Edit tour

Windows Analysis Report
Sldl84wxy8.exe

Overview

General Information

Sample name:	Sldl84wxy8.exe renamed because original name is a hash value
Original sample name:	0b459466e3619d2a29bb93ea2dac077a.exe
Analysis ID:	1417125
MD5:	0b459466e3619d2a29bb93ea2dac077a
SHA1:	b55a18a2d13589b81cae82c691d83e7961799d44
SHA256:	a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff
Tags:	32exe
Infos:

Detection

AsyncRAT, VenomRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected AntiVM3

Yara detected AsyncRAT

Yara detected UAC Bypass using CMSTP

Yara detected VenomRAT

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to log keystrokes (.Net Source)

Drops executable to a common third party application directory

Drops large PE files

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Sample uses process hollowing technique

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file does not import any functions

Queries keyboard layouts

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Suspicious Schtasks From Env Var Folder

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

Sldl84wxy8.exe (PID: 6360 cmdline: "C:\Users\user\Desktop\Sldl84wxy8.exe" MD5: 0B459466E3619D2A29BB93EA2DAC077A)

svchost (3).exe (PID: 6728 cmdline: "C:\Users\user\AppData\Local\Temp\svchost (3).exe" MD5: 8CD2675E19A8B1DCCF0DBF082F42AB33)

RegSvcs.exe (PID: 1548 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

RegSvcs.exe (PID: 6064 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

WerFault.exe (PID: 1872 cmdline: C:\Windows\system32\WerFault.exe -u -p 6728 -s 1172 MD5: FD27D9F6D02763BDE32511B5DF7FF7A0)

build.exe (PID: 1036 cmdline: "C:\Users\user\AppData\Local\Temp\build.exe" MD5: 8701FCD188315FA69245FB99E07DF60D)

main.exe (PID: 2036 cmdline: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe MD5: 94F3E2F32CED13FD99CC314BEB587233)

main.exe (PID: 5540 cmdline: "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 94F3E2F32CED13FD99CC314BEB587233)

main.exe (PID: 5180 cmdline: "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 94F3E2F32CED13FD99CC314BEB587233)

start.exe (PID: 5652 cmdline: "C:\Users\user\AppData\Local\Temp\start.exe" MD5: C1ADE258F05C512E98EBC4D9D1165F8A)

cmd.exe (PID: 4584 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 3800 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' MD5: 48C2FE20575769DE916F48EF0676A965)

cmd.exe (PID: 4268 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC5CE.tmp.bat"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 4920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3848 cmdline: timeout 3 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

svchos.exe (PID: 3160 cmdline: "C:\Users\user\AppData\Roaming\svchos.exe" MD5: C1ADE258F05C512E98EBC4D9D1165F8A)

svchos.exe (PID: 6536 cmdline: C:\Users\user\AppData\Roaming\svchos.exe MD5: C1ADE258F05C512E98EBC4D9D1165F8A)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
AsyncRAT	AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through a secure encrypted connection. It is an open source remote administration tool, however, it could also be used maliciously because it provides functionality such as keylogger, remote desktop control, and many other functions that may cause harm to the victims computer. In addition, AsyncRAT can be delivered via various methods such as spear-phishing, malvertising, exploit kit and other techniques.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/asyncrat-onenote-dropper https://aidenmitchell.ca/asyncrat-via-vbs/ https://assets.virustotal.com/reports/2021trends.pdf https://blog.checkpoint.com/research/november-2023s-most-wanted-malware-new-asyncrat-campaign-discovered-while-fakeupdates-re-entered-the-top-ten-after-brief-hiatus/ https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns	https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

Malware Configuration

Threatname: VenomRAT

{"Server": "leetboy.dynuddns.net", "Port": "1339", "Version": "| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "true", "Group": "true"}

Threatname: AsyncRAT

{"Ports": ["1339"], "Server": ["leetboy.dynuddns.net"], "Mutex": "Exodus_Market", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "F0xfEIJ635aPVzJ7TxUSC7Qq0Nvv0T62b4z7CBNsc9ph6RsbFVcdaGd7619j9z8vXELuNb6nAMNzxVh5zw431HAg8uxac4l65Js76iA5ua7oiXIZGJkyHmqqwsGIyAhRfW3MsonOqm07xD5N0vdfHey4r0Vncivg0lzclsA5ofF6Vyle+WewDOLGeL+PH3bGiw9F8dbBeBgH6rdzG7t0OHdgh/32iJ0W9BUzFgjiD7/KZV/QPYXp6Tbh4Mryl4lt9khPn2VmC2eApgyazrOKC5PRUCdNN2J/IPPN3z9F+7nIn/ILSg9vsh5nz/2Zm2/wZ7MqHWvJ9OwxPB1jIs4ojWX4YhQRQkiHSMSC/4aNkvrU+3rMVgLOeieTqhxXnI2G0+wE8pMh5N7fELuZ4oupmAo/Xvbvaaguc2KgGc42OFxAVDJE/pkCg4/wmytoKWH8IEMAd/41qAN22r4qtw95CqhVM6LI6Nqgz3MHHf3fMbkDAbPgOl2z+Hy/gYWl5SMamD6RVWFAC0gDcHpXzFMjzVv5LIuCdaHvFmlDuCUgnezy9oUmMMhEOtOINDtLBS7UoGjYGo2HtI54OJZIDUUHYaD3jIOFaVzq/18l0RKZo8mYWMHwKrdypWpZtd9an1cAHAHb8qmc5Jif/Xajgj4hvCTaGaOOo95NlNeawcWrm1M="}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	Windows_Trojan_DCRat_1aeea1ac	unknown	unknown	0x947b:$b2: DcRat By qwqdanchun1
dump.pcap	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x2a2c7:$x1: AsyncRAT 0x2a305:$x1: AsyncRAT

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\start.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
C:\Users\user\AppData\Local\Temp\start.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Users\user\AppData\Local\Temp\start.exe	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc56e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fdc:$a3: get_ActivatePong 0xc786:$a4: vmware 0xc5fe:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ed7:$a6: get_SslClient
C:\Users\user\AppData\Local\Temp\start.exe	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc600:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
C:\Users\user\AppData\Roaming\svchos.exe	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x209fe:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1e427:$x1: AsyncRAT 0x1e465:$x1: AsyncRAT
0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc400:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000012.00000002.1617321490.0000000002F41000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1e423:$x1: AsyncRAT 0x1e461:$x1: AsyncRAT
0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xd37e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0x10248:$a2: Stub.exe 0x102d8:$a2: Stub.exe 0x9dec:$a3: get_ActivatePong 0xd596:$a4: vmware 0xd40e:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0xace7:$a6: get_SslClient
0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xd410:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0000000A.00000002.1497624420.0000000000866000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x3a1d3:$x1: AsyncRAT 0x3a211:$x1: AsyncRAT
00000012.00000002.1605842437.00000000012F7000.00000004.00000020.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xaf4bb:$x1: AsyncRAT 0xaf4f9:$x1: AsyncRAT
Process Memory Space: svchost (3).exe PID: 6728	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
Process Memory Space: svchost (3).exe PID: 6728	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: svchost (3).exe PID: 6728	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: start.exe PID: 5652	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
Process Memory Space: start.exe PID: 5652	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: start.exe PID: 5652	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0x863e:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x15e69:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM 0x2b0f4:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
Process Memory Space: start.exe PID: 5652	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x81f8:$x1: AsyncRAT 0x822a:$x1: AsyncRAT 0x31500:$x1: AsyncRAT 0x31532:$x1: AsyncRAT 0x15f2f:$s6: VirtualBox 0x2b1ba:$s6: VirtualBox 0x15ee2:$s8: Win32_ComputerSystem 0x2b16d:$s8: Win32_ComputerSystem
Process Memory Space: svchos.exe PID: 6536	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x8569:$x1: AsyncRAT 0x859b:$x1: AsyncRAT 0x23645:$x1: AsyncRAT 0x23677:$x1: AsyncRAT
Click to see the 15 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
2.2.svchost (3).exe.242314dec30.1.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
2.2.svchost (3).exe.242314dec30.1.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb330:$q1: Select * from Win32_CacheMemory 0xb370:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb3be:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb40c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
2.2.svchost (3).exe.242314ee870.0.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
2.2.svchost (3).exe.242314ee870.0.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xb330:$q1: Select * from Win32_CacheMemory 0xb370:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xb3be:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xb40c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
10.0.start.exe.250000.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.0.start.exe.250000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.0.start.exe.250000.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc56e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fdc:$a3: get_ActivatePong 0xc786:$a4: vmware 0xc5fe:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ed7:$a6: get_SslClient
10.0.start.exe.250000.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc600:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.start.exe.2589e10.0.raw.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.2.start.exe.2589e10.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
10.2.start.exe.2589e10.0.raw.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xc56e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xf438:$a2: Stub.exe 0xf4c8:$a2: Stub.exe 0x8fdc:$a3: get_ActivatePong 0xc786:$a4: vmware 0xc5fe:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x9ed7:$a6: get_SslClient
10.2.start.exe.2589e10.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xc600:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
10.2.start.exe.2589e10.0.unpack	JoeSecurity_AsyncRAT	Yara detected AsyncRAT	Joe Security
10.2.start.exe.2589e10.0.unpack	Windows_Trojan_Asyncrat_11a11ba1	unknown	unknown	0xa76e:$a1: /c schtasks /create /f /sc onlogon /rl highest /tn " 0xd638:$a2: Stub.exe 0xd6c8:$a2: Stub.exe 0x71dc:$a3: get_ActivatePong 0xa986:$a4: vmware 0xa7fe:$a5: \nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS 0x80d7:$a6: get_SslClient
10.2.start.exe.2589e10.0.unpack	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse	Detects file containing reversed ASEP Autorun registry keys	ditekSHen	0xa800:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
2.2.svchost (3).exe.242314ee870.0.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
2.2.svchost (3).exe.242314ee870.0.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd130:$q1: Select * from Win32_CacheMemory 0xd170:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1be:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd20c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
2.2.svchost (3).exe.242314dec30.1.raw.unpack	JoeSecurity_VenomRAT	Yara detected VenomRAT	Joe Security
2.2.svchost (3).exe.242314dec30.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice	Detects executables attemping to enumerate video devices using WMI	ditekSHen	0xd130:$q1: Select * from Win32_CacheMemory 0x1cd70:$q1: Select * from Win32_CacheMemory 0xd170:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0x1cdb0:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86} 0xd1be:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0x1cdfe:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86} 0xd20c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851} 0x1ce4c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Click to see the 14 entries

Sigma Signatures

System Summary

Sigma detected: Invoke-Obfuscation CLIP+ Launcher

Source: Process started

Author: Jonathan Cheong, oscd.community: Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\start.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\start.exe, ParentProcessId: 5652, ParentProcessName: start.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit, ProcessId: 4584, ProcessName: cmd.exe

