Windows Analysis Report
Uhy4TvdjRw.exe

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 61.14.233.88:7707 -> 192.168.2.3:49739
Source: Traffic	Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 61.14.233.88:7707 -> 192.168.2.3:49739

Yara detected Generic Downloader

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: Joe Sandbox View

ASN Name: VNPT-AS-VNVNPTCorpVN VNPT-AS-VNVNPTCorpVN

Source: global traffic

TCP traffic: 192.168.2.3:49739 -> 61.14.233.88:7707

Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88
Source: unknown	TCP traffic detected without corresponding DNS query: 61.14.233.88

Source: svchost.exe, 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 0000000B.00000002.534132653.0000000005115000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: Uhy4TvdjRw.exe, 00000000.00000002.278002213.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

Key, Mouse, Clipboard, Microphone and Screen Capturing

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

System Summary

Source: Uhy4TvdjRw.exe, type: SAMPLE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: dump.pcap, type: PCAP	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen

Source: Uhy4TvdjRw.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Uhy4TvdjRw.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys

Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC91C8	11_2_04EC91C8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC9EA0	11_2_04EC9EA0
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04ECDB40	11_2_04ECDB40
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04ECF7F8	11_2_04ECF7F8
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_04EC8E80	11_2_04EC8E80
Source: C:\Users\user\AppData\Roaming\svchost.exe	Code function: 11_2_057D32D8	11_2_057D32D8

Source: Uhy4TvdjRw.exe, 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe
Source: Uhy4TvdjRw.exe, 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe
Source: Uhy4TvdjRw.exe	Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe

Source: Uhy4TvdjRw.exe	Virustotal: Detection: 67%
Source: Uhy4TvdjRw.exe	Metadefender: Detection: 57%
Source: Uhy4TvdjRw.exe	ReversingLabs: Detection: 96%

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File read: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Source: Uhy4TvdjRw.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\Uhy4TvdjRw.exe "C:\Users\user\Desktop\Uhy4TvdjRw.exe"
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown	Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\conhost.exe	Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Local\Temp\tmp93E6.tmp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/8@0/1

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File read: C:\Users\user\Desktop\desktop.ini

Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: Uhy4TvdjRw.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: Uhy4TvdjRw.exe, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe
Source: svchost.exe.0.dr, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, cIBYexWXymf/VsHHNmuqOlgyY.cs	Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo8U+CQ+TmCFK1bleNxPdsPP833f3klmIuuO9wA2J3hlVQjs2twFmaJsBaPy6414=', 'THP6gdgqES/ztFSmZNfuuRdaK9OeIa2tFJoxVdMD59uwoLhbiaBcM6BllBjS9lEiw2zMutxeOy1NImtebl7/Wl5tA2U6JjDKHsYN4gUI4qcmB3VJTHZp3A2uoQiwNflyIGzXiNpYW4U3QUsQfHtkP63bDG9GW40EB52CyAZVt8xd9nT4Svjjc9gfIlshrjJPkAYHTjg11RUi0bK8KzN37J7iZzKQNxM3luM3el0PnT6gq4nuHb7elUCFN3s/38aTeL/YEyx7b1PZlxIpKmxZiceXlCBeK16BeLe78NuqFjDqwMF8mlmJ1Ni4DpbcON/LL5CwCsmjxYxlQPYWWl8vC0BdjFfQ6/5xY6RC/UZdBhm/7RrovfU9y23+TQAzIaUafoRiZRMLQv25D6+dV7skJcEKVisSlMsHwCLN0iCzaw++ftJvPwwItCDneHWjx3iR5NeQdYHVXg/aFBe

Source: C:\Users\user\AppData\Roaming\svchost.exe	Mutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4412:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_01

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""

Source: C:\Users\user\AppData\Roaming\svchost.exe

File read: C:\Windows\System32\drivers\etc\hosts

.NET source code contains potential unpacker

Source: Uhy4TvdjRw.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Uhy4TvdjRw.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Uhy4TvdjRw.exe, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, IbbhSxkMmBWFzaYru/gxvoCtTjVDav.cs	.Net Code: FRvoUOlAqvBX System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

File created: C:\Users\user\AppData\Roaming\svchost.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Source: C:\Users\user\AppData\Roaming\svchost.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: Uhy4TvdjRw.exe, svchost.exe.0.dr

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe TID: 1112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 5216	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 4780	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6064	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 6064	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2244	Thread sleep count: 9799 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\AppData\Roaming\svchost.exe

