registering the task and the batch file waiting 3 s before launching the dropped copy. The second AntiVirus.exe has no attributed parent in the report.
Sections loaded by C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe: mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, wbemcomn.dll, amsi.dll, userenv.dll, uxtheme.dll, propsys.dll, edputil.dll, urlmon.dll, iertutil.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll
Sections loaded by C:\Windows\SysWOW64\cmd.exe: cmdext.dll, apphelp.dll
Sections loaded by C:\Windows\SysWOW64\timeout.exe: version.dll
Sections loaded by C:\Windows\SysWOW64\schtasks.exe: kernel.appcore.dll, taskschd.dll, sspicli.dll, xmllite.dll
Sections loaded by C:\Users\user\AppData\Roaming\AntiVirus.exe (first listing): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll, wbemcomn.dll, amsi.dll, userenv.dll, uxtheme.dll, mswsock.dll, dnsapi.dll, iphlpapi.dll, rasadhlp.dll
Sections loaded by C:\Users\user\AppData\Roaming\AntiVirus.exe (second listing, restarting at mscoree.dll, matching the two AntiVirus.exe processes in the tree): mscoree.dll, kernel.appcore.dll, version.dll, vcruntime140_clr0400.dll, ucrtbase_clr0400.dll (twice), windows.storage.dll, wldp.dll, profapi.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, sspicli.dll, msasn1.dll
Of these, wbemcomn.dll is the WMI client library (the WMI queries noted in the signature list), and mswsock.dll, dnsapi.dll, iphlpapi.dll and rasadhlp.dll are the Winsock and DNS helper libraries, loaded only by the first AntiVirus.exe, i.e. the instance that went on to the network.
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (the CLR header; this is a managed executable)
Source: 250427-yfs7ca1my6.bin.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: 250427-yfs7ca1my6.bin.exe, AntiVirus.exe.0.dr and 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, file IhlZcjEPoLlU.cs | High entropy of concatenated method names (identical in all three sources): 'VmFmWkFQPPwAJ', 'nOKiOeYKaZHsAZG', 'WgQMRCOpQGxQPtB', 'hNMUDfIEcBjVZBK', 'pUOzQpyfZjnBaX', 'RlbkOhRYKFtLpf', 'onORxKzPpjdv', 'TqnXRhpkqaAQ', 'qVreUAauxUa', 'jZlQOGrsDbMhublb'
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File created (dropped PE): C:\Users\user\AppData\Roaming\AntiVirus.exe

              Boot Survival

Yara match | File sources: 250427-yfs7ca1my6.bin.exe (SAMPLE); 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack and 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack (UNPACKEDPE); 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp and 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp (MEMORY); Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188 and Process Memory Space: AntiVirus.exe PID: 1488 (MEMORYSTR); C:\Users\user\AppData\Roaming\AntiVirus.exe (DROPPED)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"'
The task is named after a security product, runs the dropped copy from %APPDATA% at every logon, and asks for the highest run level; creating a task with /rl highest succeeds only from an elevated context, which is consistent with the WindowsPrincipal.IsInRole check listed earlier. To confirm on a host, export the task (schtasks /query /tn AntiVirus /xml) and compare the action path and RunLevel against this row.
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\AppData\Roaming\AntiVirus.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

Source: Yara match | File source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AntiVirus.exe PID: 1488, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED
Source: 250427-yfs7ca1my6.bin.exe, AntiVirus.exe.0.dr | Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Memory allocated: CB0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Memory allocated: 2860000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Memory allocated: 2770000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: C00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: 28B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: 29F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: 2CC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Memory allocated: 4CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Window / User API: threadDelayed 861
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe TID: 7260 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe TID: 704 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | File Volume queried: C:\ FullSizeInformation
Source: AntiVirus.exe.0.dr | Binary or memory string: vmware
Source: AntiVirus.exe, 0000000C.00000002.2504784889.0000000004CF0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process information queried: ProcessInformation

              Anti Debugging

Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Code function: 0_2_00CB2D4C CheckRemoteDebuggerPresent,0_2_00CB2D4C
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF95D.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\AntiVirus.exe "C:\Users\user\AppData\Roaming\AntiVirus.exe"
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Queries volume information: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe VolumeInformation
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Queries volume information: C:\Users\user\AppData\Roaming\AntiVirus.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\AntiVirus.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match | File source: 250427-yfs7ca1my6.bin.exe, type: SAMPLE
Source: Yara match | File source: 0.0.250427-yfs7ca1my6.bin.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.250427-yfs7ca1my6.bin.exe.29c1d38.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 250427-yfs7ca1my6.bin.exe PID: 8188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AntiVirus.exe PID: 1488, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\AntiVirus.exe, type: DROPPED
MITRE ATT&CK matrix (techniques grouped by tactic; a number preceding a technique is the count the report shows for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: 1 Windows Management Instrumentation; 2 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: 2 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: 11 Process Injection; 2 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts
Defense Evasion: 1 Masquerading; 1 Disable or Modify Tools; 51 Virtualization/Sandbox Evasion; 11 Process Injection; 11 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: 321 Security Software Discovery; 1 Process Discovery; 51 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 23 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: 1 Encrypted Channel; 1 Non-Application Layer Protocol; 1 Application Layer Protocol; Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1675615 | Sample: 250427-yfs7ca1my6.bin.exe | Start date: 27/04/2025 | Architecture: WINDOWS | Score: 100
Contacted domain: Alex3143-23501.portmap.io
Signatures on the sample: Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 6 other signatures
Process tree:
  250427-yfs7ca1my6.bin.exe (started)
    dropped: C:\Users\user\AppData\Roaming\AntiVirus.exe (PE32); C:\Users\...\250427-yfs7ca1my6.bin.exe.log (ASCII)
    signatures: Protects its processes via BreakOnTermination flag; Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
    cmd.exe (started)
      AntiVirus.exe (started)
        signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Protects its processes via BreakOnTermination flag
      conhost.exe (started)
      timeout.exe (started)
    cmd.exe (started)
      signatures: Uses schtasks.exe or at.exe to add and modify task schedules
      conhost.exe (started)
      schtasks.exe (started)
  AntiVirus.exe (started)

