Edit tour

Windows Analysis Report
G53ADrk4YR.exe

Overview

General Information

Sample name:	G53ADrk4YR.exe renamed because original name is a hash value
Original sample name:	e4fdff5a89f062dfad43059a9fbe8d80.exe
Analysis ID:	1538230
MD5:	e4fdff5a89f062dfad43059a9fbe8d80
SHA1:	3f6615b2421fab68e19f87cf834621cb330c730f
SHA256:	e61d52a9c9e88e95650fcee8c8aca19da6dc97a78703be06cf0b8d08e0aeb012
Tags:	AsyncRATexeRATuser-abuse_ch
Infos:

Detection

AsyncRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected AsyncRAT

.NET source code contains potential unpacker

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

G53ADrk4YR.exe (PID: 5932 cmdline: "C:\Users\user\Desktop\G53ADrk4YR.exe" MD5: E4FDFF5A89F062DFAD43059A9FBE8D80)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://axmahr.github.io/posts/asyncrat-detection/ https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: AsyncRAT

{"External_config_on_Pastebin": "null", "Server": "82.9.14.4", "Ports": "4646", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "YlI4UnRocUdNejc0T0tMOUhRdTZYTjg2VEZ6NkdUbXM=", "Install_File": "9szcpXIQxGWxvmQS8p44gtl5LdbDWmPDbhg+2XdmCeFwoZYQ6hKy9UoJQeeL1WdkBZN6SITykc/uKqIRqt72GFPyOiY3TLQYsVr71wluteQ=", "AES_key": "bR8RthqGMz74OKL9HQu6XN86TFz6GTms", "Mutex": "FYdxVQLEq97jMehFcwgJqzqlnDAUlmInYoDx/hk1bdzQGqlav3RjsfsaczHWtIhDvKfVFTtuOwizbFILqa02AzqMKqKoEoB78eBuBk+eUgsaEpUKRvuIygTgf9L/RuHaXdmSx4kMwAZjj6DNIPDQ/XixQTpWWstM1UMKneI9BDFvobFTSrD+/Nsirb3vb+W45MiLzB85w7At/f6STUpY3P5jUga06nH4vVLL7474pDUCyqJ49dsJabJKfV8B+Yevfc98C/VqIJcVGKy4pRQmRUwzKOkoA/TSTQTvnm5rtPumdfnfQ1t7Qm9UzmW4VsALzFI1G1pLql6hJ9RJ6WEJdXvV081TClJFnvxQlIpZLyaqBhUvC/gEPyO3tEXGyBO4Hou8gewSQ2/MH7KQpRKVOu0pNbl468EL4VNQvyUkG/yOXCR6c/5YdQrkPnc7n/JR8HehEaRt7Z8tGgkq+5XEcoejiMIXjNRlMg8/Qluc5Lkc71mJKU4wXZMbtAQMM5rxcS2x5KLNO6ZrwRoOXqg71qopkK7kQQWZ0zMsI/0sJbEBh67bYFMLrwHhAWP5edT8Io223ZQzjeEfIh/G1zW+jm3yd+RYq9Hn85eHCbXednD0wjR/ewYmDRftYZMnj+VtD504PAF2E4bExlQaxt7tazGYF3hph2qFASwnLMyc0sE=", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
G53ADrk4YR.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
G53ADrk4YR.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
G53ADrk4YR.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd114:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98a8:$a3: get_ActivatePong 0xd32c:$a4: vmware 0xd1a4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa8aa:$a6: get_SslClient
G53ADrk4YR.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd1a6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x324:$x1: AsyncRAT 0x362:$x1: AsyncRAT

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xcf14:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10238:$a2: Stub.exe 0x102c8:$a2: Stub.exe 0x96a8:$a3: get_ActivatePong 0xd12c:$a4: vmware 0xcfa4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa6aa:$a6: get_SslClient
00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xcfa6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xf0b3:$x1: AsyncRAT 0xf0f1:$x1: AsyncRAT 0x285f3:$x1: AsyncRAT 0x28631:$x1: AsyncRAT 0x2cbc3:$x1: AsyncRAT 0x2cc01:$x1: AsyncRAT 0x2f3d7:$x1: AsyncRAT 0x2f415:$x1: AsyncRAT 0x541b1:$s8: Win32_ComputerSystem
00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2b7f3:$x1: AsyncRAT 0x2b831:$x1: AsyncRAT
Process Memory Space: G53ADrk4YR.exe PID: 5932	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: G53ADrk4YR.exe PID: 5932	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x2657d:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: G53ADrk4YR.exe PID: 5932	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1b369:$x1: AsyncRAT 0x1b39b:$x1: AsyncRAT 0x1b3b5:$x1: AsyncRAT 0x2ec2b:$x1: AsyncRAT 0x2ec5d:$x1: AsyncRAT 0x26643:$s6: VirtualBox 0x265f6:$s8: Win32_ComputerSystem 0x33fd3:$s8: Win32_ComputerSystem 0x3406f:$s8: Win32_ComputerSystem
Click to see the 4 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.G53ADrk4YR.exe.ae0000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0.0.G53ADrk4YR.exe.ae0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
0.0.G53ADrk4YR.exe.ae0000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd114:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10038:$a2: Stub.exe 0x100c8:$a2: Stub.exe 0x98a8:$a3: get_ActivatePong 0xd32c:$a4: vmware 0xd1a4:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xa8aa:$a6: get_SslClient
0.0.G53ADrk4YR.exe.ae0000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd1a6:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Suricata Signatures

ET MALWARE Generic AsyncRAT Style SSL Cert

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T20:57:07.658717+0200	2035595	1	Domain Observed Used for C2 Detected	82.9.14.4	4646	192.168.2.4	49730	TCP

ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T20:57:07.658717+0200	2035607	1	Domain Observed Used for C2 Detected	82.9.14.4	4646	192.168.2.4	49730	TCP

ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T20:57:07.658717+0200	2842478	1	Malware Command and Control Activity Detected	82.9.14.4	4646	192.168.2.4	49730	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: G53ADrk4YR.exe

Avira: detected

Found malware configuration

Source: G53ADrk4YR.exe

Malware Configuration Extractor: AsyncRAT {"External_config_on_Pastebin": "null", "Server": "82.9.14.4", "Ports": "4646", "Version": "| Edit by Vinom Rat", "Autorun": "false", "Install_Folder": "YlI4UnRocUdNejc0T0tMOUhRdTZYTjg2VEZ6NkdUbXM=", "Install_File": "9szcpXIQxGWxvmQS8p44gtl5LdbDWmPDbhg+2XdmCeFwoZYQ6hKy9UoJQeeL1WdkBZN6SITykc/uKqIRqt72GFPyOiY3TLQYsVr71wluteQ=", "AES_key": "bR8RthqGMz74OKL9HQu6XN86TFz6GTms", "Mutex": "FYdxVQLEq97jMehFcwgJqzqlnDAUlmInYoDx/hk1bdzQGqlav3RjsfsaczHWtIhDvKfVFTtuOwizbFILqa02AzqMKqKoEoB78eBuBk+eUgsaEpUKRvuIygTgf9L/RuHaXdmSx4kMwAZjj6DNIPDQ/XixQTpWWstM1UMKneI9BDFvobFTSrD+/Nsirb3vb+W45MiLzB85w7At/f6STUpY3P5jUga06nH4vVLL7474pDUCyqJ49dsJabJKfV8B+Yevfc98C/VqIJcVGKy4pRQmRUwzKOkoA/TSTQTvnm5rtPumdfnfQ1t7Qm9UzmW4VsALzFI1G1pLql6hJ9RJ6WEJdXvV081TClJFnvxQlIpZLyaqBhUvC/gEPyO3tEXGyBO4Hou8gewSQ2/MH7KQpRKVOu0pNbl468EL4VNQvyUkG/yOXCR6c/5YdQrkPnc7n/JR8HehEaRt7Z8tGgkq+5XEcoejiMIXjNRlMg8/Qluc5Lkc71mJKU4wXZMbtAQMM5rxcS2x5KLNO6ZrwRoOXqg71qopkK7kQQWZ0zMsI/0sJbEBh67bYFMLrwHhAWP5edT8Io223ZQzjeEfIh/G1zW+jm3yd+RYq9Hn85eHCbXednD0wjR/ewYmDRftYZMnj+VtD504PAF2E4bExlQaxt7tazGYF3hph2qFASwnLMyc0sE=", "Certificate": "false", "ServerSignature": "false", "BDOS": "false", "Startup_Delay": "3", "Group": "null"}

Multi AV Scanner detection for submitted file

Source: G53ADrk4YR.exe

ReversingLabs: Detection: 76%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: G53ADrk4YR.exe

Joe Sandbox ML: detected

Source: G53ADrk4YR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: G53ADrk4YR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2842478 - Severity 1 - ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s) : 82.9.14.4:4646 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2030673 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 82.9.14.4:4646 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2035595 - Severity 1 - ET MALWARE Generic AsyncRAT Style SSL Cert : 82.9.14.4:4646 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2035607 - Severity 1 - ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server) : 82.9.14.4:4646 -> 192.168.2.4:49730

Yara detected Generic Downloader

Source: Yara match	File source: G53ADrk4YR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 82.9.14.4:4646

Source: Joe Sandbox View

IP Address: 82.9.14.4 82.9.14.4

Source: Joe Sandbox View

ASN Name: NTLGB NTLGB

Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4
Source: unknown	TCP traffic detected without corresponding DNS query: 82.9.14.4