Window / User API: threadDelayed 9799

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: svchost.exe.0.dr	Binary or memory string: vmware
Source: svchost.exe, 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Memory allocated: page read and write | page guard

System process connects to network (likely due to code injection or exploit)

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\svchost.exe

Network Connect: 61.14.233.88 7707

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout 3	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"	Jump to behavior

Source: svchost.exe, 0000000B.00000002.528588986.00000000029FA000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000003.306525634.0000000005801000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528776831.0000000002A38000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Queries volume information: C:\Users\user\Desktop\Uhy4TvdjRw.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: Yara match	File source: Uhy4TvdjRw.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\conhost.exe	WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct
Source: C:\Users\user\AppData\Roaming\svchost.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Source: svchost.exe, 0000000B.00000002.534132653.0000000005115000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Windows Management Instrumentation	2 Scheduled Task/Job	112 Process Injection	11 Masquerading	OS Credential Dumping	1 Query Registry	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	2 Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Scheduled Task/Job	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Non-Standard Port	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Scripting	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	112 Process Injection	NTDS	21 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Scripting	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	11 Obfuscated Files or Information	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	13 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Uhy4TvdjRw.exe	68%	Virustotal		Browse
Uhy4TvdjRw.exe	57%	Metadefender		Browse
Uhy4TvdjRw.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT
Uhy4TvdjRw.exe	100%	Avira	HEUR/AGEN.1202836
Uhy4TvdjRw.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\svchost.exe	100%	Avira	HEUR/AGEN.1202836
C:\Users\user\AppData\Roaming\svchost.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\svchost.exe	68%	Virustotal		Browse
C:\Users\user\AppData\Roaming\svchost.exe	57%	Metadefender		Browse
C:\Users\user\AppData\Roaming\svchost.exe	96%	ReversingLabs	ByteCode-MSIL.Backdoor.AsyncRAT

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Uhy4TvdjRw.exe.6d0000.0.unpack	100%	Avira	HEUR/AGEN.1202836		Download File

Domains

Source	Detection	Scanner	Label	Link
windowsupdatebg.s.llnwi.net	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
windowsupdatebg.s.llnwi.net	95.140.230.192	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Uhy4TvdjRw.exe, 00000000.00000002.278002213.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
61.14.233.88	unknown	Viet Nam		45899	VNPT-AS-VNVNPTCorpVN	true

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	679246
Start date and time: 05/08/202213:06:17	2022-08-05 13:06:17 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 18s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Uhy4TvdjRw.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/8@0/1
EGA Information:	Successful, ratio: 33.3%
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 75 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe, wuapihost.exe
Excluded IPs from analysis (whitelisted): 23.211.6.115, 95.140.230.192, 8.238.189.126, 8.238.190.126, 8.248.141.254, 8.248.117.254, 67.26.139.254
Excluded domains from analysis (whitelisted): www.bing.com, fg.download.windowsupdate.com.c.footprint.net, fs.microsoft.com, client-office365-tas.msedge.net, store-images.s-microsoft.com-c.edgekey.net, ctldl.windowsupdate.com, arc.msn.com, wu-bg-shim.trafficmanager.net, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, config.edge.skype.com
Execution Graph export aborted for target Uhy4TvdjRw.exe, PID 2508 because it is empty
Execution Graph export aborted for target svchost.exe, PID 5208 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:07:36	Task Scheduler	Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
13:07:47	API Interceptor	1x Sleep call for process: svchost.exe modified
13:08:49	API Interceptor	1x Sleep call for process: MpCmdRun.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
windowsupdatebg.s.llnwi.net	Statement of Account.exe	Get hash	malicious	Browse	41.63.96.128
	SecuriteInfo.com.W32.AIDetectNet.01.19566.exe	Get hash	malicious	Browse	95.140.236.128
	rgvtCFNUvb.exe	Get hash	malicious	Browse	95.140.230.128
	MAYBank-Payment-TT-Slip99484939399303003535355555-pdf.exe	Get hash	malicious	Browse	178.79.225.128
	#U2022MT103_Payment_slip_for -outstanding.pdf.exe	Get hash	malicious	Browse	178.79.225.128
	oRxTjKmJaR.exe	Get hash	malicious	Browse	95.140.230.192
	Quote#20220803-83827.pdf.exe	Get hash	malicious	Browse	95.140.236.128
	https://www.chockingpilotenergetic.com/	Get hash	malicious	Browse	95.140.230.128
	NHPUWUJUFDLFFTSGRWJKA.VBS	Get hash	malicious	Browse	178.79.225.128
	CLK3FhB5WQ.exe	Get hash	malicious	Browse	178.79.225.128
	triage_dropped_file.exe	Get hash	malicious	Browse	178.79.242.128
	https://veronica.craigslistpartner.club	Get hash	malicious	Browse	95.140.230.192
	https://veronica.craigslistpartner.club/	Get hash	malicious	Browse	95.140.230.128
	Agent_Install.exe	Get hash	malicious	Browse	95.140.230.192
	payment for invoice64249.docx	Get hash	malicious	Browse	178.79.225.0
	payment for invoice 64249.docx	Get hash	malicious	Browse	95.140.230.192
	ORDER ENQUIRY.exe	Get hash	malicious	Browse	178.79.242.0
	PROMORMA INVOICE.exe	Get hash	malicious	Browse	178.79.242.0
	JUSTIFICANTE DE PAGO.exe	Get hash	malicious	Browse	95.140.236.0
	PO from Proform Technologies Inc 15124.pdf.rar.exe	Get hash	malicious	Browse	41.63.96.128