Source | Detection | Scanner | Label
250427-yfs7ca1my6.bin.exe | 72% | Virustotal |
250427-yfs7ca1my6.bin.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat
250427-yfs7ca1my6.bin.exe | 100% | Avira | TR/Dropper.Gen
SAMPLE | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\AntiVirus.exe | 100% | Avira | TR/Dropper.Gen
C:\Users\user\AppData\Roaming\AntiVirus.exe | 83% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRat

No Antivirus matches


Name | IP | Active | Malicious | Antivirus Detection | Reputation
Alex3143-23501.portmap.io | unknown | unknown | true | | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 250427-yfs7ca1my6.bin.exe, 00000000.00000002.1297211381.00000000029BD000.00000004.00000800.00020000.00000000.sdmp, AntiVirus.exe, 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp | false | | high

No contacted IP infos
                  Joe Sandbox version:42.0.0 Malachite
                  Analysis ID:1675615
                  Start date and time:2025-04-27 21:49:24 +02:00
                  Joe Sandbox product:CloudBasic
                  Overall analysis duration:0h 4m 31s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                  Number of analysed new started processes analysed:18
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample name:250427-yfs7ca1my6.bin.exe
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@15/5@22/0
                  EGA Information:
                  • Successful, ratio: 66.7%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 29
                  • Number of non-executed functions: 1
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded IPs from analysis (whitelisted): 184.29.183.29, 4.245.163.56
                  • Excluded domains from analysis (whitelisted): c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                  • Execution Graph export aborted for target AntiVirus.exe, PID 7568 because it is empty
• Not all processes were analyzed; report is missing behavior information
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  • Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
21:50:21 | Task Scheduler | Run new task: AntiVirus path: "C:\Users\user\AppData\Roaming\AntiVirus.exe"
                  No context
                  Process:C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):739
                  Entropy (8bit):5.348505694476449
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaWzAbDLI4MNldKZat92n4M6:ML9E4KlKDE4KhKiKhBsXE4qdK284j
                  MD5:A65F13C4355387C4645D260206AE915F
                  SHA1:F8857636BB3B50E634E96E7B0ECE6AD77656BA5F
                  SHA-256:DB8CA2E253F03395ABECD812505666B3BD5CE699B798E3F624D22EE605FB290E
                  SHA-512:0584E8911FD08CC0BB833C6373AE5D161D00CF40FB4533B5DD0D31F38CF1783BB25E34084995A2D116AFB01ABAD14005D62EE51A1D9B79E262EF28775B878AB6
                  Malicious:true
                  Reputation:moderate, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Management\96012833bebd5f21714fc508603cda97\System.Management.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
                  Process:C:\Users\user\AppData\Roaming\AntiVirus.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):425
                  Entropy (8bit):5.353683843266035
                  Encrypted:false
                  SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
                  MD5:859802284B12C59DDBB85B0AC64C08F0
                  SHA1:4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
                  SHA-256:FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
                  SHA-512:8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..
                  Process:C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe
                  File Type:DOS batch file, ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):155
                  Entropy (8bit):5.0616051699443485
                  Encrypted:false
                  SSDEEP:3:mKDDCMNqTtvL5oUkh4EaKC5SMjMACIvmqRDUkh4E2J5xAInTRIJha1ZPy:hWKqTtT69aZ5/jMABvmq1923fTpk
                  MD5:EBDAB7A41AECC4A4AE94E7687BF49131
                  SHA1:A2D11DEA970BC495767DD22D3587B1399C0AE633
                  SHA-256:F17D0B50873615709359621F3402478DB66C08F332123492C670A33027E5F4B8
                  SHA-512:D07C85D5779D540404A670C8FA3C4FDBCA974F09349104D1FD4FFF80C7186FC09E8D59B4F48E4F608A7C04A71AFA77F5970B67CDB2D8E0BB2FB2DCEA17602319
                  Malicious:false
                  Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\AntiVirus.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpF95D.tmp.bat" /f /q..
                  Process:C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe
                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Category:dropped
                  Size (bytes):48640
                  Entropy (8bit):5.562278871196844
                  Encrypted:false
                  SSDEEP:768:Ium8n1TQwtPtWUNt1nmo2qzV2mTuOmlJxGPIwxgv3E0bXdv7Fm7UgRBDZox:Ium81TQq72FOmlzvwGv3nbXdjg/dox
                  MD5:618432B575574E0A4C43EB072FDAD14C
                  SHA1:5E6B5C7DCC1CA567348FACC468906E7C35A7FFD6
                  SHA-256:605EAAF66354B3D579E6D4C4ABF886B6DA88C1982B3AE096BB27CEC15B959E05
                  SHA-512:6D46F2B9842D9E86D2B69F9437E3887D15D38F6D595059ACA8BD86346624AA6BDB00EF80139A557BD53D0752411C50376C9145D73E885E30DF7FA9192874DAA1
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: Joe Security
                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: unknown
                  • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: Sekoia.io
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: ditekSHen
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 83%
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....-e............................~.... ........@.. ....................... ............@.................................(...S.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................`.......H........Y..4v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vrz%.p~....(o....#...*.s...
                  Process:C:\Windows\SysWOW64\timeout.exe
                  File Type:ASCII text, with CRLF line terminators, with overstriking
                  Category:dropped
                  Size (bytes):60
                  Entropy (8bit):4.41440934524794
                  Encrypted:false
                  SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                  MD5:3DD7DD37C304E70A7316FE43B69F421F
                  SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                  SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                  SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                  Malicious:false
                  Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):5.562278871196844
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  • DOS Executable Generic (2002/1) 0.01%
                  File name:250427-yfs7ca1my6.bin.exe
                  File size:48'640 bytes
                  MD5:618432b575574e0a4c43eb072fdad14c
                  SHA1:5e6b5c7dcc1ca567348facc468906e7c35a7ffd6
                  SHA256:605eaaf66354b3d579e6d4c4abf886b6da88c1982b3ae096bb27cec15b959e05
                  SHA512:6d46f2b9842d9e86d2b69f9437e3887d15d38f6d595059aca8bd86346624aa6bdb00ef80139a557bd53d0752411c50376c9145d73e885e30df7fa9192874daa1
                  SSDEEP:768:Ium8n1TQwtPtWUNt1nmo2qzV2mTuOmlJxGPIwxgv3E0bXdv7Fm7UgRBDZox:Ium81TQq72FOmlzvwGv3nbXdjg/dox
                  TLSH:A1232C003BE9C13BF2BE5F78A8F22245857AF6637A02D5491CD441D75623BC29A426FE
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....-e............................~.... ........@.. ....................... ............@................................
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x40d07e
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x652DADE5 [Mon Oct 16 21:40:53 2023 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                  Instruction
                  jmp dword ptr [00402000h]
                  add byte ptr [eax], al
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xd028 | 0x53 | .text
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x7ff | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0xb084 | 0xb200 | b05ccc3748ccb986b1e025a1a63894a9 | False | 0.5425517907303371 | data | 5.6197754357145495 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0xe000 | 0x7ff | 0x800 | 0f68ce4dd77ed0bb9c1e6b31f6995d94 | False | 0.41748046875 | data | 4.88506844918463 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  .reloc | 0x10000 | 0xc | 0x200 | 4cabfef58a4e8716ddd98e1c6e729d0d | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                  RT_VERSION | 0xe0a0 | 0x2cc | data | | | 0.43575418994413406
                  RT_MANIFEST | 0xe36c | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.43381725021349277
                  DLL | Import
                  mscoree.dll | _CorExeMain
                  Description | Data
                  Translation | 0x0000 0x04b0
                  Comments |
                  CompanyName |
                  FileDescription |
                  FileVersion | 1.0.0.0
                  InternalName | Stub.exe
                  LegalCopyright |
                  LegalTrademarks |
                  OriginalFilename | Stub.exe
                  ProductName |
                  ProductVersion | 1.0.0.0
                  Assembly Version | 1.0.0.0