Sigma detected: Invoke-Obfuscation VAR+ Launcher

Source: Process started

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 4584, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' , ProcessId: 3800, ProcessName: schtasks.exe

Snort Signatures

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) - Source IP: 94.156.66.112 - Destination IP: 192.168.2.8

Timestamp:	03/28/24-16:25:04.014274
SID:	2850454
Source Port:	4449
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Generic AsyncRAT Style SSL Cert - Source IP: 185.196.11.223 - Destination IP: 192.168.2.8

Timestamp:	03/28/24-16:25:14.107425
SID:	2035595
Source Port:	1339
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) - Source IP: 185.196.11.223 - Destination IP: 192.168.2.8

Timestamp:	03/28/24-16:25:14.107425
SID:	2030673
Source Port:	1339
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) - Source IP: 94.156.66.112 - Destination IP: 192.168.2.8

Timestamp:	03/28/24-16:25:04.014274
SID:	2848152
Source Port:	4449
Destination Port:	49711
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Sldl84wxy8.exe

Avira: detected

Antivirus detection for URL or domain

Source: leetboy.dynuddns.net

Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\start.exe

Avira: detection malicious, Label: TR/Dropper.Gen

Found malware configuration

Source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: AsyncRAT {"Ports": ["1339"], "Server": ["leetboy.dynuddns.net"], "Mutex": "Exodus_Market", "Certificate": "MIIE8jCCAtqgAwIBAgIQAPeWQ4YJ3MvReCGwLzn7rTANBgkqhkiG9w0BAQ0FADAaMRgwFgYDVQQDDA9Bc3luY1JBVCBTZXJ2ZXIwIBcNMjIwNDI1MDA0MTA5WhgPOTk5OTEyMzEyMzU5NTlaMBoxGDAWBgNVBAMMD0FzeW5jUkFUIFNlcnZlcjCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAKT9nYYTjYTZhY+g1tekZ8/F29gsEIDgf/8odvCbCmYKGGZZi2yND9NjtBXEMANM9PAXCyMapGvapDPbWgjYkLiMw/Vwa3kZRg7kLpXMpzInLQufe7Q587viilcsGDoVXmnf51/SwsKPjSysZUpyayezUlJ1j6aXkZGnasiqJ7iKANdSneQducOn6IwaEuJBmpXKWxhhq8R9JMfiWeOXL/hXoE/wCzwzvU/CrzPXd3uMsLfFMDHZJ+OQ9OXKU/CHZNCgSPs4VSgCgM4eK0YTbu1mLsWSo5th3/ingNFaTyYmGsmLIE2Jq5AR1A+xA+FEdC8zKL1bAwYQcRgIJs7QdedtAIufepPZ9D5HiOiy3ITYVonqwTiiIm20en7UICt+J8iDb4M2Q2iLWA7Yi9PN2cr0Xrs8A4/RL29Qe5Ly2k35i74RiBTiT7Jbl2r7PcYlUGcjTCbdB9PWt3dYaTysuamoq2Zuo2HVRhhoZpwnajS9vNcjuZCYVoQvUQBUnHTeRZrtHXU5JV59ZBlu7flZneMZnbrWXTxob6Bdt8+hrGoSDMWBFcO4jRzhT3hEFUpu4lSFeb9T3Vx4KWkHJhHtMvHuYgDTXERdEcI00sOUbVxgd/62LhGXNNommQKCyiAGj0V5uLD73Fyw8vJpm3jXf3NgNt/CjnlaMc40DJ+HlXE5AgMBAAGjMjAwMB0GA1UdDgQWBBQsT2WvtxGUK29SWs4sHz1xYye0fzAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBDQUAA4ICAQCK5sVfnYyT5MqnCg3uHV2ojf12fIVFCY02Cc7gy3DVoE6/xZCPjr22V/xZunZ7DG1nt0kOJKDwdQYnGoMc5UPh8jbNRoc1ojLOCaluaIYQyl8AGkmUSRA3Ltk0XetDescffrWT/nKuRvIEYU4Ra+B39f8ouGMCa7VXaxnGJ0z0BkUie8KsDLgNmJ7/kVfIYuRxl+YefoCsUTCogqf0fu3DuRHBpUVaSQQOf9YCbvFWH7Nupc3UIwpH5D8kSdpKusEfbRp8nfWN/Fm+lzF3THeHU6vNJ+5UoAWHYFW8wfJCbzQ/0L8QZeOv4uy74oQP2Ed0RdrWCwUL6SSsDPZdDEOy4K4vVYkDTl1nL5tleATguELAEbbT42oLce85z4C7sKvpEfa4DPbU55xBLwvHniILFfjB7VVsrgVckUL/lEf4Y92uJVKvLGruQt/mtKSqIuJjD8T9y7RIsk6g9624egV5UtLtv+36kLKhgIJlqC7Xx/PVwMc2yw8BiQlvxQZgqSd1k7QmV1AhV/3z2wqnYmb09ibTMYaMFjtamFegeFqc4jRLABhVQFEFv8z5E6G9vgKn5mQDWS/JykARBv9o2BjL/PTADfwAtc1b4nWo0l+CI8IjjYXu/mJOuwR+kFJ19INtwbffQvT9U12t4smpcZV+OK0opk4Yr9r1tZYm92ghXA==", "Server Signature": "F0xfEIJ635aPVzJ7TxUSC7Qq0Nvv0T62b4z7CBNsc9ph6RsbFVcdaGd7619j9z8vXELuNb6nAMNzxVh5zw431HAg8uxac4l65Js76iA5ua7oiXIZGJkyHmqqwsGIyAhRfW3MsonOqm07xD5N0vdfHey4r0Vncivg0lzclsA5ofF6Vyle+WewDOLGeL+PH3bGiw9F8dbBeBgH6rdzG7t0OHdgh/32iJ0W9BUzFgjiD7/KZV/QPYXp6Tbh4Mryl4lt9khPn2VmC2eApgyazrOKC5PRUCdNN2J/IPPN3z9F+7nIn/ILSg9vsh5nz/2Zm2/wZ7MqHWvJ9OwxPB1jIs4ojWX4YhQRQkiHSMSC/4aNkvrU+3rMVgLOeieTqhxXnI2G0+wE8pMh5N7fELuZ4oupmAo/Xvbvaaguc2KgGc42OFxAVDJE/pkCg4/wmytoKWH8IEMAd/41qAN22r4qtw95CqhVM6LI6Nqgz3MHHf3fMbkDAbPgOl2z+Hy/gYWl5SMamD6RVWFAC0gDcHpXzFMjzVv5LIuCdaHvFmlDuCUgnezy9oUmMMhEOtOINDtLBS7UoGjYGo2HtI54OJZIDUUHYaD3jIOFaVzq/18l0RKZo8mYWMHwKrdypWpZtd9an1cAHAHb8qmc5Jif/Xajgj4hvCTaGaOOo95NlNeawcWrm1M="}
Source: 0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp	Malware Configuration Extractor: VenomRAT {"Server": "leetboy.dynuddns.net", "Port": "1339", "Version": "\| Edit 3LOSH RAT", "MutexName": "AsyncMutex_6SI8OkPnk", "Autorun": "true", "Group": "true"}

Multi AV Scanner detection for domain / URL

Source: blue.o7lab.me	Virustotal: Detection: 16%	Perma Link
Source: leetboy.dynuddns.net	Virustotal: Detection: 8%	Perma Link
Source: leetboy.dynuddns.net	Virustotal: Detection: 8%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\build.exe

Virustotal: Detection: 14%

Perma Link

Multi AV Scanner detection for submitted file

Source: Sldl84wxy8.exe	ReversingLabs: Detection: 57%
Source: Sldl84wxy8.exe	Virustotal: Detection: 39%			Perma Link

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\start.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Sldl84wxy8.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR

Source: Sldl84wxy8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt			Jump to behavior

Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\App3FAAL98\obj\Release\App3FAAL98.pdb source: svchost (3).exe, 00000002.00000000.1411851058.000002422F752000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.6.dr
Source:	Binary string: `OTHER`TEMP`PACKED<%s return value>internal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.6.dr
Source:	Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.6.dr

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2850454 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT) 94.156.66.112:4449 -> 192.168.2.8:49711
Source: Traffic	Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 94.156.66.112:4449 -> 192.168.2.8:49711
Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 185.196.11.223:1339 -> 192.168.2.8:49716
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 185.196.11.223:1339 -> 192.168.2.8:49716

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: leetboy.dynuddns.net

Uses dynamic DNS services

Source: unknown

DNS query: name: leetboy.dynuddns.net

Yara detected Generic Downloader

Source: Yara match	File source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED

Source: global traffic	TCP traffic: 192.168.2.8:49711 -> 94.156.66.112:4449
Source: global traffic	TCP traffic: 192.168.2.8:49716 -> 185.196.11.223:1339

Source: Joe Sandbox View	ASN Name: TERASYST-ASBG TERASYST-ASBG
Source: Joe Sandbox View	ASN Name: SIMPLECARRIERCH SIMPLECARRIERCH

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: unknown

DNS traffic detected: queries for: blue.o7lab.me

Source: build.exe, 00000006.00000000.1434954851.000000000040A000.00000008.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: start.exe, 0000000A.00000002.1498443006.000000000257E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: icudtl.dat0.6.dr	String found in binary or memory: http://www.unicode.org/copyright.html
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://alekberg.net/privacy
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://alekberg.net/privacyalekberg.net
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://chrome.cloudflare-dns.com/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore/category/extensions
Source: et.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u
Source: et.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=etOtsetee
Source: hi.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hi
Source: hi.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u
Source: hr.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u
Source: hr.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=hrPre
Source: ml.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ml
Source: ml.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u
Source: te.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=te
Source: te.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u
Source: th.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=th
Source: th.pak.6.dr	String found in binary or memory: https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://chromium.dns.nextdns.io
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://cleanbrowsing.org/privacy
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://cleanbrowsing.org/privacyCleanBrowsing
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://developers.google.com/speed/public-dns/privacy
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://developers.google.com/speed/public-dns/privacyGoogle
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns.google/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns.quad9.net/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns.sb/privacy/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns10.quad9.net/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns11.quad9.net/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dns64.dns.google/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://dnsnl.alekberg.net/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh-01.spectrum.com/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh-02.spectrum.com/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.cleanbrowsing.org/doh/adult-filter
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.cleanbrowsing.org/doh/family-filter
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.cleanbrowsing.org/doh/security-filter
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.cox.net/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.dns.sb/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.familyshield.opendns.com/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.opendns.com/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.quickline.ch/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://doh.xfinity.com/dns-query
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://myactivity.google.com/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://nextdns.io/privacy
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://odvr.nic.cz/doh
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1
Source: th.pak.6.dr	String found in binary or memory: https://passwords.google.com
Source: et.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://passwords.google.comGoogle
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://perfetto.dev/docs/contributing/getting-started#community).No
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://photos.google.com/settings?referrer=CHROME_NTP
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://policies.google.com/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://public.dns.iij.jp/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://public.dns.iij.jp/IIJ
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://public.dns.iij.jp/dns-query
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://support.google.com/chrome/a/?p=block_warn
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://support.google.com/chromebook?p=app_intent
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.cisco.com/c/en/us/about/legal/privacy-full.html
Source: th.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.html
Source: et.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlHaldab
Source: hr.pak.6.dr	String found in binary or memory: https://www.google.com/chrome/privacy/eula_text.htmlPod
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.nic.cz/odvr/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.nic.cz/odvr/CZ.NIC
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.quad9.net/home/privacy/
Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	String found in binary or memory: https://www.quad9.net/home/privacy/Quad9