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
VNPT-AS-VNVNPTCorpVN	Gpaw8cp28X	Get hash	malicious	Browse	113.181.189.131
	3pqbZUFmS5	Get hash	malicious	Browse	14.182.99.104
	N9vBk22I3t	Get hash	malicious	Browse	14.170.216.171
	W23578.xlsx	Get hash	malicious	Browse	103.255.237.74
	QAF2022-1553 EF.xlsx	Get hash	malicious	Browse	103.255.237.74
	SPM Strength_Vessel's Certificate.xlsx	Get hash	malicious	Browse	103.255.237.74
	W23578.xlsx	Get hash	malicious	Browse	103.255.237.74
	Todz6ncn8n	Get hash	malicious	Browse	14.175.10.231
	4mp5IYDycp	Get hash	malicious	Browse	14.170.198.215
	payment for invoice 64249.docx	Get hash	malicious	Browse	103.255.237.74
	payment for invoice 64249.docx	Get hash	malicious	Browse	103.255.237.74
	payment for invoice64249.docx	Get hash	malicious	Browse	103.255.237.74
	payment for invoice 64249.docx	Get hash	malicious	Browse	103.255.237.74
	Vrd6984wHv	Get hash	malicious	Browse	123.30.215.208
	dsUW8nBcj0	Get hash	malicious	Browse	14.241.252.216
	FLY PGS SOA.docx	Get hash	malicious	Browse	103.255.237.74
	FLY PGS SOA.docx	Get hash	malicious	Browse	103.255.237.74
	lUCh7X1XZ5	Get hash	malicious	Browse	123.29.248.241
	Justificantepago_ 080622045678345.xlsx	Get hash	malicious	Browse	103.207.38.192
	Jul Account.xlsx	Get hash	malicious	Browse	103.255.237.74

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	Microsoft Cabinet archive data, 61712 bytes, 1 file
Category:	dropped
Size (bytes):	61712
Entropy (8bit):	7.995044632446497
Encrypted:	true
SSDEEP:	1536:gzjJiDImMsrjCtGLaexX/zL09mX/lZHIxs:gPJiDI/sr0Hexv/0S/zx
MD5:	589C442FC7A0C70DCA927115A700D41E
SHA1:	66A07DACE3AFBFD1AA07A47E6875BEAB62C4BB31
SHA-256:	2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
SHA-512:	1B5FA79E52BE495C42CF49618441FB7012E28C02E7A08A91DA9213DB3AB810F0E83485BC1DD5F625A47D0BA7CFCDD5EA50ACC9A8DCEBB39F048C40F01E94155B
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	MSCF............,...................I........y.........Tf. .authroot.stl..W.`.4..CK..8U[...q.yL'sf!d.D..."2.2g.<dVI.!.....$).\...!2s..(...[.T7..{}...g....g.....w.km$.&\|..qe.n.8+..&...O...`...+..C......`h!0.I.(C..1Q*L.p..".s..B.....H......fUP@..5...(X#.t.2lX.>.y\|D.0Z0...M....I(.#.-... ...(.J....2..`.hO..{l+.bd7y.j..u.....3....<......3....s.T...._.'...%{v...s..............KgV.0..X=.A.9w9.Ea.x..........\.=.e.C2......9.......`.o... .......@pm.. a.....-M.....{...s.mW.....;.+...A......0.g..L9#.v.&O>./xSH.S.....GH.6.j...`2.(0g..... Lt........h4.iQ?....[.K.....uI......}.....d....M.....6q.Q~.0.\.'U^)`..u.....-........d..7...2.-.2+3.....A./.%Q...k...Q.,...H.B.%..O..x..5\...Hk.......B.';"Ym.'....X.l.E.6..a8.6..nq..x.r4..1t.....,..u.O..O.L...Uf...X.u.F .(.(.....".q...n{%U.-u....l6!....Z....~o0.}Q'.s.i....7...>4x...A.h.Mk].O.z.].6...53...b^;..>e..x.'1..\p.O.k..B1w..\|..K.R.....2.e0..X.^...I...w..!.v5B]x..z.6.G^uF..].b.W...'..I.;..p..@L{.E..@W..3.&...