                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Apr 27, 2025 21:50:26.498182058 CEST | 49363 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:26.682944059 CEST | 53 | 49363 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:31.701700926 CEST | 56687 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:31.915025949 CEST | 53 | 56687 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:36.920412064 CEST | 50849 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:37.077639103 CEST | 53 | 50849 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:42.092394114 CEST | 54204 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:42.234819889 CEST | 53 | 54204 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:47.248467922 CEST | 63346 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:47.399053097 CEST | 53 | 63346 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:52.439734936 CEST | 65409 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:52.589397907 CEST | 53 | 65409 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:50:57.593291998 CEST | 57992 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:50:57.776076078 CEST | 53 | 57992 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:02.779861927 CEST | 62405 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:02.920922041 CEST | 53 | 62405 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:07.936240911 CEST | 51290 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:08.076731920 CEST | 53 | 51290 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:13.092545033 CEST | 61046 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:13.270643950 CEST | 53 | 61046 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:18.292428017 CEST | 50182 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:18.462033987 CEST | 53 | 50182 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:23.498712063 CEST | 55062 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:23.666800976 CEST | 53 | 55062 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:28.670778990 CEST | 62560 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:28.845813036 CEST | 53 | 62560 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:33.858114958 CEST | 63035 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:34.038547993 CEST | 53 | 63035 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:39.046180964 CEST | 55525 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:39.232065916 CEST | 53 | 55525 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:44.248634100 CEST | 57859 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:44.407032013 CEST | 53 | 57859 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:49.421730995 CEST | 61127 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:49.564543962 CEST | 53 | 61127 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:54.577936888 CEST | 59560 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:54.725156069 CEST | 53 | 59560 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:51:59.733138084 CEST | 53362 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:51:59.908301115 CEST | 53 | 53362 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:52:04.922336102 CEST | 55288 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:52:05.077188015 CEST | 53 | 55288 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:52:10.093205929 CEST | 64754 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:52:10.275656939 CEST | 53 | 64754 | 1.1.1.1 | 192.168.2.5
                  Apr 27, 2025 21:52:15.452011108 CEST | 62235 | 53 | 192.168.2.5 | 1.1.1.1
                  Apr 27, 2025 21:52:15.594821930 CEST | 53 | 62235 | 1.1.1.1 | 192.168.2.5
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Apr 27, 2025 21:50:26.498182058 CEST | 192.168.2.5 | 1.1.1.1 | 0x21d3 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:31.701700926 CEST | 192.168.2.5 | 1.1.1.1 | 0x344 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:36.920412064 CEST | 192.168.2.5 | 1.1.1.1 | 0xcb7 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:42.092394114 CEST | 192.168.2.5 | 1.1.1.1 | 0xfb65 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:47.248467922 CEST | 192.168.2.5 | 1.1.1.1 | 0x8f26 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:52.439734936 CEST | 192.168.2.5 | 1.1.1.1 | 0xdf06 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:57.593291998 CEST | 192.168.2.5 | 1.1.1.1 | 0x8252 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:02.779861927 CEST | 192.168.2.5 | 1.1.1.1 | 0x38b0 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:07.936240911 CEST | 192.168.2.5 | 1.1.1.1 | 0x1291 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:13.092545033 CEST | 192.168.2.5 | 1.1.1.1 | 0x593a | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:18.292428017 CEST | 192.168.2.5 | 1.1.1.1 | 0xfc3b | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:23.498712063 CEST | 192.168.2.5 | 1.1.1.1 | 0xbcfc | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:28.670778990 CEST | 192.168.2.5 | 1.1.1.1 | 0x797e | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:33.858114958 CEST | 192.168.2.5 | 1.1.1.1 | 0xf500 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:39.046180964 CEST | 192.168.2.5 | 1.1.1.1 | 0x1b6b | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:44.248634100 CEST | 192.168.2.5 | 1.1.1.1 | 0xfe69 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:49.421730995 CEST | 192.168.2.5 | 1.1.1.1 | 0x684a | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:54.577936888 CEST | 192.168.2.5 | 1.1.1.1 | 0x577e | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:59.733138084 CEST | 192.168.2.5 | 1.1.1.1 | 0x17fb | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:04.922336102 CEST | 192.168.2.5 | 1.1.1.1 | 0x1917 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:10.093205929 CEST | 192.168.2.5 | 1.1.1.1 | 0xd08 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:15.452011108 CEST | 192.168.2.5 | 1.1.1.1 | 0x50b8 | Standard query (0) | Alex3143-23501.portmap.io | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Apr 27, 2025 21:50:26.682944059 CEST | 1.1.1.1 | 192.168.2.5 | 0x21d3 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:31.915025949 CEST | 1.1.1.1 | 192.168.2.5 | 0x344 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:37.077639103 CEST | 1.1.1.1 | 192.168.2.5 | 0xcb7 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:42.234819889 CEST | 1.1.1.1 | 192.168.2.5 | 0xfb65 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:47.399053097 CEST | 1.1.1.1 | 192.168.2.5 | 0x8f26 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:52.589397907 CEST | 1.1.1.1 | 192.168.2.5 | 0xdf06 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:50:57.776076078 CEST | 1.1.1.1 | 192.168.2.5 | 0x8252 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:02.920922041 CEST | 1.1.1.1 | 192.168.2.5 | 0x38b0 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:08.076731920 CEST | 1.1.1.1 | 192.168.2.5 | 0x1291 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:13.270643950 CEST | 1.1.1.1 | 192.168.2.5 | 0x593a | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:18.462033987 CEST | 1.1.1.1 | 192.168.2.5 | 0xfc3b | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:23.666800976 CEST | 1.1.1.1 | 192.168.2.5 | 0xbcfc | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:28.845813036 CEST | 1.1.1.1 | 192.168.2.5 | 0x797e | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:34.038547993 CEST | 1.1.1.1 | 192.168.2.5 | 0xf500 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:39.232065916 CEST | 1.1.1.1 | 192.168.2.5 | 0x1b6b | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:44.407032013 CEST | 1.1.1.1 | 192.168.2.5 | 0xfe69 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:49.564543962 CEST | 1.1.1.1 | 192.168.2.5 | 0x684a | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:54.725156069 CEST | 1.1.1.1 | 192.168.2.5 | 0x577e | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:51:59.908301115 CEST | 1.1.1.1 | 192.168.2.5 | 0x17fb | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:05.077188015 CEST | 1.1.1.1 | 192.168.2.5 | 0x1917 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:10.275656939 CEST | 1.1.1.1 | 192.168.2.5 | 0xd08 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Apr 27, 2025 21:52:15.594821930 CEST | 1.1.1.1 | 192.168.2.5 | 0x50b8 | Name error (3) | Alex3143-23501.portmap.io | none | none | A (IP address) | IN (0x0001) | false
                  Target ID:0
                  Start time:15:50:13
                  Start date:27/04/2025
                  Path:C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\Desktop\250427-yfs7ca1my6.bin.exe"
                  Imagebase:0x480000
                  File size:48'640 bytes
                  MD5 hash:618432B575574E0A4C43EB072FDAD14C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1250333388.0000000000482000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.1297211381.0000000002861000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000002.1297211381.00000000029C1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low
                  Has exited:true