Source: 77EC63BDA74BD0D0E0426DC8F80085060.0.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: G53ADrk4YR.exe, 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: G53ADrk4YR.exe, 00000000.00000002.4131354920.0000000001137000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enr
Source: G53ADrk4YR.exe, 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: G53ADrk4YR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR

System Summary

Malicious sample detected (through community Yara rule)

Source: G53ADrk4YR.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: G53ADrk4YR.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Code function: 0_2_02DBD2F0	0_2_02DBD2F0
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Code function: 0_2_02DB7040	0_2_02DB7040
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Code function: 0_2_02DB7910	0_2_02DB7910
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Code function: 0_2_02DB7E10	0_2_02DB7E10
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Code function: 0_2_02DB6CF8	0_2_02DB6CF8

Source: G53ADrk4YR.exe, 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameStub.exe" vs G53ADrk4YR.exe
Source: G53ADrk4YR.exe	Binary or memory string: OriginalFilenameStub.exe" vs G53ADrk4YR.exe

Source: G53ADrk4YR.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: G53ADrk4YR.exe, type: SAMPLE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: G53ADrk4YR.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: G53ADrk4YR.exe, lXnGtZidHgLo.cs

Base64 encoded string: 'GuRiM19iuqX1GtKSJ1ZF0/gPiPO9KOIMJU2Bh8UJREzFg0V86wvpuzNmNEuzVtkYMQfny+9iIIYHAK7iU1T3eA==', 'ldhr5vkC5wOU0G2UQlhjj4QAohFV4O8oM/DuEBwVQ6DdKK0lALgkzIqClzaGwvRjiic3xyaz1fKzjG36Wdukjw==', 'jurFDIrciJ2xEW7O9kTZb+9k7sFa5fhegyem9AwA9NwPnk+XKM23PusIn8diBRRCcO6FGGUusyw8CAyhVEa5Kxd9P/BmkBb/H4NlYbAdN2I=', 'QOs8RAAfkhJvefchDddr6I4j4MfBDrAg4UVMjYEPiGTptVjy9rccA5ZDaex5Tn/q5ZJeNRG4+/CGvKOMyR0WsQ==', 'pcd+NKUDDqVeXFuw6O4EV0RVchx7U/kNr2mi2wPJZp/eGrJBq3s4HAlUqy82pgGeNZmaJYO4etBIhDIGdi1GQQ==', 'lRjhlWBTFdpdC0v5+I6DYKmhx5jCmRpqRt9DViMNNCVFNVpcw2hi++IuYbtaATcfRDBWreywnvceOkqHpju1Ow=='

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk

Source: G53ADrk4YR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: G53ADrk4YR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: G53ADrk4YR.exe

ReversingLabs: Detection: 76%

Source: G53ADrk4YR.exe

String found in binary or memory: YfFk15d95gzW3KZUz/tbQfzWm7YNhj4kERBL6vfjH6NlWUa5m0JsbneyuLm1UZ+UDL3JgsGNkMcvRnFWP8b593FEZYQMYAfVrfU97CDqLOXun/Bs5ttrbAAhuul/Kiwa4rcZZdAtzUW2fLoj2C/OLJDIJmwbmpcdaHnGEe6HiPFuS6fD84oElytTTuFBwXhaaa9Qu9wdcHcwyT+dtikMmLheB9rgR72DotD0mJgy0RiPAY1xpMQl1Padj6Vz8t8gZ2VCico+sy0s6UsRZCbu7avanGLNWIdPjob8Q/yce3L9+i1Rhq25T/hybg2I7zKmynLePYExVcwQJ2vUysRSIyGU2UoAq4rBOV44vwdYBbDKt2gZg2N8dXSHVF4ctFMw8LUr/YKEdMaDQaRAHyZFRtZF11xjSkyhdQXwlx5UbZJhPKLOqaPELK9+9dKxF8C5nOtqIcgT4oBJa8KSN5ycypxLDNe9RMm/HJ2cIQoKLtn/LOkalw128JEUiuxC+fus+UihX2T8SkozbZN0lSrIQaai427vzHiipO2/uh6hRI36sCNhypu8Y2fWqOw0jpooPAbfuMWcQesPG4HQkSu1ceAi1BTpYqwYfrBXN5VezYpRE0/m3oq0/o1vXB/N2jvBrKgwrgezaRdzwF+whz7RY6K1zm1HKkpZxkcI2zHtmdO3PGsf0PSbSTB31OmYn7gJW51m+UUQErFDmjryMfXepHe7YRnPy0P0AbNu5srLVGbnrPEE6+e/ByxeLPICxTc+3KvIjUSzz0cAcwBZV4kqjxc1Zlwbd845aSDhDrceJgMR0R4qQJig1RgZhr/9tX+ijXnJdcWY9SCHb7JZvDEaLLnMKAHVCapLOTKZHdvT5VgcroBhdrlCJrN/rbLsdBi0dAA/wlaP3z0QVcbsFAep2WsaOR3bZx0cXAB4fqB4u6R+4lzvIGyLNihckhxwd6vOh5VLobkkIwvCnyzqdZ3rZbSkGTOwI+u6Xgn05FgOvrNG3bFWJo2szQLjI5QHST2LS2LhFyhtHr8rm507SkkWjPu5eFsKh7EPoRzr7+I+Qj9y4L+H10e0zYuNum/pkWoLq6b+GJYH8hXrtMYJQbG0TmU9lP/0dxwGyLnzaAct1mPYfqNLUMVimyjeISTdchvJmoCsWqhasAEpaGRrhLmIEfwvfDJeaj6/OibY6jkKtzNGgI69zMKFn3mcn1L+dRaaGGNwLsn5l0wmZgUNB4P1rDEOM7ZP4Mx+3TeiyUuOPZopF7uNCNwBdWeWWz6Mzympanv/kgphduEeO1XJetTvYxhFQ6d7ttdPdNsOJNNHW8lDTFD/jkQndUexNnskm0ks2LEeGNQJZDimYFDIzAlbQOuDtw6nfVTZlOTmLZwQwWsGHsq1KYR2MGlPkiwEO74xEpSq8bHUcYwgwWsEuGZbimLmCbMRZiArbHIWyZwbvoQL/EY5rjWpD+DMFtgpZTbh+V1iwH/2ecrnvYtmUHIyk9hDwR2lYhFYqEBmjR3JNWGlAVHRjqXlaxW2iZtuL26hDVy3b6wAe8XSmG9Ye5j0Dlpw6Xth9BD07VtBbKeKw2Pl3ncG9VmlL1oEdrpQOnQFn3svLDzJnM/E4u/R7EmMIDQQYPxAGucurIaYTrAUoT7/ZDNzIpWGQbJsshh4ZfLR9RjhO/+66kXVv16lDneQqMBam6ss2HqAX7RCMKsIlj0CfQlzaHMRVRoxSyugU4LcJFK1hxM3wfZ6pW1lPjb1nlkUHlnHd1DzVC+AXmqvIgLPVxZigwKQ+WkwXQ7KGcvMZMk/OKyGO5HYgjgVdvxWIptlLdPUyogR2/g/2WctX0q5aA14SBnmF9uf58Qswq6kgoU0R9OLpc/KHP7T5aaXGQYJxgkxYMkCKHckZjsko+5Lhw95QkyTl4ijXnwXopCLWVcxXNv7PldUKG6xXc8pV9AJRBb86T+B0eKSa5q5T3t5ClerzI1yZJjeUV0RyBDPrJ/hDeq5Y6t+1J6qTMusY7Bgqqryu6OIpNPzJQbiTPOOdlOOFu5wOv6Q0A/8qL6h8WYS81QNZXkyQ2JAACyOiRijVGGVFdaEwZT/OMa5aLeisyQ4mXP/7EmZA8T3W3HsXznWH+599Dny0Oo+yuA3Z+kb6tb2Yzv3UMMs5xf+dp/aDDPSik94mobTWCEy7NwtYJhIlIXogA0vKYgi+4skatKWYLAIwv5/1UtkR/Wfi40PIqMag7uy/iy3v9MBj8Q6aFNSTsWXX8/hPG/t42UPa+s72NrGf7OXYrpvS01EZ7D5HA6sff0JgAOlBs7Zq+IESi+ydQovqIiLrB5DU0A5jqM/Uha5JKivmNyUmqt1hFXs=

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Section loaded: userenv.dll	Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: G53ADrk4YR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: G53ADrk4YR.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

.NET source code contains potential unpacker

Source: G53ADrk4YR.exe, KdFPrLOtZUk.cs

.Net Code: ncJKSELuxvd System.AppDomain.Load(byte[])

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Code function: 0_2_02DBB7B0 push es; ret

0_2_02DBB7C0

Source: G53ADrk4YR.exe, QHxyWjZbREABBUw.cs

High entropy of concatenated method names: 'efxRXWypncsLXrAQu', 'PYLvoHILFhE', 'juePExhPez', 'mgtajXylhGhK', 'kDTkqiqCZSb', 'sSTdfozEiMK', 'qPLqRQipKlxgRclh', 'KHzUxDzPTWW', 'jYKOfWwZNgOt', 'tUrGtsUCPVfrk'

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: G53ADrk4YR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AsyncRAT

Source: Yara match	File source: G53ADrk4YR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: G53ADrk4YR.exe