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	data
Category:	modified
Size (bytes):	290
Entropy (8bit):	2.947388251222562
Encrypted:	false
SSDEEP:	6:kKf11+N+SkQlPlEGYRMY9z+4KlDA3RUe/:311NkPlE99SNxAhUe/
MD5:	AA449CC3E819D614B28CB03C1D01D8BF
SHA1:	782EF6F88E4BF68E6D5B823AE7DCFA73B3DB4DA5
SHA-256:	1477C8430F191DAD859F18B5B1511440B7E331BEED1A1BB18B7506A964D8FB76
SHA-512:	1DC5EC42331021DC9C8F27EE6DE63B1CF83485EDA11F5E46CBC1E64811579E89C518FFBFC05FC6C0CB56497AAD9505962C048A977A67C1D60BBC734E0A6F85AF
Malicious:	false
Preview:	p...... ...............(....................................................... .........L.........................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Uhy4TvdjRw.exe.log

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.348034597186669
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhg84j
MD5:	07FC10473CB7F0DEC42EE8079EB0DF28
SHA1:	90FA6D0B604991B3E5E8F6DB041651B10FD4284A
SHA-256:	A42B61DFB4AF366D05CE1815C88E2392C7C4AA9B6B17604234BEB7A7DADA7E4C
SHA-512:	D7240EE88D207E631990907AFA96C8384FB51729A16247BD4BDB96CBA3C4CDB9A68ADCD07819B2242A0F395690AD831B1B547EC91E988CBE39398F472055D56F
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchost.exe.log

Process:	C:\Users\user\AppData\Roaming\svchost.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.340009400190196
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5:	CC144808DBAF00E03294347EADC8E779
SHA1:	A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256:	3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512:	A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	DOS batch file, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	151
Entropy (8bit):	5.102625473568323
Encrypted:	false
SSDEEP:	3:mKDDCMNqTtvL5oWXp5cViEaKC5ZACSmqRDWXp5cViE2J5xAInTRI2WjVZPy:hWKqTtT6WXp+NaZ5Omq1WXp+N23fTXWq
MD5:	6D013B1CAFE4160FDC1F7B36C3145E1A
SHA1:	C80E8E5E33E867683564C8E649DB78ED5ED6A1D2
SHA-256:	254D27DCF87576D5221575F043F5BB32F4A2E508B4B7A98244AF933C678D7226
SHA-512:	301C4B0635C31D563B6286239A0711B753A453B02BC4623E21FF6A896186602F147E74956CD7B879EA0ECE8593F6A391C5C0FD87F66DCF98C6CF1988DE2631B4
Malicious:	false
Preview:	@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp93E6.tmp.bat" /f /q..

C:\Users\user\AppData\Roaming\svchost.exe

Process:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	5.575530706715254
Encrypted:	false
SSDEEP:	768:wuK49TH4EjZWUR+ejmo2qrw8sJrKKIixPIAoqVcg0b1G24HftYUpG5ilsga8yBDu:wuK49THf52HtuAo9rbMNYUpnfMdh+
MD5:	10135B39A4A6D8717BA8CEEC380EF060
SHA1:	3669C101670B0B373DEA1C7729718340196DA4BC
SHA-256:	45E87EE0B025A7E4A783A6786564982E7735C8C50D0B3D84A3D5DD90CE735CFE
SHA-512:	71CC73FBB213529A14FB94C56F1A056AE5DB940A7AAC22079AE9A238A9633DDD64B7D8FF9B3A023051C9D6CFBBED48E90F14F2E17A2F6893AE9B3B6F46DD31EE
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 68%, Browse Antivirus: Metadefender, Detection: 57%, Browse Antivirus: ReversingLabs, Detection: 96%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@.................................\...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........Y..`v.............................................................V..;...$0.xC.=VD..b......9A../.\.....(.....~............~............~............~............~............~............~............~.....~............~............~............(>......2~.....o?....s..........()...:(...(...:....(+...:....('...:....((...9.....(v...V(....s.... ...o....n~....9....~....o..........~~....(....9....(0...9....(@...Vr.%.p~....(o....#....s...