                  Target ID:6
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"' & exit
                  Imagebase:0x220000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:7
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7e2000000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:8
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpF95D.tmp.bat""
                  Imagebase:0x220000
                  File size:236'544 bytes
                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:9
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff7e2000000
                  File size:862'208 bytes
                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:10
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\SysWOW64\timeout.exe
                  Wow64 process (32bit):true
                  Commandline:timeout 3
                  Imagebase:0x7c0000
                  File size:25'088 bytes
                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:11
                  Start time:15:50:18
                  Start date:27/04/2025
                  Path:C:\Windows\SysWOW64\schtasks.exe
                  Wow64 process (32bit):true
                  Commandline:schtasks /create /f /sc onlogon /rl highest /tn "AntiVirus" /tr '"C:\Users\user\AppData\Roaming\AntiVirus.exe"'
                  Imagebase:0xe40000
                  File size:187'904 bytes
                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high
                  Has exited:true

                  Target ID:12
                  Start time:15:50:21
                  Start date:27/04/2025
                  Path:C:\Users\user\AppData\Roaming\AntiVirus.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Roaming\AntiVirus.exe"
                  Imagebase:0x3d0000
                  File size:48'640 bytes
                  MD5 hash:618432B575574E0A4C43EB072FDAD14C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000C.00000002.2502581438.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: Joe Security
                  • Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: unknown
                  • Rule: rat_win_asyncrat, Description: Detect AsyncRAT based on specific strings, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: Sekoia.io
                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\AntiVirus.exe, Author: ditekSHen
                  Antivirus matches:
                  • Detection: 100%, Avira
                  • Detection: 83%, ReversingLabs
                  Reputation:low
                  Has exited:false

                  Execution Graph

                  Execution Coverage:14.6%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:16.7%
                  Total number of Nodes:18
                  Total number of Limit Nodes:0
                  [Execution graph, 18 nodes: from cb09a8 the flow passes through cb15b8 and cb15d1 into cb5258 and cb5204, both of which reach cb2d4c (CheckRemoteDebuggerPresent) and return via cb528a to cb15db and cb0a27; a separate chain runs cb6a20 -> cb6a63 (RtlSetProcessIsCritical) -> cb6a94.]