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Memory allocated: 2E50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Memory allocated: 1460000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Window / User API: threadDelayed 3086			Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Window / User API: threadDelayed 6741			Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 5304	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 280	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 280	Thread sleep time: -37815825351104557s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 764	Thread sleep count: 3086 > 30	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe TID: 764	Thread sleep count: 6741 > 30	Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: G53ADrk4YR.exe	Binary or memory string: vmware
Source: G53ADrk4YR.exe, 00000000.00000002.4131497141.00000000011D1000.00000004.00000020.00020000.00000000.sdmp, G53ADrk4YR.exe, 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, G53ADrk4YR.exe, 00000000.00000002.4132844548.0000000005390000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Queries volume information: C:\Users\user\Desktop\G53ADrk4YR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\G53ADrk4YR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: G53ADrk4YR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.G53ADrk4YR.exe.ae0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: G53ADrk4YR.exe PID: 5932, type: MEMORYSTR

Source: G53ADrk4YR.exe, 00000000.00000002.4131497141.00000000011F9000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\G53ADrk4YR.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	1 Scheduled Task/Job	1 Disable or Modify Tools	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	Logon Script (Windows)	Logon Script (Windows)	111 Obfuscated Files or Information	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
G53ADrk4YR.exe	76%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRat
G53ADrk4YR.exe	100%	Avira	TR/Dropper.Gen
G53ADrk4YR.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	G53ADrk4YR.exe, 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
82.9.14.4	unknown	United Kingdom		5089	NTLGB	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538230
Start date and time:	2024-10-20 20:56:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	G53ADrk4YR.exe renamed because original name is a hash value
Original Sample Name:	e4fdff5a89f062dfad43059a9fbe8d80.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/2@0/1
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 61 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target G53ADrk4YR.exe, PID 5932 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: G53ADrk4YR.exe

Simulations

Behavior and APIs

Time	Type	Description
14:57:08	API Interceptor	9051642x Sleep call for process: G53ADrk4YR.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
82.9.14.4	BY4ypm1UDs.exe	Get hash	malicious	Unknown	Browse
	TLqhu9mJBZ.exe	Get hash	malicious	Unknown	Browse
	BY4ypm1UDs.exe	Get hash	malicious	Unknown	Browse
	xBdB3fb8N8.exe	Get hash	malicious	Unknown	Browse
	TLqhu9mJBZ.exe	Get hash	malicious	Unknown	Browse
	CQyPpdxkYm.exe	Get hash	malicious	Unknown	Browse
	VkrR9Zde20.exe	Get hash	malicious	Unknown	Browse
	XdY2PQU261.exe	Get hash	malicious	Unknown	Browse
	xBdB3fb8N8.exe	Get hash	malicious	Unknown	Browse
	555tjcsfq1.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
NTLGB	bin.armv7l.elf	Get hash	malicious	Mirai	Browse	81.111.111.31
	arm.nn.elf	Get hash	malicious	Mirai, Okiru	Browse	82.11.248.127
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	82.18.109.11
	la.bot.mipsel.elf	Get hash	malicious	Unknown	Browse	86.26.143.236
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	82.4.92.2
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	82.47.249.37
	la.bot.mips.elf	Get hash	malicious	Unknown	Browse	82.3.7.129
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	82.33.106.67
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	86.21.69.110
	la.bot.sh4.elf	Get hash	malicious	Unknown	Browse	82.35.105.236

Process:	C:\Users\user\Desktop\G53ADrk4YR.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	71954
Entropy (8bit):	7.996617769952133
Encrypted:	true
SSDEEP:	1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
MD5:	49AEBF8CBD62D92AC215B2923FB1B9F5
SHA1:	1723BE06719828DDA65AD804298D0431F6AFF976
SHA-256:	B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
SHA-512:	BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	MSCF............,...................I..................XaK .authroot.stl.[.i..6..CK..<Tk......4.cl!Kg..E..Y.f_..".$mR"$.J.E.KB."..rKv.."{.g....3.W.....c..9.s...=....y6#..x..........D......\(.#.s.!.A.......cd.c........+^.ov...n.....3BL..0.......BPUR&.X..02.q...R...J.....w.....b.vy>....-.&..(..oe."."...J9...0U.6J..\|U..S.....M.F8g...=.......p...........l.?3.J.x.G.Ep..$g..tj......)v]9(:.)W.8.Op.1Q..:.nPd........7.7..M].V F..g.....12..!7(...B.......h.RZ.......l.<.....6..Z^.`p?... .p.Gp.#.'.X..........\|!.8.....".m.49r?.I...g...8.v.....a``.g.R4.i...J8q....NFW,E.6Y....!.o5%.Y.....R..<..S9....r....WO...(.....F..Q=....-..7d..O(....-..+k.........K..........{Q....Z..j._.E...QZ.~.\.^......N.9.k..O.}dD.b1r...[}/....T..E..G..c.\|.c.&>?..^t. ..;..X.d.E.0G....[Q.,......#.Dp..L.o\|#syc.J............}G-.ou6.=52..XWi=...m.....^u......c..fc?&pR7S5....I...j.G........j.j..Tc.El.....B.pQ.,Bp....j...9g.. >..s..m#.Nb.o_u.M.V...........\#...v..Mo\sF..s....Y...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Download File

Process:	C:\Users\user\Desktop\G53ADrk4YR.exe
File Type:	data
Category:	dropped
Size (bytes):	328
Entropy (8bit):	3.1501841598665044
Encrypted:	false
SSDEEP:	6:kKvW9UswDLL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:HZDnLNkPlE99SNxAhUe/3
MD5:	45E6CE7EB98490458FCA4F2D07D3F6C4
SHA1:	00225728DC7A6FD3EF09D05B94AA7B8F627EE248
SHA-256:	934C9D51F7A5F8F7106D8E42126B30FDC4B709AEFBDAA6D8C743B5672F6DC98D
SHA-512:	134BE794E34E74F55536421DE515D7EAEF2C9074456FC6212722E7F1312D5A738336B35461909D805B1EE66633A8F637E7FDBF22541AD7F5B4630F535BE2C498
Malicious:	false
Reputation:	low
Preview:	p...... ........$%..!#..(....................................................... ........G..@.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.512730398495966
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	G53ADrk4YR.exe
File size:	67'584 bytes
MD5:	e4fdff5a89f062dfad43059a9fbe8d80
SHA1:	3f6615b2421fab68e19f87cf834621cb330c730f
SHA256:	e61d52a9c9e88e95650fcee8c8aca19da6dc97a78703be06cf0b8d08e0aeb012
SHA512:	843bb88e42b4d82d4702fae47dfae078334c4db54e2ce8124f33d319c765058f652b2235604e02ff104d8d306a88ff9618ff51e51f996847e87ed0e2b4227707
SSDEEP:	1536:zmfWSqHdykrVMKuJUYFs1LK1/dMbCYtGSamQRxqmMdrmTGdx:zmeSqHdykGKuJUYFwi1MbfE5/RxqmMdh
TLSH:	AE6319043BE89129F3BE8F7469F266854AF5F46B2D12D95D1CC501CE0632B829D42FBB
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......d............................>.... ... ....@.. .......................`............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x411a3e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A6F687 [Thu Jul 6 17:14:47 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x119f0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x7ff	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x14000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xfa44	0xfc00	052d47a369b66af3b6b1ab76e713e4d0	False	0.49614025297619047	data	5.55154071210939	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x7ff	0x800	33cdbc5c50f34a35b4f0e61582ac7f11	False	0.41650390625	data	4.884866150337139	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x14000	0xc	0x200	9d3fba3936c228cb014acb8616f679c1	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x120a0	0x2cc	data			0.43575418994413406
RT_MANIFEST	0x1236c	0x493	exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.43381725021349277