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected AsyncRAT

Source: Yara match	File source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR

Contains functionality to log keystrokes (.Net Source)

Source: start.exe.1.dr, LimeLogger.cs	.Net Code: KeyboardLayout
Source: svchos.exe.10.dr, LimeLogger.cs	.Net Code: KeyboardLayout
Source: 10.2.start.exe.2589e10.0.raw.unpack, LimeLogger.cs	.Net Code: KeyboardLayout

System Summary

Malicious sample detected (through community Yara rule)

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000012.00000002.1617321490.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000A.00000002.1497624420.0000000000866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000012.00000002.1605842437.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchos.exe PID: 6536, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Drops large PE files

Source: C:\Users\user\AppData\Local\Temp\build.exe	File dump: main.exe.6.dr 162036224			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File dump: main.exe0.6.dr 162036224			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13E3E1	2_2_00007FFB4B13E3E1
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B1402C0	2_2_00007FFB4B1402C0
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13DF59	2_2_00007FFB4B13DF59
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B140F69	2_2_00007FFB4B140F69
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13B630	2_2_00007FFB4B13B630

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll F11576BF7FFBC3669D1A5364378F35A1ED0811B7831528B6C4C55B0CDC7DC014

Source: C:\Users\user\AppData\Local\Temp\build.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6728 -s 1172

Source: main.exe.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: main.exe0.6.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: ffmpeg.dll0.6.dr	Static PE information: Number of sections : 11 > 10
Source: libEGL.dll.6.dr	Static PE information: Number of sections : 12 > 10
Source: main.exe.6.dr	Static PE information: Number of sections : 16 > 10
Source: vulkan-1.dll.6.dr	Static PE information: Number of sections : 12 > 10
Source: vk_swiftshader.dll.6.dr	Static PE information: Number of sections : 12 > 10
Source: vk_swiftshader.dll0.6.dr	Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll.6.dr	Static PE information: Number of sections : 12 > 10
Source: libGLESv2.dll0.6.dr	Static PE information: Number of sections : 12 > 10
Source: main.exe0.6.dr	Static PE information: Number of sections : 16 > 10
Source: ffmpeg.dll.6.dr	Static PE information: Number of sections : 11 > 10
Source: libEGL.dll0.6.dr	Static PE information: Number of sections : 12 > 10

Source: svchost (3).exe.1.dr

Static PE information: No import functions for PE file found

Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: windows.fileexplorer.common.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\start.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\svchos.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: kbdus.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mf.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: msmpeg2vdec.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dxva2.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: msvproc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uiautomationcore.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dbghelp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Section loaded: kbdus.dll

Source: Sldl84wxy8.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: dump.pcap, type: PCAP	Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000A.00000002.1498443006.0000000002451000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000012.00000002.1617321490.0000000002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000A.00000002.1497624420.0000000000866000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000012.00000002.1605842437.00000000012F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchos.exe PID: 6536, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED	Matched rule: Windows_Trojan_Asyncrat_11a11ba1 reference_sample = fe09cd1d13b87c5e970d3cbc1ebc02b1523c0a939f961fc02c1395707af1c6d1, os = windows, severity = x86, creation_date = 2021-08-05, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Asyncrat, fingerprint = 715ede969076cd413cebdfcf0cdda44e3a6feb5343558f18e656f740883b41b8, id = 11a11ba1-c178-4415-9c09-45030b500f50, last_modified = 2021-10-04
Source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: svchost (3).exe.1.dr, -.cs

Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Source: start.exe.1.dr, Settings.cs	Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, Settings.cs	Base64 encoded string: 'VKknqP2uQzIaH21FCGVT22qaq4aykyWqrWmfPPRowcIoKM0VBcK0ElEggzsiV4WZbe8GPoiu2v55WByoWguhaw==', 'OlD/Av25kQgaR0LowKra910vmBCOykjmKOrRWqcwEFBCzpHZIQ1WVz4sPYbW6bjjmRDvJWPKIu4KcLNlS/WSMw==', 'SM2jUAZc85tLJuT7EZAsiJrhD1HmZ7MYFcRcPqX65o4ir8vBq2hDGCDkCDZkEqEmSiTg2MwjoHEht8jimP6j1kbvPmIsWd6TJBN+YE9SCyR3acALwLEqo147FqJR+8j1', 'JlRBim19qDl/Q0aZZ+CObUabIIAU5WdKxaFJIvwRZBWUV5CBMLqw+T34MFz8Jm6Glsw3BaakHOK1NkVvtF5lalfO0HfXDHcCsdmEyC7xaz6vO6FC+sCGBqs6G6yeqahDeFeJagX7rPF+Td6aAUmmiA0Cvksb8p1/3vEGoRverOtamg/5cdaz1xDqqIQPkxHNFsAfC3gOE3P3jHVwNg00ljS79moJTKEdS88cgGM6UKMkOFT0Ywrutwkxffd5BUqdjo7EUSJhoAmfxR//JZdqX+WhYlv7sWn3+dcMI6wHeqeBpwSuDpnBWrIZ3vjYYJZKT6ls3JHsiPelePB/LCWF8SoWpbDXmNZ3a0PPAvmGf0Jy3Tc+jsOTWMuggXoe+YtAoxcYeYzwwzjV162svGOVmuklO9Jhhr/xYi8RT8nV7RREaH8KquSefOvi+IpCj9s4T6j4AROBjXD/BMTNv6Cvac5vSdUBtXXIqmVw9qHoQtAlncnBKV9jlSR9zxknFZV2wpWykh9S4sFyWhYS7F7QzO2JTQxdhYF8frOWZZ7KJjWG+xmu7z6tdqQK7RpG0jwU058sE9M7Yep0U7KCsQ+/n46mvg87oWJQZBHZJBQuXtMJfGwO1YBPrF42xRsRAP3ayZnswpS8ZFZuWG9KxdZCJdYvHZlvqxDhxz6tOFAHq0OwGS/7FMR+7OcUHsLWPE2DGsO3bic3p6rwsHeOgxmPvMN2zwPwsCq10tkC5/KNTIVF5dimKSYe1r/hgIu2nf5HbJXgpMSzM+oLPVoYNvL9GsbPxtGCX4SU5Kxz2NYh9DYW/SVT45cuUzSPvkrzaRyWEcmqDxa0HYuyxJbkx7xB/HjX+yoGMiDTCDWD1KW+s6kVgXBRCf5001ePSzwE8R7KXUeE9VjqPRJF3Sfhx2N5iwd+opKsaVNT5hmgVDrJQ6ttgEgjYWaOCeL5DDqSDbY5j0RKLKnvGTBsJeiVG1Z4wAKrrn0UItgAIWsEQLAPcFCto+qM3V2e8fo4CjLXhMeJ2NiKnQ5U6cuXfhtCXNNJRpthHgN++nnBq4piyCZgIVMghHx41hP7EmZkLOth1D57', 'rJPxL9vFkgvrk7uGjmsZnwsb3uy8wQZ3W0bi9pseNOuyD5H7w41BaTGBDhoyt0UjVxaOeKIcf3c2ET98uLueNutxuwRF4DVuPHlUx3vAE/qvE69De+gUO6jNl7p5U/jtptYi3cgkenSyC0bfhix2MJfti3CCkViQDFbFHzbygcry7qagvHj+6wyv5ddIMQceBloyGCeit9skMad5A43xyDcnkilTBWXScYJBu7ix8ATzCrleWCcB/laQcAAIYrrzwOLD/SS/zD7q5nKjYd9zNo/LgIe+w5YH2zAKLUYC7Gc=', 'I45wSdXk1ODcSDzAfQhQ8aLF6LOGzi7up5xl1/1+tYwHa8Myr3cj/dTtAgmLIstDy9ktUeMgF7IJ7kLqfNoP8w==', 'kV73KGdlwoFqOWOcSRa1d/jO8D3Smg7SiDeemQxekzTSfio1vyjkvdVXEoC46pn8vu+HiUGZCEQVWA/R/Zc5ag==', '/S3RtOfinLqIYuA7pLVyRI6hCkZE2bISPtlJBWTzYEGDtcW6iNXZ3+aKL6jJUf5sJ2yxwdNNb6uNo/E4iVQ86w=='
Source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, Settings.cs	Base64 encoded string: 'VKknqP2uQzIaH21FCGVT22qaq4aykyWqrWmfPPRowcIoKM0VBcK0ElEggzsiV4WZbe8GPoiu2v55WByoWguhaw==', 'OlD/Av25kQgaR0LowKra910vmBCOykjmKOrRWqcwEFBCzpHZIQ1WVz4sPYbW6bjjmRDvJWPKIu4KcLNlS/WSMw==', 'SM2jUAZc85tLJuT7EZAsiJrhD1HmZ7MYFcRcPqX65o4ir8vBq2hDGCDkCDZkEqEmSiTg2MwjoHEht8jimP6j1kbvPmIsWd6TJBN+YE9SCyR3acALwLEqo147FqJR+8j1', 'JlRBim19qDl/Q0aZZ+CObUabIIAU5WdKxaFJIvwRZBWUV5CBMLqw+T34MFz8Jm6Glsw3BaakHOK1NkVvtF5lalfO0HfXDHcCsdmEyC7xaz6vO6FC+sCGBqs6G6yeqahDeFeJagX7rPF+Td6aAUmmiA0Cvksb8p1/3vEGoRverOtamg/5cdaz1xDqqIQPkxHNFsAfC3gOE3P3jHVwNg00ljS79moJTKEdS88cgGM6UKMkOFT0Ywrutwkxffd5BUqdjo7EUSJhoAmfxR//JZdqX+WhYlv7sWn3+dcMI6wHeqeBpwSuDpnBWrIZ3vjYYJZKT6ls3JHsiPelePB/LCWF8SoWpbDXmNZ3a0PPAvmGf0Jy3Tc+jsOTWMuggXoe+YtAoxcYeYzwwzjV162svGOVmuklO9Jhhr/xYi8RT8nV7RREaH8KquSefOvi+IpCj9s4T6j4AROBjXD/BMTNv6Cvac5vSdUBtXXIqmVw9qHoQtAlncnBKV9jlSR9zxknFZV2wpWykh9S4sFyWhYS7F7QzO2JTQxdhYF8frOWZZ7KJjWG+xmu7z6tdqQK7RpG0jwU058sE9M7Yep0U7KCsQ+/n46mvg87oWJQZBHZJBQuXtMJfGwO1YBPrF42xRsRAP3ayZnswpS8ZFZuWG9KxdZCJdYvHZlvqxDhxz6tOFAHq0OwGS/7FMR+7OcUHsLWPE2DGsO3bic3p6rwsHeOgxmPvMN2zwPwsCq10tkC5/KNTIVF5dimKSYe1r/hgIu2nf5HbJXgpMSzM+oLPVoYNvL9GsbPxtGCX4SU5Kxz2NYh9DYW/SVT45cuUzSPvkrzaRyWEcmqDxa0HYuyxJbkx7xB/HjX+yoGMiDTCDWD1KW+s6kVgXBRCf5001ePSzwE8R7KXUeE9VjqPRJF3Sfhx2N5iwd+opKsaVNT5hmgVDrJQ6ttgEgjYWaOCeL5DDqSDbY5j0RKLKnvGTBsJeiVG1Z4wAKrrn0UItgAIWsEQLAPcFCto+qM3V2e8fo4CjLXhMeJ2NiKnQ5U6cuXfhtCXNNJRpthHgN++nnBq4piyCZgIVMghHx41hP7EmZkLOth1D57', 'rJPxL9vFkgvrk7uGjmsZnwsb3uy8wQZ3W0bi9pseNOuyD5H7w41BaTGBDhoyt0UjVxaOeKIcf3c2ET98uLueNutxuwRF4DVuPHlUx3vAE/qvE69De+gUO6jNl7p5U/jtptYi3cgkenSyC0bfhix2MJfti3CCkViQDFbFHzbygcry7qagvHj+6wyv5ddIMQceBloyGCeit9skMad5A43xyDcnkilTBWXScYJBu7ix8ATzCrleWCcB/laQcAAIYrrzwOLD/SS/zD7q5nKjYd9zNo/LgIe+w5YH2zAKLUYC7Gc=', 'I45wSdXk1ODcSDzAfQhQ8aLF6LOGzi7up5xl1/1+tYwHa8Myr3cj/dTtAgmLIstDy9ktUeMgF7IJ7kLqfNoP8w==', 'kV73KGdlwoFqOWOcSRa1d/jO8D3Smg7SiDeemQxekzTSfio1vyjkvdVXEoC46pn8vu+HiUGZCEQVWA/R/Zc5ag==', '/S3RtOfinLqIYuA7pLVyRI6hCkZE2bISPtlJBWTzYEGDtcW6iNXZ3+aKL6jJUf5sJ2yxwdNNb6uNo/E4iVQ86w=='
Source: svchos.exe.10.dr, Settings.cs	Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='
Source: 10.2.start.exe.2589e10.0.raw.unpack, Settings.cs	Base64 encoded string: 'lBEW3RL3+jC7Y11fUmp229gPLDajXXwBna2G0XdxWmPaTNJ+wHxPHL4OLN3cL9gLPnD7tREj0IJYIGcPZg2Shw==', 'XthVhjEtlSYvTsMZQUgqztHFapykAIgUgUue102gtp4XFA3BPLaa3mgUoIr415m95px9jJpeRVpG5+ktCbRqgFTGwyZpUEmZLtiNAUxKSu4=', 'VJ5+m/RSOw2NXS5Yl0e1a7Hv21Ta5WkuE1euKHWcmw0N8151szE+hS+BNq7itkjUaJ7MR4/T7WaLFNrqeTUuKJROepkpb2aVM2wBDVbENFw=', 'N0xsrHU+PUP7j3kba/dXrZyKa3niCxiLj4vIHm9vEVjJJe9fwLgfTF0CB270i7kDFfENjmuaEwfk08tLoH4/vw==', 'sKV4qQSBUsaQMVjiGgAoozqOBwX75CNuskQUqLNmnM22n8vmIJ6nmTaZvY24mLlFfZc0D+lyDYH2Ho9P7U1+/GqD2esQRBqjSwUhroozsY8=', 'Jbamd/wBQkzxiJ8JZLbJpxlBkxbjcTRzFvvGaLNAtvBVksBrlMQfaWdYQjRiHAzZ8O7GvJJ76VAoXEBDq3CJV44Y3SHt4N8Jfe1oF9QfPusy0F+VwafyCTbwJfkECf2Jh9S2n7uWYPVMvQ7KzBoqbp2fW1SetT7IUu4J0J/KK+vliTpATvFrYbfVCRa9n/JDrcpv0mLG49GgtIGKTh8tKl8yZbhS5cQ5wQ+lx6NHclPkyP8Ilq3McxR7t88Q7by5skJ34GGnCgPMjQloibM3+7fm44QtxjTO088njXf5z4AzrUCyNUcnyKfm3PjoePtOcQoaBP2qCuDAKoOEg9E2qB4fyiBlDkpzBTe1iJ+d1fkhV14EtaRN4RVBtknoOYH0wJdOSpOYjgyGBFw2USlZ6X7q14WKjE9eXEeRveK1XdtuwKEiL5UkRrTkXsj0cdapCqbZ2zPwfbQ3xqHSk12R13uCosWhs7Rnn/W68cJplN9ORZ6Po8CtHmiytqsRrUj/YywaGAdGBCA0Jfqmg2pWIwdbV8nBgRePg3UAZc8e4/gutrTunWbp2tRdFxbUCLyHfaVV7++7uOGjbutwuQWidFSIzDzPBI4CmTph/Jaq1X4RamXuuAW7sGy1iWACwyVjG1UYYR4gPLwUBgcYfNAnbaxHrVfVeleE9h7lEeB4ypMQ8suf8Zd9IEqW/ei0v2baLgi4bp6GTUt1y9sZsigmV1NS1oKjoCGccTwEOTn7h0KutO7Qpw5IaYHBWe+tO7r/WpA7wfrDV3BhNTqAALqt65VMrKf4406JkZlltV/gdONbiBu7YSghVwCvAaf1GBXzODMgMrdn1fSz5H9NBbjSn3z59KVEAf7AKRSXCFaOEPsYVjVmRNsfjTbF5r4nYZJXdSB+OhrStR2qlwhnZNwK5YjduMPmygUwcBSm5HLW7GSUsppELfUoJdNkr01A8lcNzHt4McjS3AE9eBkEVHeuUg=='

Source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchos.exe.10.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchos.exe.10.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: start.exe.1.dr, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: start.exe.1.dr, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.2.start.exe.2589e10.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.start.exe.2589e10.0.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, Methods.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@32/108@6/5

Source: C:\Users\user\AppData\Local\Temp\start.exe

File created: C:\Users\user\AppData\Roaming\svchos.exe

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Mutant created: NULL
Source: C:\Users\user\AppData\Roaming\svchos.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_03
Source: C:\Windows\System32\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6728
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Venom_RAT_HVNC_Mutex_Venom RAT_HVNC
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4920:120:WilError_03

Source: C:\Users\user\Desktop\Sldl84wxy8.exe

File created: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\start.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC5CE.tmp.bat""

Source: Sldl84wxy8.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Sldl84wxy8.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Sldl84wxy8.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

File read: C:\Windows\System32\drivers\etc\hosts

Source: Sldl84wxy8.exe	ReversingLabs: Detection: 57%
Source: Sldl84wxy8.exe	Virustotal: Detection: 39%

Source: unknown	Process created: C:\Users\user\Desktop\Sldl84wxy8.exe "C:\Users\user\Desktop\Sldl84wxy8.exe"
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user\AppData\Local\Temp\svchost (3).exe"
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 6728 -s 1172
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user\AppData\Local\Temp\start.exe"
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC5CE.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchos.exe C:\Users\user\AppData\Roaming\svchos.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user\AppData\Local\Temp\svchost (3).exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user\AppData\Local\Temp\start.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC5CE.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

Source: C:\Users\user\Desktop\Sldl84wxy8.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Sldl84wxy8.exe

Static file information: File size 66234368 > 1048576

Source: Sldl84wxy8.exe

Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x3f29800

Source:	Binary string: C:\Windows\Containers\Confidential\DotnetGenerator\Stub\Projects\App3FAAL98\obj\Release\App3FAAL98.pdb source: svchost (3).exe, 00000002.00000000.1411851058.000002422F752000.00000002.00000001.01000000.00000005.sdmp
Source:	Binary string: D3DCompiler_47.pdb source: d3dcompiler_47.dll.6.dr
Source:	Binary string: `OTHER`TEMP`PACKED<%s return value>internal error: failed to write debug data to pdb streaminternal error: failed to add section contributioninternal warning: PDB Error string is "%S"internal error: failed to close debug infointernal error: failed to close PDBinternal error: failed to open PDB for writing in streaminternal error: failed to create debug info in PDBinternal error: failed to add code section to debug infointernal error: failed to add module to debug infointernal error: failed to create type info in PDBinternal error: failed to create inline type info in PDBinternal error: failed to create source file store in PDBinternal error: failed to close source file store in PDBinternal error: failed to close module in debug infointernal error: failed to commit type info in PDBinternal error: failed to commit inline type info in PDBinternal error: failed to add section header to debug infointernal error: failed to append section header to pdbinternal error: failed to close section header in debug infointernal error: failed to close debug info in PDBinternal error: failed to commit PDBinternal error: PDB data too largeinternal error: PDB stream truncatedinternal error: failed to close source file storeinternal error: failed to close type infointernal error: pdb append failedfxl_4_0too many arguments to target TXtoo many outputs to target TXclip not supported in texture shadersinvalid reference to input semantic '%s%d'invalid reference to output semantic '%s%d'0123456789abcdef.pdbVPosSV_ViewportArrayIndexColorFailed to log error, redirecting to debug output: source: d3dcompiler_47.dll.6.dr
Source:	Binary string: D3DCompiler_47.pdbGCTL source: d3dcompiler_47.dll.6.dr

Data Obfuscation

.NET source code contains potential unpacker

Source: start.exe.1.dr, Packet.cs	.Net Code: Plugins System.AppDomain.Load(byte[])
Source: svchos.exe.10.dr, Packet.cs	.Net Code: Plugins System.AppDomain.Load(byte[])
Source: 10.2.start.exe.2589e10.0.raw.unpack, Packet.cs	.Net Code: Plugins System.AppDomain.Load(byte[])

Source: svchost (3).exe.1.dr

Static PE information: 0xC7E7BF4F [Sat Apr 11 18:02:55 2076 UTC]