                  Executed Functions

                  Control-flow Graph

                  [Control-flow graph for cb2d4c-cb5380: the block cb2d4c-cb533c calls CheckRemoteDebuggerPresent, then branches to cb533e-cb5344 or cb5345-cb5380.]
                  APIs
                  • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00CB532F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID: CheckDebuggerPresentRemote
                  • String ID:
                  • API String ID: 3662101638-0
                  • Opcode ID: 10ac692a9e7eac7d8e4b06ea7733d6f1281e0cd61161039a05ec56924b8a9dfe
                  • Instruction ID: 8af67a4d3aac6e38122e02495293f9d2d6e68785226058f2496eb514a056a60b
                  • Opcode Fuzzy Hash: 10ac692a9e7eac7d8e4b06ea7733d6f1281e0cd61161039a05ec56924b8a9dfe
                  • Instruction Fuzzy Hash: 042166B18012598FCB10CF9AC484BEEBBF4AF48310F14842AE818A7351D778A944CFA0

                  Control-flow Graph

                  [Control-flow graph for cb5b20-cb5f2e: calls cb5928, cb06dc, cb4f38 and cb01c0; a multi-way branch at cb5c4f fans out to sixteen blocks that all rejoin at cb5ead-cb5eb4.]
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4eb9b2cb9abd8ff3810ea2fb51b1389c6cf35da4dda0319049325cbc4a166c44
                  • Instruction ID: 49ea1f74cefc25b6ecfabf66170428ad745a7543a87543b3d0ac704d295db51d
                  • Opcode Fuzzy Hash: 4eb9b2cb9abd8ff3810ea2fb51b1389c6cf35da4dda0319049325cbc4a166c44
                  • Instruction Fuzzy Hash: 1CB1C834B002548BDB19AB75985437E7BB3AFC9710F14852DE406EB394DE38DD069BA2

                  Control-flow Graph

                  [Control-flow graph for cb4088-cb4408: four short self-looping blocks (cb4119-cb4128, cb4181-cb4190, cb4228-cb4237, cb428e-cb429d) followed by a chain of short conditional blocks with three calls to cb0418.]
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a910391f9cb497acacba29729d01e0a99d84882713ad67b588442a077aaf342
                  • Instruction ID: 08e85a36097164ebe8b4a1c1b90fc1f9638cf91ca6798315a7057e2d6bb8d460
                  • Opcode Fuzzy Hash: 4a910391f9cb497acacba29729d01e0a99d84882713ad67b588442a077aaf342
                  • Instruction Fuzzy Hash: 67B14C70E04209CFDF18CFA9D8857EEBBF2AF88304F148129E825A7255EB749945DF91

                  Control-flow Graph

                  control_flow_graph 404 cb4958-cb49be 406 cb4a08-cb4a0a 404->406 407 cb49c0-cb49cb 404->407 409 cb4a0c-cb4a25 406->409 407->406 408 cb49cd-cb49d9 407->408 410 cb49db-cb49e5 408->410 411 cb49fc-cb4a06 408->411 416 cb4a71-cb4a73 409->416 417 cb4a27-cb4a33 409->417 412 cb49e9-cb49f8 410->412 413 cb49e7 410->413 411->409 412->412 415 cb49fa 412->415 413->412 415->411 418 cb4a75-cb4a8d 416->418 417->416 419 cb4a35-cb4a41 417->419 425 cb4a8f-cb4a9a 418->425 426 cb4ad7-cb4ad9 418->426 420 cb4a43-cb4a4d 419->420 421 cb4a64-cb4a6f 419->421 423 cb4a4f 420->423 424 cb4a51-cb4a60 420->424 421->418 423->424 424->424 427 cb4a62 424->427 425->426 428 cb4a9c-cb4aa8 425->428 429 cb4adb-cb4af3 426->429 427->421 430 cb4acb-cb4ad5 428->430 431 cb4aaa-cb4ab4 428->431 436 cb4b3d-cb4b3f 429->436 437 cb4af5-cb4b00 429->437 430->429 432 cb4ab8-cb4ac7 431->432 433 cb4ab6 431->433 432->432 435 cb4ac9 432->435 433->432 435->430 438 cb4b41-cb4bb4 436->438 437->436 439 cb4b02-cb4b0e 437->439 448 cb4bba-cb4bc8 438->448 440 cb4b31-cb4b3b 439->440 441 cb4b10-cb4b1a 439->441 440->438 442 cb4b1e-cb4b2d 441->442 443 cb4b1c 441->443 442->442 445 cb4b2f 442->445 443->442 445->440 449 cb4bca-cb4bd0 448->449 450 cb4bd1-cb4c31 448->450 449->450 457 cb4c33-cb4c37 450->457 458 cb4c41-cb4c45 450->458 457->458 459 cb4c39 457->459 460 cb4c47-cb4c4b 458->460 461 cb4c55-cb4c59 458->461 459->458 460->461 462 cb4c4d 460->462 463 cb4c5b-cb4c5f 461->463 464 cb4c69-cb4c6d 461->464 462->461 463->464 465 cb4c61 463->465 466 cb4c6f-cb4c73 464->466 467 cb4c7d-cb4c81 464->467 465->464 466->467 468 cb4c75 466->468 469 cb4c83-cb4c87 467->469 470 cb4c91-cb4c95 467->470 468->467 469->470 471 cb4c89-cb4c8c call cb0418 469->471 472 cb4c97-cb4c9b 470->472 473 cb4ca5 470->473 471->470 472->473 474 cb4c9d-cb4ca0 call cb0418 472->474 477 cb4ca6 473->477 474->473 477->477
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1aab1b03dd2b818acc962ddae352d58a389559eb76b323dd007b917d6cdc4d60
                  • Instruction ID: e00bd78a27cb6df36586d7836e0d5fa4561ab9930bb762aaa21384d8aa3fe690
                  • Opcode Fuzzy Hash: 1aab1b03dd2b818acc962ddae352d58a389559eb76b323dd007b917d6cdc4d60
                  • Instruction Fuzzy Hash: 8AB18E70E042098FDF18CFA9D8857EDBBF2AF88714F148129E825A7295EB349945DF81