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-20T20:57:07.658717+0200	2842478	ETPRO JA3 Hash - Suspected ASYNCRAT Server Cert (ja3s)	1	82.9.14.4	4646	192.168.2.4	49730	TCP
2024-10-20T20:57:07.658717+0200	2030673	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	82.9.14.4	4646	192.168.2.4	49730	TCP
2024-10-20T20:57:07.658717+0200	2035595	ET MALWARE Generic AsyncRAT Style SSL Cert	1	82.9.14.4	4646	192.168.2.4	49730	TCP
2024-10-20T20:57:07.658717+0200	2035607	ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)	1	82.9.14.4	4646	192.168.2.4	49730	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 20:57:06.509802103 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:06.514758110 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:06.514945030 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:06.527457952 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:06.532454014 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:07.609960079 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:07.610002041 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:07.610048056 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:07.653829098 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:07.658716917 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:07.977701902 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:08.024323940 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:09.572165966 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:09.577162027 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:09.577215910 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:09.582168102 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:15.713648081 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:16.024457932 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:16.633721113 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:16.758342981 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:16.760394096 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:16.761863947 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:17.084796906 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:17.133699894 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:17.243916035 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:17.253931046 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:17.258898973 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:17.258951902 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:17.263962984 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:19.679786921 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:19.727466106 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:19.847119093 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:19.899342060 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:21.859762907 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:21.865120888 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:21.865243912 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:21.870240927 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:22.181205034 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:22.240968943 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:22.340156078 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:22.381486893 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:22.386661053 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:22.386784077 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:22.391961098 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:27.993531942 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:27.999424934 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:27.999631882 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:28.004630089 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:28.318464994 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:28.368098974 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:28.476989031 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:28.478876114 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:28.483791113 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:28.483850002 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:28.488780975 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.166271925 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:34.171247005 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.171302080 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:34.176197052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.496040106 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.540009022 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:34.653651953 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.655500889 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:34.660307884 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:34.660362959 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:34.665828943 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.274872065 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:40.279795885 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.279877901 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:40.284938097 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.611303091 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.665199995 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:40.753277063 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.755450010 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:40.760355949 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:40.760404110 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:40.765368938 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.415479898 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:46.420403004 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.420466900 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:46.425537109 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.738924980 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.790034056 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:46.898633957 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.900748968 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:46.905626059 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:46.905683994 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:46.910686970 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:49.667368889 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:49.712004900 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:49.826699018 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:49.868175983 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:52.556140900 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:52.561259031 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:52.561335087 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:52.566467047 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:52.877559900 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:52.930767059 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:53.039890051 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:53.041652918 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:53.046550035 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:53.046603918 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:53.051538944 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:58.696794033 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:58.901279926 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:58.901458025 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:58.906270981 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:59.216197968 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:59.258836031 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:59.387233019 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:59.427625895 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:59.432646990 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:57:59.432744026 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:57:59.437947989 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:04.837335110 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:04.842406034 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:04.842472076 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:04.847659111 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:05.157996893 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:05.211967945 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:05.320630074 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:05.368217945 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:05.414855003 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:05.419822931 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:05.423029900 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:05.427949905 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:10.978179932 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:10.983232021 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:10.983278036 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:10.988424063 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:11.301440001 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:11.352646112 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:11.466120958 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:11.476361990 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:11.481312990 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:11.481359959 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:11.486134052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.118967056 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:17.123915911 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.124922037 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:17.130314112 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.445434093 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.493194103 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:17.616393089 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.617930889 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:17.622944117 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:17.623004913 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:17.627882957 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:19.678533077 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:19.727574110 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:19.839911938 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:19.883908033 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.259263039 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.264533043 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.264595032 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.270023108 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.682981968 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.933320999 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.933402061 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.934077978 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.934514999 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.934571981 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.935642958 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.938247919 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:23.938307047 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:23.943160057 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:24.256658077 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:24.262232065 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:24.262337923 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:24.264272928 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:24.269191027 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:24.269263029 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:24.274137020 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:29.821731091 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:29.826822996 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:29.827042103 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:29.831932068 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:30.145692110 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:30.196997881 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:30.306396008 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:30.309307098 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:30.314286947 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:30.314331055 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:30.319333076 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.165608883 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:33.170734882 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.170815945 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:33.175935030 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.487715006 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.542031050 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:33.646769047 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.648809910 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:33.653759003 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:33.653862000 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:33.658783913 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.306497097 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:39.311552048 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.311608076 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:39.316550970 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.639221907 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.696362972 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:39.797873020 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.804253101 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:39.809226036 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:39.809284925 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:39.814353943 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:41.559039116 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:41.725836039 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:41.725990057 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:41.730973005 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:42.043474913 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:42.091001987 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:42.202250004 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:42.205317020 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:42.210464001 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:42.210721016 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:42.215576887 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:47.697609901 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:47.702955008 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:47.703023911 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:47.708040953 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:48.032722950 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:48.086998940 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:48.193802118 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:48.195249081 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:48.200289965 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:48.200344086 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:48.205225945 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:49.663790941 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:49.712011099 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:49.827650070 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:49.869277954 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:53.837430000 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:53.842412949 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:53.842557907 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:53.847465038 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:54.160136938 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:54.213040113 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:54.317830086 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:54.319381952 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:54.324249983 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:54.324348927 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:54.329312086 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.228120089 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:57.232991934 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.233133078 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:57.237972975 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.553627968 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.602823973 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:57.725251913 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.727354050 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:57.732219934 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:57.732285976 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:57.737158060 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.107031107 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.113845110 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.114799976 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.119676113 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.433274031 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.477647066 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.590586901 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.592833042 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.597686052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.597729921 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.602811098 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.962456942 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.967391014 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:58.967490911 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:58.973800898 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:59.290927887 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:59.337033987 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:59.448960066 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:59.454451084 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:59.459562063 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:58:59.459625959 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:58:59.464608908 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:01.809175968 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:01.814060926 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:01.814150095 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:01.818999052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:02.132720947 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:02.181303978 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:02.293286085 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:02.296972990 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:02.301825047 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:02.301945925 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:02.306760073 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:07.949201107 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:07.962639093 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:07.962768078 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:07.967569113 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.137447119 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.142426014 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.142534018 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.147388935 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.283653021 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.337079048 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.449784994 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.454982042 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.459842920 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.459887981 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.464854002 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.649947882 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.686850071 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.691760063 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:08.691804886 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:08.696841002 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.274986029 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:14.280155897 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.280214071 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:14.285320997 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.616152048 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.665191889 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:14.774498940 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.775928974 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:14.780847073 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:14.780895948 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:14.785794020 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.263067961 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:18.268311024 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.268428087 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:18.273258924 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.587975025 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.633929968 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:18.746712923 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.772064924 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:18.776993990 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:18.777033091 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:18.781862020 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:19.666390896 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:19.712109089 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:19.827193975 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:19.883948088 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.430304050 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.435529947 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:24.437685966 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.443017006 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:24.761296034 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:24.837085962 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.921886921 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:24.923597097 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.928478003 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:24.928529024 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:24.934739113 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:30.540602922 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:30.628031969 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:30.628084898 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:30.633064985 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:30.941346884 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:31.040204048 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:31.109746933 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:31.111382961 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:31.116266966 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:31.116343975 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:31.121247053 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:36.681448936 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:36.686837912 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:36.686888933 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:36.691854954 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:37.250828981 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:37.251126051 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:37.251218081 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:37.252645016 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:37.254451036 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:37.254501104 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:37.257519007 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:37.257603884 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:37.262507915 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:42.822041035 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:42.827047110 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:42.827153921 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:42.832055092 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:43.145308971 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:43.196516037 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:43.304377079 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:43.306401014 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:43.311335087 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:43.311391115 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:43.316293001 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:48.962575912 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:48.967638016 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:48.967691898 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:48.972611904 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.286811113 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.337256908 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:49.446809053 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.448184967 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:49.453027964 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.453120947 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:49.458035946 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.665996075 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.715171099 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:49.766460896 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:49.821504116 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:53.951155901 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:53.956213951 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:53.957171917 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:53.962183952 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:54.278333902 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:54.337131977 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:54.437715054 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:54.440668106 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:54.445560932 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:54.445707083 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:54.450645924 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:57.509612083 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:57.514676094 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:57.514738083 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:57.519565105 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:57.835736036 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:57.884025097 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:57.993742943 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:57.995440006 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:58.000354052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:58.000405073 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:58.005414009 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.119816065 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:59.124852896 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.124908924 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:59.129915953 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.445914984 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.493603945 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:59.631715059 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.638484001 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:59.643408060 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 20:59:59.646224022 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 20:59:59.651092052 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.259352922 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:05.264427900 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.266988039 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:05.271853924 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.666969061 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.712174892 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:05.748502016 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.750240088 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:05.755122900 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:05.755280018 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:05.760194063 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:11.400232077 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:11.405181885 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:11.405245066 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:11.411465883 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.321960926 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.634054899 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.718400955 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.718538046 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.718586922 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.718643904 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.718683004 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.718760967 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.718803883 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.721384048 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.721415043 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.738003016 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.742898941 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:12.742947102 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:12.747833014 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:13.035017967 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:13.052772045 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:13.052839994 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:13.079097033 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:13.084115982 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:13.084170103 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:13.089113951 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.462738991 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:18.467765093 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.467817068 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:18.472681046 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.783106089 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.837172031 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:18.942814112 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.944478989 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:18.949352026 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:18.949409008 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:18.954385042 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:19.670442104 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:19.712179899 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:19.830790997 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:19.884052038 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:24.603450060 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:24.609510899 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:24.609575033 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:24.614629984 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:24.939702988 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:24.993431091 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:25.103727102 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:25.105701923 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:25.110621929 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:25.110670090 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:25.115528107 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:30.743828058 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:30.748920918 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:30.749023914 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:30.753921032 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:31.064260960 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:31.118465900 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:31.224098921 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:31.226171970 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:31.231070042 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:31.231121063 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:31.235981941 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:32.869937897 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:32.875252008 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:32.875315905 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:32.880178928 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:33.200790882 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:33.243479013 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:33.361835957 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:33.363711119 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:33.368841887 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:33.368902922 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:33.374007940 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.009536028 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.014705896 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.014760017 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.019676924 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.243978024 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.252598047 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.255311012 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.260309935 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.335464001 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.446592093 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.497260094 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.500669003 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.505532980 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.507210970 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.512082100 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.655006886 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.656757116 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.661678076 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:39.661734104 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:39.666697025 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.384588003 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:45.389626980 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.389730930 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:45.394540071 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.709659100 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.759251118 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:45.908545017 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.912370920 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:45.918386936 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:45.918617964 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:45.924621105 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.009444952 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.016047001 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.016107082 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.021418095 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.333826065 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.370112896 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.375036955 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.375078917 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.379935026 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.496776104 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.527692080 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.532658100 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.532711029 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.537720919 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.662017107 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.683609962 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.683746099 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.838993073 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.878093004 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.883126974 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:49.883285046 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:49.888153076 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.384758949 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:55.389911890 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.389980078 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:55.394922018 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.708103895 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.763214111 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:55.867029905 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.873307943 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:55.878117085 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:00:55.885248899 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:00:55.890177011 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:01.525341988 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:01.530409098 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:01.530519009 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:01.535466909 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:01.866822958 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:01.917614937 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:02.042068958 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:02.045430899 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:02.050442934 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:02.050498962 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:02.055542946 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:07.666269064 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:07.671535969 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:07.671597004 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:07.676531076 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:07.987646103 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.040395021 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.145432949 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.196645021 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.413759947 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.418888092 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.418955088 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.423929930 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.769509077 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.821824074 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.930803061 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.935298920 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.940269947 CEST	4646	49730	82.9.14.4	192.168.2.4
Oct 20, 2024 21:01:08.947235107 CEST	49730	4646	192.168.2.4	82.9.14.4
Oct 20, 2024 21:01:08.952244997 CEST	4646	49730	82.9.14.4	192.168.2.4