Source: main.exe.6.dr	Static PE information: section name: .00cfg
Source: main.exe.6.dr	Static PE information: section name: .gxfg
Source: main.exe.6.dr	Static PE information: section name: .retplne
Source: main.exe.6.dr	Static PE information: section name: .rodata
Source: main.exe.6.dr	Static PE information: section name: .voltbl
Source: main.exe.6.dr	Static PE information: section name: CPADinfo
Source: main.exe.6.dr	Static PE information: section name: LZMADEC
Source: main.exe.6.dr	Static PE information: section name: _RDATA
Source: main.exe.6.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll.6.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.6.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.6.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.6.dr	Static PE information: section name: .voltbl
Source: vk_swiftshader.dll.6.dr	Static PE information: section name: _RDATA
Source: ffmpeg.dll.6.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.6.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.6.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.6.dr	Static PE information: section name: .voltbl
Source: ffmpeg.dll.6.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.6.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.6.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.6.dr	Static PE information: section name: .retplne
Source: libEGL.dll.6.dr	Static PE information: section name: .voltbl
Source: libEGL.dll.6.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll.6.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.6.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.6.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.6.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll.6.dr	Static PE information: section name: _RDATA
Source: main.exe0.6.dr	Static PE information: section name: .00cfg
Source: main.exe0.6.dr	Static PE information: section name: .gxfg
Source: main.exe0.6.dr	Static PE information: section name: .retplne
Source: main.exe0.6.dr	Static PE information: section name: .rodata
Source: main.exe0.6.dr	Static PE information: section name: .voltbl
Source: main.exe0.6.dr	Static PE information: section name: CPADinfo
Source: main.exe0.6.dr	Static PE information: section name: LZMADEC
Source: main.exe0.6.dr	Static PE information: section name: _RDATA
Source: main.exe0.6.dr	Static PE information: section name: malloc_h
Source: vk_swiftshader.dll0.6.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll0.6.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll0.6.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll0.6.dr	Static PE information: section name: .voltbl
Source: vk_swiftshader.dll0.6.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.6.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.6.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.6.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.6.dr	Static PE information: section name: .voltbl
Source: vulkan-1.dll.6.dr	Static PE information: section name: _RDATA
Source: ffmpeg.dll0.6.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll0.6.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll0.6.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll0.6.dr	Static PE information: section name: .voltbl
Source: ffmpeg.dll0.6.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.6.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.6.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.6.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.6.dr	Static PE information: section name: .voltbl
Source: libEGL.dll0.6.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.6.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.6.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.6.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.6.dr	Static PE information: section name: .voltbl
Source: libGLESv2.dll0.6.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13B7D0 push eax; retf	2_2_00007FFB4B13B849
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B134FA8 push eax; iretd	2_2_00007FFB4B134FFD
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B132FE0 push eax; iretd	2_2_00007FFB4B134FFD
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13D078 pushad ; iretd	2_2_00007FFB4B13D079
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13CEBA push eax; retf	2_2_00007FFB4B13CED9
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13CDAC push eax; retn 0008h	2_2_00007FFB4B13CDE4
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13CDEC push eax; retn 0008h	2_2_00007FFB4B13CDE4
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B13C56C push eax; retf 0008h	2_2_00007FFB4B13C5A4
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Code function: 2_2_00007FFB4B23026B push esp; retf 4810h	2_2_00007FFB4B230312

Persistence and Installation Behavior

Drops executable to a common third party application directory

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe

File written: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe

Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	File created: C:\Users\user\AppData\Local\Temp\start.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\main.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\start.exe	File created: C:\Users\user\AppData\Roaming\svchos.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\ffmpeg.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\UserData\Updater.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	File created: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	File created: C:\Users\user\AppData\Local\Temp\build.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt			Jump to behavior

Boot Survival

Yara detected AsyncRAT

Source: Yara match	File source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'

Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR

Yara detected AsyncRAT

Source: Yara match	File source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, start.exe, 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, start.exe, 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory allocated: 2422FA80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory allocated: 24249430000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Memory allocated: 2240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\start.exe	Memory allocated: 2450000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\start.exe	Memory allocated: 2280000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 1530000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 2F40000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 2D80000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 16C0000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 3160000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Roaming\svchos.exe	Memory allocated: 1720000 memory reserve \| memory write watch

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 908	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 8901	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchos.exe	Window / User API: threadDelayed 9664

Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\resources\elevate.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libEGL.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\vulkan-1.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\vk_swiftshader.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\d3dcompiler_47.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\nsis7z.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\build.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\start.exe TID: 3116	Thread sleep count: 50 > 30
Source: C:\Users\user\AppData\Local\Temp\start.exe TID: 3284	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 3364	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 1308	Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 1308	Thread sleep time: -35971150943733603s >= -30000s
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 4940	Thread sleep count: 9664 > 30
Source: C:\Users\user\AppData\Roaming\svchos.exe TID: 4940	Thread sleep count: 162 > 30

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\build.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\svchos.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	File opened: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\resources

Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: start.exe, 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: start.exe, 0000000A.00000002.1497624420.0000000000866000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}=
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: start.exe, 0000000A.00000002.1497624420.00000000008C7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 06e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_C
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II

Source: C:\Users\user\AppData\Local\Temp\start.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\start.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\svchos.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: svchost (3).exe.1.dr, ----.cs	Reference to suspicious API methods: _FD4F.GetProcAddress(: _FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0610\ufdd0").Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0600\ufdfe\u06e0\ufd4f"), ""), _FDDE_FDE3_FDE8_060D_0652: _FD4F.LoadLibrary(text.Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7(""), "")))
Source: svchost (3).exe.1.dr, ----.cs	Reference to suspicious API methods: _FD4F.GetProcAddress(: _FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0610\ufdd0").Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7("\u0600\ufdfe\u06e0\ufd4f"), ""), _FDDE_FDE3_FDE8_060D_0652: _FD4F.LoadLibrary(text.Replace(_FDEC_060C_FDDA_FD48_0617_061E._FDD6_FD45_FBB9_064E_FDEA_0654_06D7(""), "")))
Source: svchost (3).exe.1.dr, -.cs	Reference to suspicious API methods: ((_066C_FBBC_060F_FDDE_06D9_060E)Marshal.GetDelegateForFunctionPointer(GetProcAddress(LoadLibrary("kernel32.dll"), "VirtualProtect"), typeof(_066C_FBBC_060F_FDDE_06D9_060E)))(_FD47_0607_06EB, _FDCF_06DE_065E, _FBBB_FD49_FDE6_FBCB_FBBB_FDD4_061D_FDD5_0613_06D7_FBC1, out _FBB5_FD48_065B_0658_FDCD_FDDD)
Source: start.exe.1.dr, LimeLogger.cs	Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, DInvokeCore.cs	Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
Source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, AntiProcess.cs	Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId)

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Section unmapped: unknown base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 412000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 414000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 7D4008	Jump to behavior

Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\svchost (3).exe "C:\Users\user\AppData\Local\Temp\svchost (3).exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\build.exe "C:\Users\user\AppData\Local\Temp\build.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Sldl84wxy8.exe	Process created: C:\Users\user\AppData\Local\Temp\start.exe "C:\Users\user\AppData\Local\Temp\start.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"' & exit
Source: C:\Users\user\AppData\Local\Temp\start.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpC5CE.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchos" /tr '"C:\Users\user\AppData\Roaming\svchos.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchos.exe "C:\Users\user\AppData\Roaming\svchos.exe"
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8

Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\main" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="c:\users\user\appdata\roaming\main" --gpu-preferences=uaaaaaaaaadgaaayaaaaaaaaaaaaaaaaaabgaaaaaaawaaaaaaaaaaaaaaaqaaaaaaaaaaaaaaaaaaaaaaaaaegaaaaaaaaasaaaaaaaaaayaaaaagaaabaaaaaaaaaagaaaaaaaaaaqaaaaaaaaaaaaaaaoaaaaeaaaaaaaaaabaaaadgaaaagaaaaaaaaacaaaaaaaaaa= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:2
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Process created: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe "c:\users\user\appdata\local\temp\2ehfvuyszqzzl8quac9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.networkservice --lang=en-gb --service-sandbox-type=none --user-data-dir="c:\users\user\appdata\roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=sparerendererforsiteperprocess,winretrievesuggestionsonlyondemand /prefetch:8

Source: main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp

Binary or memory string: ..\..\electron\shell\browser\ui\views\electron_views_delegate_win.ccGetAppbarAutohideEdgesShell_TrayWnd

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Queries volume information: C:\Users\user\AppData\Local\Temp\svchost (3).exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\start.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\start.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\start.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchos.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchos.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\svchos.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Queries volume information: C:\Users\user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Queries volume information: C:\Windows\System32\drivers\etc\hosts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	Queries volume information: C:\Windows\System32\spool\drivers\color\sRGB Color Space Profile.icm VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\svchost (3).exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Yara detected AsyncRAT

Source: Yara match	File source: 10.0.start.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.start.exe.2589e10.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000000.1435545811.0000000000252000.00000002.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.1498443006.0000000002589000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: start.exe PID: 5652, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\start.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchos.exe, type: DROPPED

Yara detected VenomRAT

Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314ee870.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost (3).exe.242314dec30.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: svchost (3).exe PID: 6728, type: MEMORYSTR

Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSASCui.exe
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: procexp.exe
Source: svchost (3).exe, 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\AppData\Roaming\svchos.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	1 Disable or Modify Tools	1 Input Capture	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	412 Process Injection	1 Deobfuscate/Decode Files or Information	LSASS Memory	23 System Information Discovery	Remote Desktop Protocol	1 Input Capture	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	3 Scheduled Task/Job	3 Scheduled Task/Job	211 Obfuscated Files or Information	Security Account Manager	231 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Command and Scripting Interpreter	Login Hook	Login Hook	1 Software Packing	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	22 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	3 Scheduled Task/Job	Network Logon Script	Network Logon Script	1 Timestomp	LSA Secrets	41 Virtualization/Sandbox Evasion	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Masquerading	DCSync	1 Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	41 Virtualization/Sandbox Evasion	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	412 Process Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Sldl84wxy8.exe	58%	ReversingLabs	Win32.Dropper.Dapato
Sldl84wxy8.exe	40%	Virustotal		Browse
Sldl84wxy8.exe	100%	Avira	TR/Dropper.Gen
Sldl84wxy8.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\start.exe	100%	Avira	TR/Dropper.Gen
C:\Users\user\AppData\Local\Temp\start.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\svchost (3).exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libEGL.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\libGLESv2.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\vk_swiftshader.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\build.exe	8%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\build.exe	15%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\d3dcompiler_47.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\ffmpeg.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libEGL.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\libGLESv2.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\main.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsdAE7E.tmp\7z-out\main.exe	1%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
rentry.co	2%	Virustotal	Browse
blue.o7lab.me	16%	Virustotal	Browse
leetboy.dynuddns.net	9%	Virustotal	Browse
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://dns10.quad9.net/dns-query	0%	URL Reputation	safe
https://chromium.dns.nextdns.io	0%	URL Reputation	safe
https://doh.cleanbrowsing.org/doh/security-filter	0%	URL Reputation	safe
https://dns.google/dns-query	0%	URL Reputation	safe
https://public.dns.iij.jp/	0%	URL Reputation	safe
https://public.dns.iij.jp/	0%	URL Reputation	safe
https://dns11.quad9.net/dns-query	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	0%	URL Reputation	safe
https://doh.cleanbrowsing.org/doh/family-filter	0%	URL Reputation	safe
https://cleanbrowsing.org/privacy	0%	URL Reputation	safe
https://www.quad9.net/home/privacy/	0%	URL Reputation	safe
https://dns64.dns.google/dns-query	0%	URL Reputation	safe
https://doh.cleanbrowsing.org/doh/adult-filter	0%	URL Reputation	safe
https://passwords.google.comGoogle	0%	URL Reputation	safe
https://dns.quad9.net/dns-query	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	0%	URL Reputation	safe
https://chrome.cloudflare-dns.com/dns-query	0%	URL Reputation	safe
https://public.dns.iij.jp/dns-query	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	0%	URL Reputation	safe
https://dns.sb/privacy/	0%	URL Reputation	safe
https://doh.dns.sb/dns-query	0%	URL Reputation	safe
https://alekberg.net/privacy	0%	URL Reputation	safe
https://dnsnl.alekberg.net/dns-query	0%	URL Reputation	safe
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	0%	URL Reputation	safe
https://www.quad9.net/home/privacy/Quad9	0%	Avira URL Cloud	safe
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd	0%	Avira URL Cloud	safe
https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn	0%	Avira URL Cloud	safe
https://perfetto.dev/docs/contributing/getting-started#community).No	0%	Avira URL Cloud	safe
https://chrome-devtools-frontend.appspot.com/	0%	Avira URL Cloud	safe
https://chrome-devtools-frontend.appspot.com/	0%	Virustotal		Browse
https://perfetto.dev/docs/contributing/getting-started#community).	0%	Avira URL Cloud	safe
https://public.dns.iij.jp/IIJ	0%	Avira URL Cloud	safe
https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10	0%	Avira URL Cloud	safe
https://cleanbrowsing.org/privacyCleanBrowsing	0%	Avira URL Cloud	safe
https://perfetto.dev/docs/contributing/getting-started#community).	0%	Virustotal		Browse
https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10	2%	Virustotal		Browse
https://nextdns.io/privacy	0%	Avira URL Cloud	safe
https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn	1%	Virustotal		Browse
https://alekberg.net/privacyalekberg.net	0%	Avira URL Cloud	safe
https://perfetto.dev/docs/contributing/getting-started#community).No	0%	Virustotal		Browse
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0	0%	Avira URL Cloud	safe
https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::	0%	Avira URL Cloud	safe
https://nextdns.io/privacy	0%	Virustotal		Browse
https://alekberg.net/privacyalekberg.net	0%	Virustotal		Browse
https://www.quad9.net/home/privacy/Quad9	0%	Virustotal		Browse
https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query	0%	Avira URL Cloud	safe
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd	4%	Virustotal		Browse
https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC	0%	Avira URL Cloud	safe
leetboy.dynuddns.net	100%	Avira URL Cloud	phishing
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0	0%	Virustotal		Browse
https://public.dns.iij.jp/IIJ	0%	Virustotal		Browse
https://cleanbrowsing.org/privacyCleanBrowsing	0%	Virustotal		Browse
https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC	0%	Virustotal		Browse
leetboy.dynuddns.net	9%	Virustotal		Browse
https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query	0%	Virustotal		Browse
https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rentry.co	104.21.95.148	true	false	2%, Virustotal, Browse	unknown
cosmicdust.zip	192.236.232.25	true	false		unknown
cosmoplanets.net	172.67.142.111	true	false		unknown
blue.o7lab.me	94.156.66.112	true	true	16%, Virustotal, Browse	unknown
leetboy.dynuddns.net	185.196.11.223	true	true	9%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	69.164.0.0	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
leetboy.dynuddns.net	true	9%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://doh.cox.net/dns-querydot.cox.net68.105.28.1168.105.28.122001:578:3f::30	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://support.google.com/chrome/answer/6098869	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://dns10.quad9.net/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/privacy/eula_text.html	th.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://chromium.dns.nextdns.io	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
http://www.unicode.org/copyright.html	icudtl.dat0.6.dr	false		high
https://www.google.com/chrome/privacy/eula_text.htmlPod	hr.pak.6.dr	false		high
https://doh.familyshield.opendns.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome.google.com/webstore?hl=hrPre	hr.pak.6.dr	false		high
https://doh.cleanbrowsing.org/doh/security-filter	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=ml	ml.pak.6.dr	false		high
https://dns.google/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/chrome/privacy/eula_text.htmlHaldab	et.pak.6.dr	false		high
https://public.dns.iij.jp/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=et&category=theme81https://myactivity.google.com/myactivity/?u	et.pak.6.dr	false		high
https://chrome.google.com/webstore?hl=te&category=theme81https://myactivity.google.com/myactivity/?u	te.pak.6.dr	false		high
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/Cloudflare	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://photos.google.com/settings?referrer=CHROME_NTP	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://doh.cox.net/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://myactivity.google.com/	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://perfetto.dev/docs/contributing/getting-started#community).No	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dns11.quad9.net/dns-querydns11.quad9.net9.9.9.11149.112.112.112620:fe::112620:fe::fe:11Pd	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	4%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://doh.quickline.ch/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://www.nic.cz/odvr/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome-devtools-frontend.appspot.com/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://developers.google.com/speed/public-dns/privacy	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://dns11.quad9.net/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://developers.cloudflare.com/1.1.1.1/privacy/public-dns-resolver/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome.google.com/webstore?hl=etOtsetee	et.pak.6.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlList	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://passwords.google.com	th.pak.6.dr	false		high
https://www.nic.cz/odvr/CZ.NIC	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://policies.google.com/	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://doh-02.spectrum.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome.google.com/webstore?hl=th&category=theme81https://myactivity.google.com/myactivity/?u	th.pak.6.dr	false		high
https://public.dns.iij.jp/dns-queryIijUShttps://nextdns.io/privacyNextDNShttps://chromium.dns.nextdn	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.quad9.net/home/privacy/Quad9	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	start.exe, 0000000A.00000002.1498443006.000000000257E000.00000004.00000800.00020000.00000000.sdmp	false		high
https://perfetto.dev/docs/contributing/getting-started#community).	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://public.dns.iij.jp/IIJ	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=te	te.pak.6.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherEnabled	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://dns10.quad9.net/dns-querydns10.quad9.net9.9.9.10149.112.112.102620:fe::102620:fe::fe:10	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cleanbrowsing.org/privacyCleanBrowsing	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://nextdns.io/privacy	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://odvr.nic.cz/doh	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome.google.com/webstore/category/extensions	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://doh.cleanbrowsing.org/doh/family-filter	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chromebook?p=app_intent	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://doh.xfinity.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://alekberg.net/privacyalekberg.net	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://cleanbrowsing.org/privacy	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://www.quad9.net/home/privacy/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=ml&category=theme81https://myactivity.google.com/myactivity/?u	ml.pak.6.dr	false		high
https://chrome.google.com/webstore?hl=th	th.pak.6.dr	false		high
https://developers.google.com/speed/public-dns/privacyGoogle	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome.cloudflare-dns.com/dns-queryone.one.one.one1dot1dot1dot1.cloudflare-dns.com1.1.1.11.0	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://dns64.dns.google/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://doh.cleanbrowsing.org/doh/adult-filter	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://doh.opendns.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://passwords.google.comGoogle	et.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://doh-01.spectrum.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	build.exe, 00000006.00000000.1434954851.000000000040A000.00000008.00000001.01000000.0000000B.sdmp	false		high
https://dns.quad9.net/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=hi&category=theme81https://myactivity.google.com/myactivity/?u	hi.pak.6.dr	false		high
https://www.cisco.com/c/en/us/about/legal/privacy-full.html	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://dns.quad9.net/dns-querydns.quad9.netdns9.quad9.net9.9.9.9149.112.112.1122620:fe::fe2620:fe::	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.google.com/webstore?hl=hr&category=theme81https://myactivity.google.com/myactivity/?u	hr.pak.6.dr	false		high
https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://dns.sb/privacy/DNS.SBhttps://doh.dns.sb/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://chrome.cloudflare-dns.com/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://odvr.nic.cz/dohodvr.nic.cz185.43.135.1193.17.47.12001:148f:fffe::12001:148f:ffff::1	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false		high
https://chrome-devtools-frontend.appspot.com/%s%s/%s/NetworkResourceLoaderstreamWriteInspectableWebC	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://public.dns.iij.jp/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown
https://chrome.google.com/webstore?hl=hi	hi.pak.6.dr	false		high
https://dns.sb/privacy/	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://doh.dns.sb/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://support.google.com/chrome/a/?p=block_warn	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false		high
https://alekberg.net/privacy	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://dnsnl.alekberg.net/dns-query	main.exe, 00000017.00000000.1711768969.00007FF658C32000.00000002.00000001.01000000.00000011.sdmp	false	URL Reputation: safe	unknown
https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist	et.pak.6.dr, th.pak.6.dr, hr.pak.6.dr, hi.pak.6.dr, ml.pak.6.dr, te.pak.6.dr	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
94.156.66.112	blue.o7lab.me	Bulgaria	31420	TERASYST-ASBG	true
192.236.232.25	cosmicdust.zip	United States	54290	HOSTWINDSUS	false
172.67.142.111	cosmoplanets.net	United States	13335	CLOUDFLARENETUS	false
104.21.95.148	rentry.co	United States	13335	CLOUDFLARENETUS	false
185.196.11.223	leetboy.dynuddns.net	Switzerland	42624	SIMPLECARRIERCH	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1417125
Start date and time:	2024-03-28 16:23:57 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Sldl84wxy8.exe renamed because original name is a hash value
Original Sample Name:	0b459466e3619d2a29bb93ea2dac077a.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@32/108@6/5
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 81% Number of executed functions: 46 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 69.164.0.0, 20.42.65.92, 72.21.81.240
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu-bg-shim.trafficmanager.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, blobcollector.events.data.trafficmanager.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, umwatson.events.data.microsoft.com
Execution Graph export aborted for target start.exe, PID 5652 because it is empty
Execution Graph export aborted for target svchos.exe, PID 6536 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:25:03	API Interceptor	1x Sleep call for process: RegSvcs.exe modified
16:25:04	API Interceptor	1x Sleep call for process: WerFault.exe modified
16:25:05	Task Scheduler	Run new task: svchos path: "C:\Users\user\AppData\Roaming\svchos.exe"
16:25:45	API Interceptor	8259672x Sleep call for process: svchos.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
94.156.66.112	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
94.156.66.112	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
192.236.232.25	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
192.236.232.25	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse
172.67.142.111	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
104.21.95.148	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
	troca.msi	Get hash	malicious	Unknown	Browse
	Leak Porn MMS Teen Girl.js	Get hash	malicious	RHADAMANTHYS	Browse
185.196.11.223	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse
185.196.11.223	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
blue.o7lab.me	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	94.156.66.112
blue.o7lab.me	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	94.156.66.112
windowsupdatebg.s.llnwi.net	6sg60cSBIQ.dll	Get hash	malicious	Unknown	Browse	69.164.0.128
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	69.164.0.0
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	69.164.0.128
	https://www.attemplate.com/gcc/24f1e58b-b088-4195-ba46-839e73aec371/406eb232-0f42-45b3-8f82-5ddbf95d3c28/4526622a-5e47-4913-897d-b139c3f50e94/attachment?id=T3JlSlFGWnFzWFRVUk1mQzVwN1d5V3BvT0lIMGd1MmFSTncyMDRDRXRKY1dLWnk0bmZKanUwWkxaU0JRa1VvOGZhTkloMFNSY24vUTU3cFB2eGJmY090ZVc1ZUc0MHdldWRuVFdSWEtLem5UV3VXTlozS0kwTGpGTDNTT0d0SHAveERBQjJFUUNPTUhqWDY3MVJlZzhiSG14ZjVqMmdjNlVUMjh1NXpwazZLblFjeHdDQlBxblJwaVNKY1R6WUp6YnlhaHo5dTRpRFZUY2w2SGQwRW9oNzNXTFJ5MjdQN090UzNtWHIwZDVVK21OV095NHRLT0plZ29TT3EweVdZaDlhUW9lK2lmOWtpOUlmTFRYL3pDSVZzRCt2WEFBbjQyNVRQTDBoRE9IK1NXbmM3UndCdjk2dUg5QVF3MnRodGN3V2NjSCt1ZXZVbzR4VUt5dnEzcFhzOGRkRGUvYWROemJ4NDNHRkJLejRtU01ISmpOYVpEbi9GdUlJUFliMGQ1MHFBaHJCYnQzWWhMTExQcUtUU0RzQT09	Get hash	malicious	Unknown	Browse	69.164.0.128
	FindAll.xla	Get hash	malicious	Unknown	Browse	69.164.0.128
	SecuriteInfo.com.Trojan.Siggen27.33484.28759.31674.exe	Get hash	malicious	Unknown	Browse	69.164.0.0
	8tUCycu3Wq.exe	Get hash	malicious	PureLog Stealer, RHADAMANTHYS, zgRAT	Browse	69.164.0.0
	7294042_PDF.vbs	Get hash	malicious	GuLoader	Browse	69.164.0.0
	https://mail.profil.aktualisieren.87-121-52-217.cprapid.com/	Get hash	malicious	PayPal Phisher	Browse	69.164.0.128
	https://main.d3ugl75lhwl13s.amplifyapp.com/?serious-windows-defender-security-detection	Get hash	malicious	TechSupportScam	Browse	69.164.0.0
leetboy.dynuddns.net	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.196.11.223
leetboy.dynuddns.net	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	185.196.11.223
rentry.co	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	104.21.95.148
	troca.msi	Get hash	malicious	Unknown	Browse	104.21.95.148
	Epdf_information.msi	Get hash	malicious	Unknown	Browse	172.67.145.129
	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse	172.67.145.129
	SecuriteInfo.com.Variant.Cerbu.203511.29180.28624.exe	Get hash	malicious	Unknown	Browse	172.67.145.129
	SecuriteInfo.com.Trojan.MulDrop24.59030.23050.13183.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	172.67.145.129
	SecuriteInfo.com.Variant.Cerbu.203511.29180.28624.exe	Get hash	malicious	Unknown	Browse	172.67.145.129
	SecuriteInfo.com.FileRepMalware.16037.9737.exe	Get hash	malicious	Python Stealer	Browse	172.67.145.129
	Leak Porn MMS Teen Girl.js	Get hash	malicious	RHADAMANTHYS	Browse	104.21.95.148
	SecuriteInfo.com.Trojan.GenericKD.70641791.20493.31768.exe	Get hash	malicious	Python Stealer, CStealer	Browse	51.83.3.90
cosmicdust.zip	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	192.236.232.25
cosmicdust.zip	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse	192.236.232.25
cosmoplanets.net	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	172.67.142.111
cosmoplanets.net	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse	191.101.104.58