                  Control-flow Graph

                  control_flow_graph 7 cb52b0-cb533c CheckRemoteDebuggerPresent 9 cb533e-cb5344 7->9 10 cb5345-cb5380 7->10 9->10
                  APIs
                  • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00CB532F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID: CheckDebuggerPresentRemote
                  • String ID:
                  • API String ID: 3662101638-0
                  • Opcode ID: 6975f16b409271653a900b2e3e712922c7ec5fc1650b930a1c955d6021594f26
                  • Instruction ID: 26f29793d8b0d54998284d19e5624a12c90aeec5d3079a5bad3ebc1129ed5214
                  • Opcode Fuzzy Hash: 6975f16b409271653a900b2e3e712922c7ec5fc1650b930a1c955d6021594f26
                  • Instruction Fuzzy Hash: A22178B29012598FCB10CFAAD484BEEBBF4AF48310F14846EE854A7350D7789A44CF60

                  Control-flow Graph

                  control_flow_graph 13 cb6a19-cb6a5b 14 cb6a63-cb6a92 RtlSetProcessIsCritical 13->14 15 cb6a99-cb6ab2 14->15 16 cb6a94 14->16 16->15
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00CB6A85
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: d5585da15d296d0d2606e4bfedbefb084e4d9de52712a2a561ea767c4154d523
                  • Instruction ID: 34f3df936696d7007c5eb31258bb25d6c201de366130ea1f3ff58ac26d565302
                  • Opcode Fuzzy Hash: d5585da15d296d0d2606e4bfedbefb084e4d9de52712a2a561ea767c4154d523
                  • Instruction Fuzzy Hash: F21125B59002498FDB20CF9AC484BDEBFF4EF48314F24811AD919A7251C338A945CFA1

                  Control-flow Graph

                  control_flow_graph 18 cb6a20-cb6a92 RtlSetProcessIsCritical 20 cb6a99-cb6ab2 18->20 21 cb6a94 18->21 21->20
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00CB6A85
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: 1d236d32252bf4d402c74f3561fa77a39095bffaa44e9a45167a117073733da1
                  • Instruction ID: 4b77ff474bef3cae2cb7332414c112abc26c18c4c15b282a161aae46f62ca443
                  • Opcode Fuzzy Hash: 1d236d32252bf4d402c74f3561fa77a39095bffaa44e9a45167a117073733da1
                  • Instruction Fuzzy Hash: 0911F2B59002498FDB20DF9AC584ADEBFF4EB48310F248419D619A7251C779A944CFA5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296476872.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c5d000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6d738aa2c6a679403902ed81c9e3dc898a18c07be534e3ae92d0643301f72650
                  • Instruction ID: 5752b5f58317a7ab9aa31ca909e234572885a10972f04ea23d72f6383be2a3dc
                  • Opcode Fuzzy Hash: 6d738aa2c6a679403902ed81c9e3dc898a18c07be534e3ae92d0643301f72650
                  • Instruction Fuzzy Hash: 492148B5500300DFDB25DF14D9C0B26BF65FB94325F60C169ED0A0B256C336D88ACBA2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296476872.0000000000C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C5D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_c5d000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
                  • Instruction ID: d03eb37f7fb0abd691b57b0cf6442889af2a7035f2c432a4e01c224d24a0e2b2
                  • Opcode Fuzzy Hash: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
                  • Instruction Fuzzy Hash: 3411AFB6504240CFDB16CF14D5C4B16BF61FB94324F2485A9DD0A4B256C33AD95ACBA2

                  Non-executed Functions

                  Memory Dump Source
                  • Source File: 00000000.00000002.1296718677.0000000000CB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00CB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_cb0000_250427-yfs7ca1my6.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 02fde94828a7cb6b62c0aa9318d3c93155d81510d7229af301e6ef72e7dbad73
                  • Instruction ID: afb6cc859df70f0b387d94115d2ac43543ef2dbf3433ba8377401445812e970c
                  • Opcode Fuzzy Hash: 02fde94828a7cb6b62c0aa9318d3c93155d81510d7229af301e6ef72e7dbad73
                  • Instruction Fuzzy Hash: AB918070E00249CFDF14CFA9D9857EEBBF2AF88304F248529E415A7294EB749A45CF91

                  Execution Graph

                  Execution Coverage:12.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:18
                  Total number of Limit Nodes:0
                  execution_graph 4704 c069c8 4705 c06a0b RtlSetProcessIsCritical 4704->4705 4706 c06a3c 4705->4706 4707 c009a8 4708 c009ca 4707->4708 4709 c00a27 4708->4709 4711 c015b8 4708->4711 4712 c015d1 4711->4712 4713 c015db 4712->4713 4716 c05248 4712->4716 4720 c05258 4712->4720 4713->4709 4717 c05277 4716->4717 4724 c02d4c 4717->4724 4721 c05277 4720->4721 4722 c02d4c CheckRemoteDebuggerPresent 4721->4722 4723 c0528a 4722->4723 4723->4713 4725 c052b8 CheckRemoteDebuggerPresent 4724->4725 4727 c0528a 4725->4727 4727->4713

                  Executed Functions

                  Control-flow Graph

                  control_flow_graph 134 c02d4c-c0533c CheckRemoteDebuggerPresent 137 c05345-c05380 134->137 138 c0533e-c05344 134->138 138->137
                  APIs
                  • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00C0532F
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2502239502.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_c00000_AntiVirus.jbxd
                  Similarity
                  • API ID: CheckDebuggerPresentRemote
                  • String ID:
                  • API String ID: 3662101638-0
                  • Opcode ID: 89e079c6ca8219d6639cdeb4b3674dd4f1c143c19c453df1640ff6d76a3360bb
                  • Instruction ID: f967678032e722eaca0d288d91143b9425c6831a7c846eb9ee308271734344a0
                  • Opcode Fuzzy Hash: 89e079c6ca8219d6639cdeb4b3674dd4f1c143c19c453df1640ff6d76a3360bb
                  • Instruction Fuzzy Hash: 7F2136B1801659CFCB10CF9AD484BEEBBF4EF49310F14846AE959A7251D778A944CFA0