Target ID:	0
Start time:	14:57:01
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\G53ADrk4YR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\G53ADrk4YR.exe"
Imagebase:	0xae0000
File size:	67'584 bytes
MD5 hash:	E4FDFF5A89F062DFAD43059A9FBE8D80
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: Windows_Trojan_Asyncrat_11a11ba1, Description: unknown, Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: unknown Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.1670377455.0000000000AE2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4132627033.0000000005316000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.4131832511.0000000002E51000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Function 02DBD2F0 Relevance: 1.0, Instructions: 1022COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e8fe3ed9460066cfe317334020d76fd3758d422b449964e49f66b13b3c9d88
Instruction ID: 7cb89e276692543954506f26a9661ab90359a6897e71e91be47010071d07a118
Opcode Fuzzy Hash: d6e8fe3ed9460066cfe317334020d76fd3758d422b449964e49f66b13b3c9d88
Instruction Fuzzy Hash: C88249307002058FDB19EF69C8A4BAEB6E3FF88704F608569D1468B3A5CB75DD4ACB51

Function 02DB7040 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8288ba78a99d50227550d077692f334b891aca03e7037cc28fe3509f5af5e731
Instruction ID: 572139f860a91d26706e18e42b4d56d9b7e1f815586b3cfd4259580bcb299496
Opcode Fuzzy Hash: 8288ba78a99d50227550d077692f334b891aca03e7037cc28fe3509f5af5e731
Instruction Fuzzy Hash: 09B14A71E00209CFEB15CFA9C9957DDFBF2AF88304F148129E85AA7394EB749845CB91

Function 02DB7910 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec0fead402ead9ad9b245502b43962c058785ba3ffa5f759d3052d70bccb8a7
Instruction ID: eb0046e66b6f8d1ed79582131fec2316f4064747693493e4cad1219742f131d2
Opcode Fuzzy Hash: bec0fead402ead9ad9b245502b43962c058785ba3ffa5f759d3052d70bccb8a7
Instruction Fuzzy Hash: 38B15B71E04209CFEB11CFA9D8A17DDFBF2AF89314F148529D41AA7394EB749845CB81

Function 02DB20F0 Relevance: 5.4, Strings: 4, Instructions: 444COMMON

Download Yara Rule

Strings

xbq, xrefs: 02DB273E
,, xrefs: 02DB2238
a^q, xrefs: 02DB2704
a^q, xrefs: 02DB26A7

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: a^q$ a^q$,$xbq
API String ID: 0-2180861429
Opcode ID: 538015b753e4bf75587ae6a8b40deb3d54e21c3f41603124df644152b201b484
Instruction ID: baa8b9397ac415fa2b0324e030f3b64e735e59c536416da7763c1dcaf77b2b7e
Opcode Fuzzy Hash: 538015b753e4bf75587ae6a8b40deb3d54e21c3f41603124df644152b201b484
Instruction Fuzzy Hash: FC028E35600200DFCB1AEF29D464BADB7A2BF84314F208668D8469F7A9DB75DC85CB81

Function 02DB232A Relevance: 3.9, Strings: 3, Instructions: 183COMMON

Download Yara Rule

Strings

xbq, xrefs: 02DB273E
a^q, xrefs: 02DB2704
a^q, xrefs: 02DB26A7

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: a^q$ a^q$xbq
API String ID: 0-2081302502
Opcode ID: 9ae42be55147c12a2aded24eb7ac63861c0321ffdbb3d221baadf1ea185bf5df
Instruction ID: 0493af80dc0a60d5315a2be62a53b910a2504a388fc9f476f5f719a26e1c4e73
Opcode Fuzzy Hash: 9ae42be55147c12a2aded24eb7ac63861c0321ffdbb3d221baadf1ea185bf5df
Instruction Fuzzy Hash: D5616935600300CFD719AF29D464B9E7BA2FF84714F208668D94A9F7A9DBB5EC45CB80

Function 02DB0F80 Relevance: 3.9, Strings: 3, Instructions: 156COMMON

Download Yara Rule

Strings

d7p, xrefs: 02DB0FCD
(bq, xrefs: 02DB125A
Te^q, xrefs: 02DB0FB5

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: (bq$Te^q$d7p
API String ID: 0-1699803613
Opcode ID: 98e3bd20b3d5b678edaa3f3bc0fda111d67ba6cab74fe0ebb70263507ae6c6b3
Instruction ID: 1c50b133721e43b7bf8f780b298a5e9bde3d234a20cfa2fc13d097df10d662e8
Opcode Fuzzy Hash: 98e3bd20b3d5b678edaa3f3bc0fda111d67ba6cab74fe0ebb70263507ae6c6b3
Instruction Fuzzy Hash: 12516B75B101148FCB44DF69D468A9EBBF2FF88710F25C1A9E806EB3A5CA75DC018B91

Function 02DB0DE8 Relevance: 2.6, Strings: 2, Instructions: 127COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02DB0F08
dLdq, xrefs: 02DB0E23

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Hbq$dLdq
API String ID: 0-411705877
Opcode ID: c671b191e305a435d181afd4a01eba855a8680291a6b3183336f163ec8b8e59a
Instruction ID: f355ea4627587947355cc80b5d0562c2ea9d3a54fae0eb3f09b040202ed7f00f
Opcode Fuzzy Hash: c671b191e305a435d181afd4a01eba855a8680291a6b3183336f163ec8b8e59a
Instruction Fuzzy Hash: 6C418C35B002048FDB159F69D458AAEBBF2FF89304F1485A9E406EB3A1CB759C05CB91

Function 02DBA6B8 Relevance: 2.6, Strings: 2, Instructions: 111COMMON

Download Yara Rule

Strings

$^q, xrefs: 02DBA6F7
$^q, xrefs: 02DBA6ED

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 6f8fe0db4f259aafc32c6047eb896f232ba09faf815e8b4f3e52e703d3e13678
Instruction ID: 6b73f7b52ef00b2d8ef498e1c5b85d0c638cc5dae2aa396472f48e666b3c9177
Opcode Fuzzy Hash: 6f8fe0db4f259aafc32c6047eb896f232ba09faf815e8b4f3e52e703d3e13678
Instruction Fuzzy Hash: 46414938B44501DBCB1E5F6AA028569BBB3BF847057688889E0478BB58CB36DC17CBC5

Function 02DB9DC8 Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02DBA03D

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: edea8cdc0fc7497226ea3af7a71b929cbb08ffbdfc4895ca7048df0d53aacfc9
Instruction ID: 4d6797ec221ff9e4b7b3f0a2b8fdb83fb21c90fe27b78d50cd34258c30c94b9d
Opcode Fuzzy Hash: edea8cdc0fc7497226ea3af7a71b929cbb08ffbdfc4895ca7048df0d53aacfc9
Instruction Fuzzy Hash: 4701F130F14141CFCB06DB7898207EE3BF1AF49700F1040AAE646DB394E7609E01CB92

Function 02DBB820 Relevance: 1.6, Instructions: 1574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce9b71e3a5526b4e2124df083c959bfb262b7e2dbc5c75bce64f0c0fc15f678f
Instruction ID: 9c189092be989cc48109b76a30649d50328ea70c9bd9fa09b02b43a50cb68cca
Opcode Fuzzy Hash: ce9b71e3a5526b4e2124df083c959bfb262b7e2dbc5c75bce64f0c0fc15f678f
Instruction Fuzzy Hash: DCD21534701314CFCB2AEB75D0A46AD37A3BF89205B608669D84B9B394DF7A9C42CF51

Function 02DB9DAD Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02DBA03D

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 5bcd56bf5cae7b1cc45f97975bdf120e117e4fa55da7099f100b5dd7204fe323
Instruction ID: a1fb430297ff05a48772e8c10043498f18b3916cff964c27330aecc17bee1828
Opcode Fuzzy Hash: 5bcd56bf5cae7b1cc45f97975bdf120e117e4fa55da7099f100b5dd7204fe323
Instruction Fuzzy Hash: 0C01D230F54241DFC706AB7889243EE3AA1AF49700F10459AD246DB394E6608E01CB92

Function 02DBAFB0 Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

xbq, xrefs: 02DBB2F6

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: xbq
API String ID: 0-73991425
Opcode ID: 1aea540533d330a46331a1b762875e7a0ebd41772cf499a899a868090d9ab0d2
Instruction ID: 4ef88db7dc83a0f9127b44a7b6a51e7103a02e037b14a344d9f095f7a8c4d8b6
Opcode Fuzzy Hash: 1aea540533d330a46331a1b762875e7a0ebd41772cf499a899a868090d9ab0d2
Instruction Fuzzy Hash: BE913A74902200CFD73ACF29E56479937A1BB85718F94421ACC8ADBF9ED77A9884CF41

Function 02DBAC68 Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBAD06

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b5c7c244a1c3bd07ae7da742629128c63430665ab74fdbfb02bdb262dfda3582
Instruction ID: c191ff3de58b8d7ea1a35cf66fbdcc9565584288d24745bb2c0c3947e05ad7c8
Opcode Fuzzy Hash: b5c7c244a1c3bd07ae7da742629128c63430665ab74fdbfb02bdb262dfda3582
Instruction Fuzzy Hash: 58516934600205DFEB19DF2AD858BA9BBB2AF48715F208159E5129B3E5CBB1EC41CB40