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	http://www.rewardgateway.com	Get hash	malicious	HTMLPhisher	Browse	104.18.79.253
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.79.253
	securedoc_20240328T081124.html	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://airispharma1-my.sharepoint.com/:o:/g/personal/anagaraj_airispharma_com/EvmEpKGsyxtGnlrgsjVRxi4BOj2g3uhzHgNY6tXqx6wp5g?e=JtdJfI	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://credit-bittrex.com/creditor	Get hash	malicious	Phisher	Browse	172.67.213.53
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	104.21.95.148
	Quarantined Messages (12).zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	Receipt_2821-Overdue-PO.msg	Get hash	malicious	Unknown	Browse	172.67.144.70
	https://gcv.microsoft.us/kgRWagmalJ	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.25.14
	BL-SHIPPING INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
CLOUDFLARENETUS	http://www.rewardgateway.com	Get hash	malicious	HTMLPhisher	Browse	104.18.79.253
	https://www.rewardgateway.com/	Get hash	malicious	HTMLPhisher	Browse	104.18.79.253
	securedoc_20240328T081124.html	Get hash	malicious	Unknown	Browse	104.18.11.207
	https://airispharma1-my.sharepoint.com/:o:/g/personal/anagaraj_airispharma_com/EvmEpKGsyxtGnlrgsjVRxi4BOj2g3uhzHgNY6tXqx6wp5g?e=JtdJfI	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	https://credit-bittrex.com/creditor	Get hash	malicious	Phisher	Browse	172.67.213.53
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	104.21.95.148
	Quarantined Messages (12).zip	Get hash	malicious	Unknown	Browse	1.1.1.1
	Receipt_2821-Overdue-PO.msg	Get hash	malicious	Unknown	Browse	172.67.144.70
	https://gcv.microsoft.us/kgRWagmalJ	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.25.14
	BL-SHIPPING INVOICE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
SIMPLECARRIERCH	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	185.196.11.223
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	185.196.11.223
	9NBx4Vmiuj.exe	Get hash	malicious	PureLog Stealer, XWorm, zgRAT	Browse	185.196.10.233
	UNca1snvkz.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	bd7kzboTUq.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	H6ZdQFux3W.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	jxJoK9xswU.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	29oAGfUZCW.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	pwybQt2eUG.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
	5sIvHoFITx.elf	Get hash	malicious	Mirai	Browse	185.196.10.155
HOSTWINDSUS	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	192.236.232.25
	Q9Jn6b7bIj.elf	Get hash	malicious	Mirai	Browse	198.84.69.50
	thurs20.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs17.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs21.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs19.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs18.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs14.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs9.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
	thurs13.exe	Get hash	malicious	Python Stealer	Browse	192.236.232.35
TERASYST-ASBG	V1yLpoS3XR.exe	Get hash	malicious	AsyncRAT, VenomRAT	Browse	94.156.66.112
	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse	94.156.66.112
	LQ2sKCMmXw.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	94.156.69.232
	WFbZkwBBqG.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	o7g23WWTSM.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	drP2lFrTw8.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	V0Ev61kN3E.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	hxLoX40UD6.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	a5nJUdCd2B.elf	Get hash	malicious	Gafgyt, Mirai	Browse	94.156.71.205
	i9nAGl38hA.elf	Get hash	malicious	Mirai, Gafgyt	Browse	94.156.71.205

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\d3dcompiler_47.dll	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
	Mauqes.exe	Get hash	malicious	Unknown	Browse
	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse
	systemtest-standalone-10.12.3.exe	Get hash	malicious	Unknown	Browse
	systemtest-standalone-10.12.3.exe	Get hash	malicious	Unknown	Browse
	TrelloSetup.exe	Get hash	malicious	Unknown	Browse
	TrelloSetup.exe	Get hash	malicious	Unknown	Browse
	W1nnerFree CS2.exe	Get hash	malicious	LoaderBot, Xmrig	Browse
C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\ffmpeg.dll	rU6YAgkoAw.exe	Get hash	malicious	AsyncRAT	Browse
	Tank-RevolutionDEMO.exe	Get hash	malicious	Unknown	Browse
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse
	Google Digital Marketing .xlsx.exe	Get hash	malicious	Unknown	Browse
	systemtest-standalone-10.12.3.exe	Get hash	malicious	Unknown	Browse
	systemtest-standalone-10.12.3.exe	Get hash	malicious	Unknown	Browse
	ForestOfDream.exe	Get hash	malicious	Unknown	Browse
	ForestOfDream.exe	Get hash	malicious	Unknown	Browse
	sims4c.exe	Get hash	malicious	Unknown	Browse
	RemasterSouls Setup.exe	Get hash	malicious	Unknown	Browse

Process:	C:\Windows\System32\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.1436285878782433
Encrypted:	false
SSDEEP:	192:p6wm+L0UnU1aWj3OlTwd7ZFEszuiF/Z24lO8v:Ab+YUnU1aYou9zuiF/Y4lO8v
MD5:	E4A86785AE8C1FDC930FE8DF7C8ABAA3
SHA1:	5A66C17ACC0F96A4F82E8F0DDAD0A653DBA4EA64
SHA-256:	BC7B8DDD70B4DA0544C08086037B88B6091328AFA8AB04A0D573B36973B37223
SHA-512:	32DDF8F5F1231EDADF4313F9C474188383F95AC5D71235427A4AD613ABFEE47E9FDBA15229F426E6CC61BC961A4667608B8997091BE90702E16F21CB243737F6
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.6.1.1.3.0.9.8.6.6.6.4.3.3.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.6.1.1.3.0.9.9.7.4.4.5.6.0.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.8.7.2.1.a.a.2.-.c.7.2.7.-.4.7.e.9.-.b.f.e.6.-.3.2.b.f.9.b.d.b.2.4.f.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.c.8.3.7.5.b.3.-.f.5.c.4.-.4.0.6.5.-.a.3.a.c.-.1.1.2.1.6.d.e.3.d.7.f.d.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....N.s.A.p.p.N.a.m.e.=.s.v.c.h.o.s.t. .(.3.)...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.A.p.p.3.F.A.A.L.9.8...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.a.4.8.-.0.0.0.1.-.0.0.1.4.-.4.a.4.7.-.a.f.1.6.2.4.8.1.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.6.a.5.b.7.a.3.d.4.e.f.f.d.2.7.b.d.0.8.c.e.a.0.1.d.9.9.4.c.2.0.0.0.0.0.0.0.0.0.!.0.0.0.0.3.b.6.a.8.a.5.1.f.5.3.d.8.e.c.6.e.7.7.3.f.2.a.2.8.f.8.0.f.b.0.0.3.3.1.1.5.9.7.b.!.s.v.c.h.o.s.t.