                  Control-flow Graph

                  control_flow_graph 141 c052b0-c0533c CheckRemoteDebuggerPresent 143 c05345-c05380 141->143 144 c0533e-c05344 141->144 144->143
                  APIs
                  • CheckRemoteDebuggerPresent.KERNELBASE(00000000,?), ref: 00C0532F
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2502239502.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_c00000_AntiVirus.jbxd
                  Similarity
                  • API ID: CheckDebuggerPresentRemote
                  • String ID:
                  • API String ID: 3662101638-0
                  • Opcode ID: 89572119edc3f27929dba405d38632f18557b9465dffe1005e41775bf078794b
                  • Instruction ID: 1eaf11a34feeff1eb76c4ffa150834222355c2c2741092e091102f7baa15b550
                  • Opcode Fuzzy Hash: 89572119edc3f27929dba405d38632f18557b9465dffe1005e41775bf078794b
                  • Instruction Fuzzy Hash: 382166B6801659CFDB10CFA9D484BEEFBF4AF48310F14846AE458A3250D778AA44CF60

                  Control-flow Graph

                  control_flow_graph 147 c069c0-c06a03 149 c06a0b-c06a3a RtlSetProcessIsCritical 147->149 150 c06a41-c06a5a 149->150 151 c06a3c 149->151 151->150
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00C06A2D
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2502239502.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_c00000_AntiVirus.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: 3535c5e2c8a308c491cf25ad173a164f4d7a6cdf5e2410c31fc5c366861efd4b
                  • Instruction ID: 3c4f2b1d0427aa84f28dc9be2467ff2a306bb438e44153c31dc559c22be3bb75
                  • Opcode Fuzzy Hash: 3535c5e2c8a308c491cf25ad173a164f4d7a6cdf5e2410c31fc5c366861efd4b
                  • Instruction Fuzzy Hash: B71113B5900649DFDB20DF9AC985BDEBFF4EB88310F108019D669A7250C774A944CFA1

                  Control-flow Graph

                  control_flow_graph 153 c069c8-c06a3a RtlSetProcessIsCritical 155 c06a41-c06a5a 153->155 156 c06a3c 153->156 156->155
                  APIs
                  • RtlSetProcessIsCritical.NTDLL(?,?,?), ref: 00C06A2D
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2502239502.0000000000C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C00000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_c00000_AntiVirus.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: 26b982a0bf33f7026f69ad238a0aec845edcbcfa10bb45bf27083acaf7cb78b4
                  • Instruction ID: c49a5909768868492133801f196b99875df72e5c20aec83c57402e1538603b20
                  • Opcode Fuzzy Hash: 26b982a0bf33f7026f69ad238a0aec845edcbcfa10bb45bf27083acaf7cb78b4
                  • Instruction Fuzzy Hash: 221103B5900649CFDB20DF9AD985BDEBFF4EF88310F108019D618A7251C774A944CFA5
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2501673324.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_8ed000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4ab5b54ed9d53e817f411d462894f71bf1096e1a06780f980d8ed5d638d2299f
                  • Instruction ID: 6290e8f82e7a81f86c8b02d56d97d59d3d6ddcf97ee1fab8560005a23df3fd5b
                  • Opcode Fuzzy Hash: 4ab5b54ed9d53e817f411d462894f71bf1096e1a06780f980d8ed5d638d2299f
                  • Instruction Fuzzy Hash: 64210475504384EFDB05DF15D9C0B26FB65FB85314F24C56DE8098B296C33AD80ACAA1
                  Memory Dump Source
                  • Source File: 0000000C.00000002.2501673324.00000000008ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 008ED000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_8ed000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 635a0055f575a6eb21eb872a3a1e87cb2ee35c6e4d8a8db28d5e9f1465cd98cb
                  • Instruction ID: c1c002b48d87f73a0728778efdffd7854e0db74a9c91afbb95fdd5eac57db130
                  • Opcode Fuzzy Hash: 635a0055f575a6eb21eb872a3a1e87cb2ee35c6e4d8a8db28d5e9f1465cd98cb
                  • Instruction Fuzzy Hash: 1E119D79504380DFDB06CF14D9C4B15FBB2FB85314F24C6A9D8498B656C33AD84ACBA1