Function 02DBA6A1 Relevance: 1.4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

Strings

$^q, xrefs: 02DBA6ED

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: 092b0669fba21e238fcb958a6010de7142db47d617624422eb024e9dd5fb616c
Instruction ID: 98da4d2b8477fc7c5dadfcf148543ed6ab28a9189ce86e76fbf893b607c7cccd
Opcode Fuzzy Hash: 092b0669fba21e238fcb958a6010de7142db47d617624422eb024e9dd5fb616c
Instruction Fuzzy Hash: EA41BD38A48501CBCB1E1F29A028178BFB3BF847057288889E4438BB54CB36DC17CBC6

Function 02DB1402 Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02DB1453

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: acc4329343e2b320bf583fd4f84cedd52d12b489bae71aa34479b7f242785479
Instruction ID: 8d5ef3562acbf11a1a575df44f22c93d78e261473b891867e3ff15dafeb29e40
Opcode Fuzzy Hash: acc4329343e2b320bf583fd4f84cedd52d12b489bae71aa34479b7f242785479
Instruction Fuzzy Hash: F2318F30F002168FCB45EB79856166EBBF6BF89604B144169E54ADB364EE30DC02C792

Function 02DB0DDA Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

dLdq, xrefs: 02DB0E23

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: dLdq
API String ID: 0-3390252261
Opcode ID: a68e5e52324a8351720177de76648142a7d58a25c69d1d8fed5ec0bed31971e4
Instruction ID: c77a87024152ec8878e07574cfc268eeba120093d7f6b72bf9bf1bca15e12002
Opcode Fuzzy Hash: a68e5e52324a8351720177de76648142a7d58a25c69d1d8fed5ec0bed31971e4
Instruction Fuzzy Hash: CB318B75A10204CFDB15DF68C598BAEBBF2BF88305F148569E402AB3A1CB71DD44CB91

Function 02DBA599 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBA5EA

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: a30329ba6c7e5b6715d7d8d4a9e19c953dc4838fee3ee4b4224aeacbaa65704c
Instruction ID: 4bf7573b36298e2c724564a267bdbf90d5cdcb5c69af32aea471f92ac8662abf
Opcode Fuzzy Hash: a30329ba6c7e5b6715d7d8d4a9e19c953dc4838fee3ee4b4224aeacbaa65704c
Instruction Fuzzy Hash: D131A071B102848FDB169B38C828B9D7BF2AF89710F15409AE442DF3A2CB75DC09CB51

Function 02DB4673 Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

|, xrefs: 02DB46D0

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: 7b887c7a67c825901fd6d853407f6c007b9bb1760ffb31bbfd7697e1fa0ee0ea
Instruction ID: e886e4a7dea99d1ac7e2796c9d8cef959d7f8a32a76a2151d99a12afcfd78b88
Opcode Fuzzy Hash: 7b887c7a67c825901fd6d853407f6c007b9bb1760ffb31bbfd7697e1fa0ee0ea
Instruction Fuzzy Hash: 4E219A75B10225DFCB44AF78D814BAE7BF1EF49644F00846AE54ADB3A0DA35DC01CB81

Function 02DBA5D0 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBA5EA

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 8647547935c67bc20087e575244ec98ba7044304524c1c52dc31c9dd1a9eeed0
Instruction ID: 9ebfd114e07b5ec647cd76770f641337278043578b806b668bfdf18831e46b51
Opcode Fuzzy Hash: 8647547935c67bc20087e575244ec98ba7044304524c1c52dc31c9dd1a9eeed0
Instruction Fuzzy Hash: 92216A70750514CFDB199B38D468BAE7BF6AF88B10F20415AE502EB3A0CF759C04CB91

Function 02DBAB50 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBAB7B

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: 12a0022138141b122824efd66c1f1fef42f9fe9198693531de36d59634d4c6c3
Instruction ID: 2b5bdc743dbf3ca53ab6d4cfb5ace6aa30b88646e4c3161823b05f7929e134fe
Opcode Fuzzy Hash: 12a0022138141b122824efd66c1f1fef42f9fe9198693531de36d59634d4c6c3
Instruction Fuzzy Hash: B911D334B40200CFDB149F29D8A4BADBBF6EF88710F14405AE9029F3A1CA75AC40CB90

Function 02DBAB60 Relevance: 1.3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBAB7B

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: b3d300409c2363be20b9fbf9c37390bd0b748a794eb006b4ac857d1e9dcf6ad4
Instruction ID: a382b7c26434a8b2f4825063059f727336d96469dfad14401ea6364b6f14c8f6
Opcode Fuzzy Hash: b3d300409c2363be20b9fbf9c37390bd0b748a794eb006b4ac857d1e9dcf6ad4
Instruction Fuzzy Hash: AA114F74B40204DFDB159F69C4A8BADBBF6EF88710F144059E902AF3A5CAB5AC41CB90

Function 02DBD118 Relevance: 1.3, Strings: 1, Instructions: 53COMMON

Download Yara Rule

Strings

Te^q, xrefs: 02DBD145

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Te^q
API String ID: 0-671973202
Opcode ID: c872a42fa1ef7f545497ec5020e24ec93cd69b3e75083ef59ffd1e2958a585ef
Instruction ID: 34094032f8cbc0e5f483495126182336881ba7178fa3f0e31556d2486aa59f91
Opcode Fuzzy Hash: c872a42fa1ef7f545497ec5020e24ec93cd69b3e75083ef59ffd1e2958a585ef
Instruction Fuzzy Hash: 1E11A030700114DBDB199B59D428BAE7BF2AF8CB00F104469E502E73A5CBB59D05CB90

Function 02DBA028 Relevance: 1.3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

Strings

LR^q, xrefs: 02DBA03D

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 97eafce064696ac7650f868fffdab8560909bb18a8804f0bf80c28c1e0958f62
Instruction ID: 646fac65e7033b779df2c7f7faccfd0b0b2ecb60537f6b1d1fa511ce575d5050
Opcode Fuzzy Hash: 97eafce064696ac7650f868fffdab8560909bb18a8804f0bf80c28c1e0958f62
Instruction Fuzzy Hash: AF012C71F00115DFCB45EB6898656EE77A5EF48700F2045A9E60ADB354EA60AE018BD1

Function 02DB0F07 Relevance: 1.3, Strings: 1, Instructions: 43COMMON

Download Yara Rule

Strings

Hbq, xrefs: 02DB0F08

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Hbq
API String ID: 0-1245868
Opcode ID: ad4c8bb8503074c6614b4e4d4983ac2c17ad8b8f5095017f03c684edee392c19
Instruction ID: 393a2ec53b4ce5e97801f6f573190bdaf6b50429257d0feadb5d80410d4d7dec
Opcode Fuzzy Hash: ad4c8bb8503074c6614b4e4d4983ac2c17ad8b8f5095017f03c684edee392c19
Instruction Fuzzy Hash: CCF0F6317041500FC3856B3DA4645BE6FE7EFDA25072544BAE149CB352DE398C078795

Function 02DB3328 Relevance: .9, Instructions: 931COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4366ab06a63998c2e529a794bcce1447783e378ebc8d2dfd68c7f99d548fee7
Instruction ID: 96400129d2623a6c29740c53a2ae3bac50ec1d7d8b0196d54e1b4688a14398f2
Opcode Fuzzy Hash: f4366ab06a63998c2e529a794bcce1447783e378ebc8d2dfd68c7f99d548fee7
Instruction Fuzzy Hash: D0926234301351CFCB6AEF35E45465977B2AB84309B208AAAC9468B39DDB36DC47CF91

Function 02DB32E8 Relevance: .7, Instructions: 726COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37591499299991c9b6cccf6dc21253914c417eae1118736eddf9103eb86dfae2
Instruction ID: f594a5d922a64e82150b0768e2f7d3a902e7a8a63c84dcdca825a9190d3a795b
Opcode Fuzzy Hash: 37591499299991c9b6cccf6dc21253914c417eae1118736eddf9103eb86dfae2
Instruction Fuzzy Hash: 9C62A434305351CFCB5AEF35E46466937B2AB84309B108AAAC946CB39DDB36DC46CF91

Function 02DBB430 Relevance: .4, Instructions: 429COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92fedd57a784c92693e99ba73900923155a0df458d04b4d593b721c74ed8aa73
Instruction ID: 522b03f85fcb42d7479fa9227876586fe1d381a37d2148e187537524812ed23c
Opcode Fuzzy Hash: 92fedd57a784c92693e99ba73900923155a0df458d04b4d593b721c74ed8aa73
Instruction Fuzzy Hash: 9EE0DF71A8920DEFDB45DFA8F91238DBBB5EB46200F10829AD808D7350EB309F089B41

Function 02DB7034 Relevance: .3, Instructions: 296COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9857e78f6364397b7bc03630829382d222064bde70829dca97533862d25fe86
Instruction ID: 463a63316d4a15dbeef61bf3938a5482d88abe5db92dd02ca720fa32848b99fc
Opcode Fuzzy Hash: b9857e78f6364397b7bc03630829382d222064bde70829dca97533862d25fe86
Instruction Fuzzy Hash: 20B14971E00209CFEB11CFA9C9957DDFBF2AF88304F149129E85AA7394EB749845CB91

Function 02DB7907 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6c46b8542ceb1128b3d76fd22e30f6885908d075f508d9ef03c4a44e9c6d293
Instruction ID: 93c64754468d35397b6a09a5a7a425949dffb18fa181e16e2dbee3720db99143
Opcode Fuzzy Hash: e6c46b8542ceb1128b3d76fd22e30f6885908d075f508d9ef03c4a44e9c6d293
Instruction Fuzzy Hash: 82A14971E0420ACFEB51CFA8D8A17DDFBF2AF89314F148129D41AA7394EB749845CB81