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\MpCmdRun.log

Process:	C:\Program Files\Windows Defender\MpCmdRun.exe
File Type:	Little-endian UTF-16 Unicode text, with CRLF, CR line terminators
Category:	modified
Size (bytes):	9062
Entropy (8bit):	3.1650995689703207
Encrypted:	false
SSDEEP:	192:cY+38+DJl+ibJ6+ioJJ+i3N+WtT+E9tD+Ett3d+E3zq+F:j+s+v+b+P+m+0+Q+q+5+F
MD5:	78B72556A96E740F02ADAB636DC17FB1
SHA1:	5382CFD5A6C1DE0541DE9CC4EE515CC2F63654F4
SHA-256:	915A96B1B706C95F06CF841A202296F34942DD69E7C7C83EDA9B2A79F93BF435
SHA-512:	1217A1B06E44EEF2BCC63BDC27C130932FEC307277722FD4E3DCDBA0A225918953BE239BCF19E0C2C35C5CD5B4E004893ACABB96F15A893B4D089DB2E0C5CE77
Malicious:	false
Preview:	..........-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.....M.p.C.m.d.R.u.n.:. .C.o.m.m.a.n.d. .L.i.n.e.:. .".C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.n.d.o.w.s. .D.e.f.e.n.d.e.r.\.m.p.c.m.d.r.u.n...e.x.e.". .-.w.d.e.n.a.b.l.e..... .S.t.a.r.t. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.........M.p.E.n.s.u.r.e.P.r.o.c.e.s.s.M.i.t.i.g.a.t.i.o.n.P.o.l.i.c.y.:. .h.r. .=. .0.x.1.....W.D.E.n.a.b.l.e.....E.R.R.O.R.:. .M.p.W.D.E.n.a.b.l.e.(.T.R.U.E.). .f.a.i.l.e.d. .(.8.0.0.7.0.4.E.C.).....M.p.C.m.d.R.u.n.:. .E.n.d. .T.i.m.e.:. .. T.h.u. .. J.u.n. .. 2.7. .. 2.0.1.9. .0.1.:.2.9.:.4.9.....-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.............-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.

\Device\Null

Process:	C:\Windows\SysWOW64\timeout.exe
File Type:	ASCII text, with CRLF line terminators, with overstriking
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.41440934524794
Encrypted:	false
SSDEEP:	3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5:	3DD7DD37C304E70A7316FE43B69F421F
SHA1:	A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256:	4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512:	713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious:	false
Preview:	..Waiting for 3 seconds, press a key to continue ....2.1.0..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	5.575530706715254
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Uhy4TvdjRw.exe
File size:	49152
MD5:	10135b39a4a6d8717ba8ceec380ef060
SHA1:	3669c101670b0b373dea1c7729718340196da4bc
SHA256:	45e87ee0b025a7e4a783a6786564982e7735c8c50d0b3d84a3d5dd90ce735cfe
SHA512:	71cc73fbb213529a14fb94c56f1a056ae5db940a7aac22079ae9a238a9633ddd64b7d8ff9b3a023051c9d6cfbbed48e90f14f2e17a2f6893ae9b3b6f46dd31ee
SSDEEP:	768:wuK49TH4EjZWUR+ejmo2qrw8sJrKKIixPIAoqVcg0b1G24HftYUpG5ilsga8yBDu:wuK49THf52HtuAo9rbMNYUpnfMdh+
TLSH:	61233B003BE9822BF2BE4F789DF22145467AB1673607D64E6CC441D75A13FC19A42AFE
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^................................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General

Entrypoint:	0x40d0ae
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xd05c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe000	0x8c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x10000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xb0b4	0xb200	False	0.5427273525280899	data	5.624119295582564	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe000	0x8c8	0xa00	False	0.3765625	data	5.0748901103993935	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x10000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xe0a0	0x394	data
RT_MANIFEST	0xe434	0x493	exported SGML document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
61.14.233.88192.168.2.37707497392035595 08/05/22-13:07:46.244143	TCP	2035595	ET TROJAN Generic AsyncRAT Style SSL Cert	7707	49739	61.14.233.88	192.168.2.3
61.14.233.88192.168.2.37707497392030673 08/05/22-13:07:46.244143	TCP	2030673	ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server)	7707	49739	61.14.233.88	192.168.2.3