                  Executed Functions

                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a14002a769daa9dd00a68fc43238e4f4e24480f2a694c8ee7856eaae74294f10
                  • Instruction ID: 4d74609003806cce3c7e3076e42bd8b470a7875e725aa029463cf4dbfb806861
                  • Opcode Fuzzy Hash: a14002a769daa9dd00a68fc43238e4f4e24480f2a694c8ee7856eaae74294f10
                  • Instruction Fuzzy Hash: E9515030B101149FCB55DF79C458AAEBBF6EF88700F2581A9E905EB3A5CA71DC02CB91
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2a11d7e88f9d2e96bd852758684b5badf871541c536f3a1f3cf60e6ce101916d
                  • Instruction ID: 1bd3e2c1fb2c4d0e08b2e57c3df9c6b85a87043e3a8cc4370348c347f55b764f
                  • Opcode Fuzzy Hash: 2a11d7e88f9d2e96bd852758684b5badf871541c536f3a1f3cf60e6ce101916d
                  • Instruction Fuzzy Hash: 1151DF31B042548FCB55DF7CC494AAEBBF6AF89304F1484A9E505EB3A2CB359C06CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 96ca7c3f10e1df2bfebe8a9b66bc9d491e87b8e6013919de3c5e9b36d1e23638
                  • Instruction ID: ab40171447a3912b0b6e7acc31443b061a02533be3a8675d53e2eab2d2cf90a4
                  • Opcode Fuzzy Hash: 96ca7c3f10e1df2bfebe8a9b66bc9d491e87b8e6013919de3c5e9b36d1e23638
                  • Instruction Fuzzy Hash: B851C338665281CFC707FB34F488A697B66FB84306790CA6DD402CB25ADB799D46CF90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 4a7a6de492dd7c569231ed28c66f470666aa7129dc54e8e9b3ca5b16463776c0
                  • Instruction ID: 67a35932701fae85ecde1e74e661fdd5da76b037a64f74924244295fb8d0f3dc
                  • Opcode Fuzzy Hash: 4a7a6de492dd7c569231ed28c66f470666aa7129dc54e8e9b3ca5b16463776c0
                  • Instruction Fuzzy Hash: 9441A270F00219AFCB84DBB984546AEFBF6EFC8300F20C569D48AD7345DA349902CBA1
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ec7891d273ad95e31569b54128a2313f5e926c1394b755f7a7b96bfe3c2ed8ac
                  • Instruction ID: b7f7d34361d728b940fd44688b9bf9bf4f4bf2323f54242882b4baaf460b26bd
                  • Opcode Fuzzy Hash: ec7891d273ad95e31569b54128a2313f5e926c1394b755f7a7b96bfe3c2ed8ac
                  • Instruction Fuzzy Hash: 83318434F002168FCB85DB798455A6EBBF6AFC9200B144069E549EB3A1DE75DD01CBA0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 821ed0fc576ed4e5afb4d1b93572d16bc0d38f2fdee8dbf93a5aa05ea1ac8400
                  • Instruction ID: 52a93d9a7ba049feafe2b7ec0001b36b8984fd56d7e3a85111da6629bba7e18f
                  • Opcode Fuzzy Hash: 821ed0fc576ed4e5afb4d1b93572d16bc0d38f2fdee8dbf93a5aa05ea1ac8400
                  • Instruction Fuzzy Hash: D731AF35A002048FDB55DF68C498BAEBBF6BF88300F148569E505EB3A2DB75AD05CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381630834.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_295d000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 942925a7bf7f1f3fa7955baf2a49127c2cf7a887be9e9ad3fbc08138d522fff1
                  • Instruction ID: 61bc86109cd75143bed92989b0a9816af4806a7a4519aa50fe69d59e8c3ae0ba
                  • Opcode Fuzzy Hash: 942925a7bf7f1f3fa7955baf2a49127c2cf7a887be9e9ad3fbc08138d522fff1
                  • Instruction Fuzzy Hash: C0210771604240DFDB15DF14D9C0B26BF69FB88328F24C569ED0A4B25AC336D456CBB2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 767aa7ee297af5163c956aad2c0e6a51cd5304d848a8aa45a7c5c13fb90cef53
                  • Instruction ID: 3d511b3a55fa3f4a7af5ae4dbe9bd65e5b633bfb6e3c8614097f64d6f62b3504
                  • Opcode Fuzzy Hash: 767aa7ee297af5163c956aad2c0e6a51cd5304d848a8aa45a7c5c13fb90cef53
                  • Instruction Fuzzy Hash: AD216A30B583428FDBE4AB74A85C73E7BECAF00205741882DDA47D214AEB24C950CB61
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 458494a844fb4c5ab4b3b673f49827cd44fa9103faf1ea807f982920bb44dd1d
                  • Instruction ID: a32b5d57d1c516cbcf8a034b6ae484cfad6f5c4810c042ad04130328d0d5ad65
                  • Opcode Fuzzy Hash: 458494a844fb4c5ab4b3b673f49827cd44fa9103faf1ea807f982920bb44dd1d
                  • Instruction Fuzzy Hash: B5213E30A583038FDBE4BB75A91C73E7AACAB00205740882DDA07D214AEF24C950CBA2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c2395688ef08971bd43f7e9796f11b725d2b533fe0529eb7f2f9b6e6e4f43540
                  • Instruction ID: 72676b12996f7f3ab77b56d3daaa661ffdb4de421bacd3867c6a3700b1edc02f
                  • Opcode Fuzzy Hash: c2395688ef08971bd43f7e9796f11b725d2b533fe0529eb7f2f9b6e6e4f43540
                  • Instruction Fuzzy Hash: 1E11AC30A00251DFCB85EBB8D814AAA7BF6AFC921471448BAD409DB351EB34CC42CBD0
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381630834.000000000295D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0295D000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_295d000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
                  • Instruction ID: 2639f6539a6fc77e035a7fba38fbb00b7a6bcf67f5b3c54610c79be3c2aee62d
                  • Opcode Fuzzy Hash: e68199e4efcf8fe5faf796e1eb00fdac1bd40fbc6b1f5683208f03f6d852d321
                  • Instruction Fuzzy Hash: 2711D376504240CFDB16CF14D5C4B16BF71FB84324F24C5A9DD094B25AC33AD45ACBA2
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 011768997a23a4af547817e717358305780e04b3665dac76ba7cc0b64912b9ab
                  • Instruction ID: 16e96f922aab1eb56cd8ff5724b3826bd5cba56396fe115442683faf289fafa7
                  • Opcode Fuzzy Hash: 011768997a23a4af547817e717358305780e04b3665dac76ba7cc0b64912b9ab
                  • Instruction Fuzzy Hash: 82116D74B00205DFCB94EFB9D404A6ABBFAAFC8215720487AD50EDB315EA35DC52CB90
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 5576007eb902aa69d2cf08cb4b2409ae9932a392450e4d29302416189e1dfcae
                  • Instruction ID: c3998ebb1a1b292bacf6694a7bce322d39a6bac5aeeb9c3c4503544e1b0fe098
                  • Opcode Fuzzy Hash: 5576007eb902aa69d2cf08cb4b2409ae9932a392450e4d29302416189e1dfcae
                  • Instruction Fuzzy Hash: DD01D1207082A14FC756973C54A44AE7FE79FCA25432908EAD189CB3A3DD288C078795
                  Memory Dump Source
                  • Source File: 0000000D.00000002.1381819711.00000000029F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_13_2_29f0000_AntiVirus.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 231d4334da7edd224d2daa89d4b6da2617b250eb7886fafd8ab6698b9df2bae2
                  • Instruction ID: 9efd8d225c191908fe18ddac718c06c8c7012587f86ddc9ae237676fad2ebb51
                  • Opcode Fuzzy Hash: 231d4334da7edd224d2daa89d4b6da2617b250eb7886fafd8ab6698b9df2bae2
                  • Instruction Fuzzy Hash: 74E012367042105F8744967EE88885BB7EBEFCD6753654879F109D7321DD75DC0147A0