Function 02DB4258 Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2062dce25d3dd3e4aa435dfd46c556c628015c2adeeeb9cf6a436de5e59a670
Instruction ID: 0192af943fbd07ea8e5750e3a718991a345ce00f95950fb55c1025eb287f5cea
Opcode Fuzzy Hash: a2062dce25d3dd3e4aa435dfd46c556c628015c2adeeeb9cf6a436de5e59a670
Instruction Fuzzy Hash: 7D91CF31A00206CFCB16DF68D4A069EBBF2FF84314F1486A9D456AB356DB70ED46CB90

Function 02DBA868 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f985fbf6b84edd801f771bd50b3957b26806735f10d326431e4d880fb3a2b67d
Instruction ID: 64cb25580c1ed2014c94ca1f6c70c9669a0475d50bcaece5a64fa7ee6cd683ea
Opcode Fuzzy Hash: f985fbf6b84edd801f771bd50b3957b26806735f10d326431e4d880fb3a2b67d
Instruction Fuzzy Hash: B8519D34A00116CFCB15DF68C594AAEFBB2FF48310F5580A5E856AB766D731EC41CBA0

Function 02DB0B49 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa36c6c04d99906c4231b8694207d21f932717098a346e36945b3e353a7d7bd3
Instruction ID: 60e964327fc5a37a80adc3031274e597f43fd114f4f01f2d4aa049e9b4711d1a
Opcode Fuzzy Hash: aa36c6c04d99906c4231b8694207d21f932717098a346e36945b3e353a7d7bd3
Instruction Fuzzy Hash: C851F878102321DFCB1BEF25F954A49B772FB853857106768C8028B36CEB35988ACF81

Function 02DB4748 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 264cf0cb3cb40edd399258161a841f28c2ed93065b7f567d83f988c0e4507bc1
Instruction ID: 6befc176d8e9c3ee248547a4bc5763ce3236c1923f24feb8bb042d512d7904e4
Opcode Fuzzy Hash: 264cf0cb3cb40edd399258161a841f28c2ed93065b7f567d83f988c0e4507bc1
Instruction Fuzzy Hash: F2419D71B002448FCB19EBB994646AEBBF6EFC9314F24842DD14AAB750CF349C45CBA5

Function 02DB2D07 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea3306547b03d479e282399a42b89df71f6000fe306a6261f956a6c8b13eeef
Instruction ID: af3e51ae6065cb5f8821a999812c47358c9420958da8056173673461bdf3f422
Opcode Fuzzy Hash: 7ea3306547b03d479e282399a42b89df71f6000fe306a6261f956a6c8b13eeef
Instruction Fuzzy Hash: A0416D75B20238DFCF089BB9D91479D7BBBBB8C710F148519E809B3358CA31AC558BA5

Function 02DB1298 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d25b136a698f8f930cc3f56ebb04edc745b83c9dbb949777877a9a7d639ca89a
Instruction ID: a01059cecb76d546c55029410ab3533b42b3e69fc60d7045f2953e568fce21a4
Opcode Fuzzy Hash: d25b136a698f8f930cc3f56ebb04edc745b83c9dbb949777877a9a7d639ca89a
Instruction Fuzzy Hash: EF416071E00209AFCB04DBB9C5646AEBBFAFF88700F20C569D48AD7345DA34DD418BA5

Function 02DB09B8 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 206b30a27ac8b1b58874d836d2cc23c8f8703889ddbc4eb6e3a62c7c0179b188
Instruction ID: 9081f9fdaaaea3f1710e294961f0dc14285851a6531a25e0248862bbebfb9652
Opcode Fuzzy Hash: 206b30a27ac8b1b58874d836d2cc23c8f8703889ddbc4eb6e3a62c7c0179b188
Instruction Fuzzy Hash: 23318030714212CFDB2AAF7998246BF7AA5BF8564A714492DD847C6384EF24DC01CB96

Function 02DB09A8 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aa92c65eb293da4063ced69b8fe26e17cf4a5e97a975f803a83300fcd2e26e
Instruction ID: 384946e4c8492ff54a20e986e194aa38c6ff7fc6e373266c5157fffd823a248d
Opcode Fuzzy Hash: 65aa92c65eb293da4063ced69b8fe26e17cf4a5e97a975f803a83300fcd2e26e
Instruction Fuzzy Hash: C341B030714202CFDB2AAF3998647BF3AA5BF8164A714492DD887C7784EF24DD01CB92

Function 02DB5554 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 837303a3f65fdb24ce20f6828a1252d011cc18150490fd3c20e1ba2f0978c851
Instruction ID: dff6ca055d1e4d0c195708095d963b22f86d2d3e2b13f80a07e11958a6d39c04
Opcode Fuzzy Hash: 837303a3f65fdb24ce20f6828a1252d011cc18150490fd3c20e1ba2f0978c851
Instruction Fuzzy Hash: DC41E0B0D00249DFDB10CFA9D594ADEBFB5BF48314F60842AE80AAB214DB75A945CB90

Function 02DB5560 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da37d4c4779a3f803ef8d983c1e0f2c5c1b008a053ea792d2645ce1f16c552b1
Instruction ID: 284ec55640c2b6a7038d62f92f026796eebb9148948ed1630c5c7b88ff7b0e0c
Opcode Fuzzy Hash: da37d4c4779a3f803ef8d983c1e0f2c5c1b008a053ea792d2645ce1f16c552b1
Instruction Fuzzy Hash: 4941F0B0D00249DFDB10CFA9D580ADEBFB5BF48314F10802AE80AAB214DB75A945CF90

Function 02DBA341 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f234ddf4481a25bc7f3ae1401b4e26bf3269ec0e337ea4988ae77768f874d4dd
Instruction ID: 309d2439eb496006fb107e65707bafe1b4348702157b5405e8ded73d32685c1e
Opcode Fuzzy Hash: f234ddf4481a25bc7f3ae1401b4e26bf3269ec0e337ea4988ae77768f874d4dd
Instruction Fuzzy Hash: E2216A31A00215CFCB1AEFB4C5646EE77F2EF89204F144528D406AB7A5DF359C4ACBA1

Function 02DBA4D0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34acb14509e828deb2c198810709eba80d77e6a09f77073a789d3d3655a10f3e
Instruction ID: 67aebef6628d04150f5f41fe8f425f8a1d9229ac0d00ac37768642cbd7963c4e
Opcode Fuzzy Hash: 34acb14509e828deb2c198810709eba80d77e6a09f77073a789d3d3655a10f3e
Instruction Fuzzy Hash: 49214971E00215CFDB15DFAAD5506EEB7F5AB88340F108166D84AE7344E7309E42CBA5

Function 02DBB811 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0ba0a4d3abd8cf7c729274f2098e056ecd50ec21ad9274a2dd9c9afa6f9d93c
Instruction ID: 32d287b50c9e633a6a4a422c79cf20115e6472bdc3a52554bc8e0b82745967cf
Opcode Fuzzy Hash: c0ba0a4d3abd8cf7c729274f2098e056ecd50ec21ad9274a2dd9c9afa6f9d93c
Instruction Fuzzy Hash: 8821C330A05215DFCB399B29D4642AE77A6EF88214F5048BAD95BC7384DB329C85CB42

Function 02DBAEB1 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 640e09570c4b7ad7081127b47611407d13da5e916812a3890b2205ad5dbf7424
Instruction ID: 6e6a2654869ff416c2c335dda639734a8ec20428e27f09427f4e8427674b8f9d
Opcode Fuzzy Hash: 640e09570c4b7ad7081127b47611407d13da5e916812a3890b2205ad5dbf7424
Instruction Fuzzy Hash: E3219D70A003459FCB46FB69E46069EBBA2EF85314F108729C1168B35ADB719E4A8F91

Function 02DBAEC0 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741d2e9efb063d037ce1df915783005a88ded231bc1f09deca99a0b4e4d99088
Instruction ID: 6f884bf1c3778b3fce072d9b2cec7cf76958643637f332d080fc470e48415d75
Opcode Fuzzy Hash: 741d2e9efb063d037ce1df915783005a88ded231bc1f09deca99a0b4e4d99088
Instruction Fuzzy Hash: BC217F70A003559FCB06FF35D46069DBBA2EF81310F108769C1168B35ADB719E0A8FD1

Function 02DB2BB8 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c70b00de2a6e16b8e930605fa625e7b868944c4dfcad61bc075aff8fc65c1224
Instruction ID: 91e245b2c510de587599ab268b48ecd5deffa1623cea260e3d486569c9e39c50
Opcode Fuzzy Hash: c70b00de2a6e16b8e930605fa625e7b868944c4dfcad61bc075aff8fc65c1224
Instruction Fuzzy Hash: 1D11E1BA6012028FD70ADF6AE954756FBE6FFC9210749C269D848CB71DE731E801CB50

Function 02DB14F9 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efe39e1e1cc1a76900ce21270f337b4baa8f57d680aa0c66df56e1bdc56e1904
Instruction ID: df9f4d87aabfab91ddb7242090cf70786567a99b02f2a1ea7e813eeab252631c
Opcode Fuzzy Hash: efe39e1e1cc1a76900ce21270f337b4baa8f57d680aa0c66df56e1bdc56e1904
Instruction Fuzzy Hash: 1A11E174B00215CFCB16EFB9D814AAA7BF6EF8864170408B9D40BCB358EA31DD41CB90

Function 02DB1508 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac98ca46dd76ca6fddf8c8e0a9c91934bb957cd97038e3dcf5a2966e07ad220c
Instruction ID: 733de13ae403ce515278c6e866e02e681d0588c70c963d701dfdfe4825c88e1e
Opcode Fuzzy Hash: ac98ca46dd76ca6fddf8c8e0a9c91934bb957cd97038e3dcf5a2966e07ad220c
Instruction Fuzzy Hash: 0511AD70B00219DFCB55EFB9D814A6A7BF6AF8864171008B9D40BCB368EA31DD41CB90

Function 02DB4743 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd6f9be1ef1702572702c1be90132b677fcccd8a6d8f524151d7683fabd7b0a
Instruction ID: 1485f69d1fe092cce2d06be11ea14b1cc5ca636e8915ad43ffc32dd14dc6746d
Opcode Fuzzy Hash: bbd6f9be1ef1702572702c1be90132b677fcccd8a6d8f524151d7683fabd7b0a
Instruction Fuzzy Hash: 6D01AD313002409BCA19AB7999A46AE72E7AFC5254714883CE10ACBB51DF30DC068BA1

Function 02DBA0B0 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72883c49ec3d6b3ffaa11d99ce8da696d9c0b18db0b064d4825a8ac9eba03f26
Instruction ID: 9c2718103c2644d0b430bca6178e051d43a7b6da50550ee5a08e8d8c79fb7392
Opcode Fuzzy Hash: 72883c49ec3d6b3ffaa11d99ce8da696d9c0b18db0b064d4825a8ac9eba03f26
Instruction Fuzzy Hash: D2113DB5800249CFCB20CF9AC584BDEBBF4EB08324F20841AD529A7300C339A944CFA5

Function 02DBA0B8 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32f126a8c0749c8b881d4e4d634cca61e2ea1674a3082e3facf4b833a0c69bcf
Instruction ID: 59b40c4d9f1a5feb1e63bd6bd96f3e722d6dc34c4724c0dd5df174761c39990f
Opcode Fuzzy Hash: 32f126a8c0749c8b881d4e4d634cca61e2ea1674a3082e3facf4b833a0c69bcf
Instruction Fuzzy Hash: 6B111EB5800349CFCB20DF9AC584BDEBBF4EB48324F208459D469A7350C339A944CFA5

Function 02DB1BD8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 879df1673a9bc633defe125ab19b06a33c50ca02af5b2ea74f4180c482440bf9
Instruction ID: ed933c654caf6978c6f3e4c6985d7d502e7993998452869aadcdbef429050b63
Opcode Fuzzy Hash: 879df1673a9bc633defe125ab19b06a33c50ca02af5b2ea74f4180c482440bf9
Instruction Fuzzy Hash: 1B01F934800219CFCB05FFB9D85969CB735EF81304B404224C8875734CEF349905CB96

Function 02DB1BC8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1167cf406241021135db3e66842ef35f038700baeb83aac191b0718cf55d5f00
Instruction ID: 31a7cbc3add71efeceff9b9c3c0e6a0b66cb1a141c5052f6d9cb60fa3ff6fa66
Opcode Fuzzy Hash: 1167cf406241021135db3e66842ef35f038700baeb83aac191b0718cf55d5f00
Instruction Fuzzy Hash: E2F0C235C05256CFC706EFA8D9A52AD7B32AF81308B404625C48AA6388EB34DA49CB56

Function 02DB2E8B Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d471513a56430005b9d51a1caa729075faf2a7a33bfbe04939ca7051603755e
Instruction ID: 61f6fa30d694ea734748b877b4fbc1471175387574f03905062854184ce162dd
Opcode Fuzzy Hash: 5d471513a56430005b9d51a1caa729075faf2a7a33bfbe04939ca7051603755e
Instruction Fuzzy Hash: 6501143515D3C48FD703AB79A924B507F756F43214F0A51DBC4C58B6ABCA29A84A8323

Function 02DB0F48 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29eff460cc5db34ee853cb3bfb9d8fa1c5546ee31a2ea705c39da677cd9afd65
Instruction ID: d9df60770d9f8580d574ee4d3994aa2b319932d73cb48a6311a295fadd96ed48
Opcode Fuzzy Hash: 29eff460cc5db34ee853cb3bfb9d8fa1c5546ee31a2ea705c39da677cd9afd65
Instruction Fuzzy Hash: 14E08C323011045F8344962EF88885AB7EAEBC952431408B9E50DC7325DE65CC014390

Function 02DB9BD0 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899fb74d421a0c3f8ef247462e037fb502d351194e0671d7745a47302708fb3c
Instruction ID: be96a1e70aba2c1fb487da9ba610bfbf38ba69f2b33612e9379600bcd2bec2e6
Opcode Fuzzy Hash: 899fb74d421a0c3f8ef247462e037fb502d351194e0671d7745a47302708fb3c
Instruction Fuzzy Hash: 7BE0C222310010DFC700A7FCA514A9E3796AF8A201B3450AFE008DB765CE20CC054791

Function 02DB2EC7 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d87d596a0283c02146ddf97303088e833da33af9346d914659e005aef03fbab
Instruction ID: 98a20f93947f9283490a90e89fa44fea4abdefebe091f3a929eeca6fe1917a85
Opcode Fuzzy Hash: 9d87d596a0283c02146ddf97303088e833da33af9346d914659e005aef03fbab
Instruction Fuzzy Hash: 98D02B30094344CECB22EF9AE8107C17758D740B04F00637188090654D6F29350543A2

Function 02DBB770 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bcb0750e9f14802e649a716d28afd76376103999732b515042145d4559dbcb5
Instruction ID: e48f381e8084c77329ed0a1d8025e965d325b7923d1ac8b4744ca4ebbe3dc88f
Opcode Fuzzy Hash: 4bcb0750e9f14802e649a716d28afd76376103999732b515042145d4559dbcb5
Instruction Fuzzy Hash: DDD0127094110DEFCB44DFA4F91155DBBB9EB44200F1082ADD409D7340DB719E049B41

Function 02DB2ED8 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e3e5831b6927ec1196491b4d729028635d8fd0be972374d24a263d098b1e04
Instruction ID: 48d387e50cf85170ffafe553528c658d04879c6b0454a085fae673609b6bcc09
Opcode Fuzzy Hash: 22e3e5831b6927ec1196491b4d729028635d8fd0be972374d24a263d098b1e04
Instruction Fuzzy Hash: 9ED012301543484EDE06FB69FD00B95775D9780744F44237581090B69E9F65784A53B7

Function 02DB0B19 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b166244267f5e2ebc50727f2b67c03d1750c3b915cf5caf69887cdac87215cb
Instruction ID: df52234319a4ae71ee31c3c53829cb8bf3b5d416272fe616b0ec584f3330f397
Opcode Fuzzy Hash: 5b166244267f5e2ebc50727f2b67c03d1750c3b915cf5caf69887cdac87215cb
Instruction Fuzzy Hash: 37C08030105148CAD7221B74D52C7693934DF4130FF700055E9C3405499E7D4C85C71F

Function 02DB0B35 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 301d90014b6dfde08ed2442cad284b6f20e98030ffc8e1f9afcce894013cd52f
Instruction ID: 564bfccf1134502d8d469a5be5cca50199e4819b0b427e1ad1ba8b79ed94efb4
Opcode Fuzzy Hash: 301d90014b6dfde08ed2442cad284b6f20e98030ffc8e1f9afcce894013cd52f
Instruction Fuzzy Hash: C3C08030105144CAD3112BB4D51C76939349F4130FF300050EDC3415499E7D4C44C31F

Function 02DB2EB0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d842fbb00dd6994c7ff12fe6c311625e842afcb9dc52035af9e946513f4fdedf
Instruction ID: 6afc80837b5538a9aa6c7f1d53f92f48fdd03e2fa5fd0891858b5c1ecffb6fef
Opcode Fuzzy Hash: d842fbb00dd6994c7ff12fe6c311625e842afcb9dc52035af9e946513f4fdedf
Instruction Fuzzy Hash: EDC09239260208CFC349EF9AE588C12B7ECFF58B013411099E5018B732CB21FC20DB61

Non-executed Functions

Function 02DB7E10 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

$^q, xrefs: 02DB7E26
Xbq, xrefs: 02DB7E3F

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 065cfb9c257e7da2aab195e03b88b494231cae196a63dd67cff8b752d6aff741
Instruction ID: 9b8748190e7da794578df8be085c29dc660d788a4f73098d3b4c98653e3a4834
Opcode Fuzzy Hash: 065cfb9c257e7da2aab195e03b88b494231cae196a63dd67cff8b752d6aff741
Instruction Fuzzy Hash: 34817374B00218CBDB19AF79946467E7BB7BFC8750B148929E447EB388CE35CC029B95

Function 02DB6CF8 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4131734233.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2db0000_G53ADrk4YR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3273e6d3da0ea1197acf7a71ff40f7e41a9eadf286815241983a538357ebd39
Instruction ID: 2bf2b8a267bc7d8c7f2ef58758b009b7a8b591599db2c55f856801a375458f0f
Opcode Fuzzy Hash: a3273e6d3da0ea1197acf7a71ff40f7e41a9eadf286815241983a538357ebd39
Instruction Fuzzy Hash: 999128B1E00209CFDB11CFA9C9A57DDBBF6AF88314F148129E40AA7394EB34D845CB81

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report G53ADrk4YR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: AsyncRAT

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Statistics

Windows Analysis Report
G53ADrk4YR.exe