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 5, 2022 13:07:45.648207903 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:45.930344105 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:45.930579901 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:45.962605953 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.244143009 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.244194984 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.244291067 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.248120070 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:46.566440105 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:46.643579960 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:49.418629885 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:49.902847052 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:07:49.903542042 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:07:50.386825085 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:01.679904938 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.169430017 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.169563055 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.451380968 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.535649061 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:02.816046000 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:02.921156883 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:03.402391911 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:03.402510881 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:03.887619019 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:14.365777969 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:14.855849981 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:14.855950117 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.136513948 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.177320004 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.457210064 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.521085024 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.538252115 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:15.800976992 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:15.801150084 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:16.029189110 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:16.293257952 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:26.633465052 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.121565104 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.125171900 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.408021927 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.506469011 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:27.786192894 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:27.793873072 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:28.277340889 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:28.277441978 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:28.777179003 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:38.933715105 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:39.417967081 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:39.418081045 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:39.699002028 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:39.741934061 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.021214962 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:40.026793003 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.512087107 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:40.512187958 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:40.998488903 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:45.606575012 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:45.851788044 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:46.131325006 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:46.242445946 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.230092049 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.714715004 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:51.714873075 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:51.996316910 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.055486917 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:52.335429907 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.348324060 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:52.839986086 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:08:52.840198040 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:08:53.324326038 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:03.528692961 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.011859894 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.011940002 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.293437958 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.337769985 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.617676020 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:04.665924072 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:04.842731953 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:05.324264050 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:05.324431896 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:05.808985949 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.584073067 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.635601044 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:15.831409931 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:15.914891958 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:15.915205956 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:16.194834948 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.195557117 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.245033026 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:16.524821997 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:16.529345989 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:17.011609077 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:17.011742115 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:17.496249914 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.139405012 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:28.636779070 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.636989117 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:28.917084932 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:28.964931011 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:29.244489908 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:29.252217054 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:29.746784925 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:29.746962070 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:30.230319023 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:40.420351028 CEST	49739	7707	192.168.2.3	61.14.233.88
Aug 5, 2022 13:09:40.902712107 CEST	7707	49739	61.14.233.88	192.168.2.3
Aug 5, 2022 13:09:40.902875900 CEST	49739	7707	192.168.2.3	61.14.233.88

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 5, 2022 13:07:47.267018080 CEST	8.8.8.8	192.168.2.3	0xd471	No error (0)	windowsupdatebg.s.llnwi.net		95.140.230.192	A (IP address)	IN (0x0001)
Aug 5, 2022 13:07:47.267018080 CEST	8.8.8.8	192.168.2.3	0xd471	No error (0)	windowsupdatebg.s.llnwi.net		178.79.225.0	A (IP address)	IN (0x0001)

Target ID:	0
Start time:	13:07:25
Start date:	05/08/2022
Path:	C:\Users\user\Desktop\Uhy4TvdjRw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Uhy4TvdjRw.exe"
Imagebase:	0x6d0000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Target ID:	4
Start time:	13:07:33
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	5
Start time:	13:07:33
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	6
Start time:	13:07:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat""
Imagebase:	0xc20000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	7
Start time:	13:07:34
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Imagebase:	0x9e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	8
Start time:	13:07:35
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	9
Start time:	13:07:35
Start date:	05/08/2022
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout 3
Imagebase:	0x80000
File size:	26112 bytes
MD5 hash:	121A4EDAE60A7AF6F5DFA82F7BB95659
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	10
Start time:	13:07:36
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\svchost.exe
Imagebase:	0xc00000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 68%, Virustotal, Browse Detection: 57%, Metadefender, Browse Detection: 96%, ReversingLabs
Reputation:	low

Target ID:	11
Start time:	13:07:38
Start date:	05/08/2022
Path:	C:\Users\user\AppData\Roaming\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\svchost.exe"
Imagebase:	0x260000
File size:	49152 bytes
MD5 hash:	10135B39A4A6D8717BA8CEEC380EF060
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low

Target ID:	29
Start time:	13:08:48
Start date:	05/08/2022
Path:	C:\Program Files\Windows Defender\MpCmdRun.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Imagebase:	0x7ff7b0320000
File size:	455656 bytes
MD5 hash:	A267555174BFA53844371226F482B86B
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Target ID:	30
Start time:	13:08:49
Start date:	05/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7c9170000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high