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	Microsoft Cabinet archive data, Windows 2000/XP setup, 69993 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category:	dropped
Size (bytes):	69993
Entropy (8bit):	7.99584879649948
Encrypted:	true
SSDEEP:	1536:iMveRG6BWC7T2g1wGUa5QUoaIB9ttiFJG+AOQOXl0Usvwr:feRG6BX6gUaHo9tkBHiUewr
MD5:	29F65BA8E88C063813CC50A4EA544E93
SHA1:	05A7040D5C127E68C25D81CC51271FFB8BEF3568
SHA-256:	1ED81FA8DFB6999A9FEDC6E779138FFD99568992E22D300ACD181A6D2C8DE184
SHA-512:	E29B2E92C496245BED3372578074407E8EF8882906CE10C35B3C8DEEBFEFE01B5FD7F3030ACAA693E175F4B7ACA6CD7D8D10AE1C731B09C5FA19035E005DE3AA
Malicious:	false
Preview:	MSCF....i.......,...................I.................oXAy .authroot.stl.Ez..Q6..CK..<Tk...p.k..1...3...[..%Y.f..."K.6)..[I.hOB."..rK.RQ..}f..f...}....9.\|.....gA...30.,O2L...0..%.U...U.t.....`dqM2.x..t...<(uad.c...x5V.x..t..agd.v......i...KD..q(. ...JJ......#..'=. ...3.x...}...+T.K..!.'.`w .!.x.r.......YafhG..O.3....'P[..'.D../....n..t....R<..=\E7L0?{..T.f...ID...,...r....3z..O/.b.Iwx.. .o...a\.s........."..'.......<;s.[...l...6.)ll..B.P.....k.... k0.".t!/.,........{...P8....B..0(.. .Q.....d...q,\.$.n.Q.\.p...R..:.hr./..8.S<a.s...+#3....D..h1.a.0....{.9.....:e.......n.~G.{.M.1..OU.....B.Q..y_>.P{...}i.=.a..QQT.U..\|!.pyCD@.....l..70..w..)...W^.`l...%Y.\................i..=hYV.O8W@P.=.r.=..1m..1....)\.p..\|.c.3..t..[...).....l.{.Y....\S.....y....[.mCt....Js;...H....Q..F.....g.O...[..A.=...F[..z....k...mo.lW{`....O...T.g.Y.Uh.;m.'.N..f..}4..9i..t4p_bI..`.....Ie..l.P.... ...Lg......[....5g...~D.s.h'>n.m.c.7...-..P.gG...i$...v.m.b[.yO.P/*.YH.

Process:	C:\Users\user\Desktop\Sldl84wxy8.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	65711823
Entropy (8bit):	7.999943485811978
Encrypted:	true
SSDEEP:	1572864:9rziNh/b8cKauEXEnREpwWGD5Pb2PKDLrWE36D77:Yh/Tu+W/kvEKf7
MD5:	8701FCD188315FA69245FB99E07DF60D
SHA1:	511FF357D2BA1EAE568E54627C115218AC9C2F27
SHA-256:	A60C94ED95D06FDEC41A1665413BDE68A9B501C2781417848AC3D60631163001
SHA-512:	826AA81D962EA6C1D8C8B3B4471136A5EA5AD1844D92289859D7A951B339FC7BA06386AD3D71BFBDD02538DDA98F107ED28BB1655E58BDA727798DBDEA67F21B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 8% Antivirus: Virustotal, Detection: 15%, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@...3............@..........................p.......{....@..........................................................................................................................................................text...'f.......h.................. ..`.rdata...............l..............@..@.data...............................@....ndata...................................rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	7.999988640433959
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Sldl84wxy8.exe
File size:	66'234'368 bytes
MD5:	0b459466e3619d2a29bb93ea2dac077a
SHA1:	b55a18a2d13589b81cae82c691d83e7961799d44
SHA256:	a7adeed2290a6e7d4b061a44337ebbcdc91a9800e40cc96a31632e3e52d710ff
SHA512:	ab1bd6465ce9e956bf4d9576552ab85541a6b6595817ca68e651264630d728388938b8f0b85353e2278bbee73b6ca427027fdfc8e1fc041a19467b41d29f320c
SSDEEP:	1572864:iFffrC4ndj0tJT5vMiaUMeRBFGkdWEeJFj3w:gf24dj6T5TaUTBbdheXw
TLSH:	A6E733102189D9B9D1F8A5BDDF2FD90214EC53A129D16BFF1C15C3250EBFEE2A89A1C1
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.................................................@..................................E.....................................

Entrypoint:	0x4014ad
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:
Time Stamp:	0x0 [Thu Jan 1 00:00:00 1970 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a9c887a4f18a3fede2cc29ceea138ed3

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3f2b480	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3f2d000	0x2f8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x3f2b4d0	0x58	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x640	0x800	9b1c7bee845c3a1478ec3077d89ce9ca	False	0.39892578125	data	4.621842099867178	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2000	0x3f29683	0x3f29800	58782a61c34662ad50ed94be32821d00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x3f2c000	0x4	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3f2d000	0x2f8	0x400	a059bed3e4dc9fe2c31e58a608b3e985	False	0.3603515625	data	4.300210635374267	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

DLL	Import
msvcrt.dll	malloc, memset, strcmp, strcpy, getenv, sprintf, fopen, fwrite, fclose, __argc, __argv, _environ, _XcptFilter, __set_app_type, _controlfp, __getmainargs, exit
shell32.dll	ShellExecuteA
kernel32.dll	SetUnhandledExceptionFilter

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 28, 2024 16:25:02.214812994 CET	56007	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:03.210558891 CET	56007	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:03.610177994 CET	53	56007	1.1.1.1	192.168.2.8
Mar 28, 2024 16:25:13.509314060 CET	53066	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:13.701056004 CET	53	53066	1.1.1.1	192.168.2.8
Mar 28, 2024 16:25:30.521038055 CET	61189	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:30.617383957 CET	53	61189	1.1.1.1	192.168.2.8
Mar 28, 2024 16:25:30.849320889 CET	61941	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:31.268229961 CET	53	61941	1.1.1.1	192.168.2.8
Mar 28, 2024 16:25:31.853373051 CET	53508	53	192.168.2.8	1.1.1.1
Mar 28, 2024 16:25:31.958045959 CET	53	53508	1.1.1.1	192.168.2.8

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Mar 28, 2024 16:25:02.323754072 CET	1.1.1.1	192.168.2.8	0x1b71	No error (0)	windowsupdatebg.s.llnwi.net	69.164.0.0	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:03.610177994 CET	1.1.1.1	192.168.2.8	0x3b02	No error (0)	blue.o7lab.me	94.156.66.112	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:13.701056004 CET	1.1.1.1	192.168.2.8	0x5b33	No error (0)	leetboy.dynuddns.net	185.196.11.223	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:30.617383957 CET	1.1.1.1	192.168.2.8	0x75c8	No error (0)	rentry.co	104.21.95.148	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:30.617383957 CET	1.1.1.1	192.168.2.8	0x75c8	No error (0)	rentry.co	172.67.145.129	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:31.268229961 CET	1.1.1.1	192.168.2.8	0x5f04	No error (0)	cosmicdust.zip	192.236.232.25	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:31.958045959 CET	1.1.1.1	192.168.2.8	0x39ef	No error (0)	cosmoplanets.net	172.67.142.111	A (IP address)	IN (0x0001)	false
Mar 28, 2024 16:25:31.958045959 CET	1.1.1.1	192.168.2.8	0x39ef	No error (0)	cosmoplanets.net	104.21.71.28	A (IP address)	IN (0x0001)	false

Target ID:	1
Start time:	16:24:55
Start date:	28/03/2024
Path:	C:\Users\user\Desktop\Sldl84wxy8.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Sldl84wxy8.exe"
Imagebase:	0x400000
File size:	66'234'368 bytes
MD5 hash:	0B459466E3619D2A29BB93EA2DAC077A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	16:24:56
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Local\Temp\svchost (3).exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\svchost (3).exe"
Imagebase:	0x2422f750000
File size:	452'920 bytes
MD5 hash:	8CD2675E19A8B1DCCF0DBF082F42AB33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_VenomRAT, Description: Yara detected VenomRAT, Source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1507763481.0000024231491000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	true

Target ID:	4
Start time:	16:24:57
Start date:	28/03/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
Imagebase:	0x580000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Target ID:	6
Start time:	16:24:58
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Local\Temp\build.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\build.exe"
Imagebase:	0x400000
File size:	65'711'823 bytes
MD5 hash:	8701FCD188315FA69245FB99E07DF60D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 8%, ReversingLabs Detection: 15%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	19
Start time:	16:25:07
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Roaming\svchos.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svchos.exe"
Imagebase:	0xd40000
File size:	64'512 bytes
MD5 hash:	C1ADE258F05C512E98EBC4D9D1165F8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	23
Start time:	16:25:25
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Imagebase:	0x7ff650e10000
File size:	162'036'224 bytes
MD5 hash:	94F3E2F32CED13FD99CC314BEB587233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs Detection: 1%, Virustotal, Browse
Has exited:	true

Target ID:	25
Start time:	16:25:30
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\main" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Imagebase:	0x7ff650e10000
File size:	162'036'224 bytes
MD5 hash:	94F3E2F32CED13FD99CC314BEB587233
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	26
Start time:	16:25:31
Start date:	28/03/2024
Path:	C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\main.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\main" --mojo-platform-channel-handle=2140 --field-trial-handle=1804,i,13840549230161023294,8166055529436649355,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Imagebase:	0x7ff650e10000
File size:	162'036'224 bytes
MD5 hash:	94F3E2F32CED13FD99CC314BEB587233
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Execution Coverage:	78.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	10
Total number of Limit Nodes:	1

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Sldl84wxy8.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: VenomRAT

Threatname: AsyncRAT

Yara Signatures

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost (3).exe_6122bbe2fa8fede73f613859bbd18b79843c243_1f2af782_88721aa2-c727-47e9-bfe6-32bf9bdb24f2\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERAF87.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB247.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB267.tmp.xml

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\start.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchos.exe.log

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSE.electron.txt

C:\Users\user\AppData\Local\Temp\2eHfvuySzqzZl8qUAC9nldhe9q6\LICENSES.chromium.html

Windows Analysis Report
Sldl84wxy8.exe

Execution Coverage:	13.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre