Source: Uhy4TvdjRw.exe | Virustotal: Detection: 67% |
Source: Uhy4TvdjRw.exe | Metadefender: Detection: 57% |
Source: Uhy4TvdjRw.exe | ReversingLabs: Detection: 96% |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1202836 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Virustotal: Detection: 67% |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Metadefender: Detection: 57% |
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 96% |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected |
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,61.14.233.88", "Ports": "6606,7707,8808", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"} |
Source: Uhy4TvdjRw.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: Uhy4TvdjRw.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 61.14.233.88 7707 |
Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 61.14.233.88:7707 -> 192.168.2.3:49739 |
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 61.14.233.88:7707 -> 192.168.2.3:49739 |
Source: Yara match | File source: Uhy4TvdjRw.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED |
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN |
Source: global traffic | TCP traffic: 192.168.2.3:49739 -> 61.14.233.88:7707 |
Source: unknown | TCP traffic detected without corresponding DNS query: 61.14.233.88 |
Source: svchost.exe, 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0 |
Source: svchost.exe, 0000000B.00000002.534132653.0000000005115000.00000004.00000800.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.11.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab |
Source: Uhy4TvdjRw.exe, 00000000.00000002.278002213.0000000002AC7000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: Yara match | File source: Uhy4TvdjRw.exe, type: SAMPLE |
Source: Yara match | File source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE |
Source: Yara match | File source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match | File source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match | File source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR |
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR |
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED |
Source: Uhy4TvdjRw.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR | Matched rule: Detects AsyncRAT Author: ditekSHen |
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys Author: ditekSHen |
Source: Uhy4TvdjRw.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0.2.Uhy4TvdjRw.exe.2b00314.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0000000B.00000002.534018978.0000000005100000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000003.304436416.00000000051E6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.280682459.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000003.269514411.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0000000B.00000002.526007263.0000000000A3A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 00000000.00000002.277813823.0000000002A71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000003.304383142.00000000051DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000A.00000002.304518771.0000000001439000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: 0000000B.00000002.528272233.00000000029A4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: 0000000A.00000002.305975314.0000000003341000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: Uhy4TvdjRw.exe PID: 2508, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: svchost.exe PID: 5208, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: Process Memory Space: svchost.exe PID: 4152, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT |
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_04EC91C8 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_04EC9EA0 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_04ECDB40 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_04ECF7F8 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_04EC8E80 |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 11_2_057D32D8 |
Source: Uhy4TvdjRw.exe, 00000000.00000000.257007882.00000000006D2000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe |
Source: Uhy4TvdjRw.exe, 00000000.00000002.278048476.0000000002B00000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe |
Source: Uhy4TvdjRw.exe | Binary or memory string: OriginalFilenamej% vs Uhy4TvdjRw.exe |
Source: Uhy4TvdjRw.exe | Virustotal: Detection: 67% |
Source: Uhy4TvdjRw.exe | Metadefender: Detection: 57% |
Source: Uhy4TvdjRw.exe | ReversingLabs: Detection: 96% |
Source: Uhy4TvdjRw.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Users\user\Desktop\Uhy4TvdjRw.exe "C:\Users\user\Desktop\Uhy4TvdjRw.exe" |
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp93E6.tmp.bat"" |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3 |
Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe |
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" |
Source: C:\Windows\System32\conhost.exe | Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable |
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 |
Source: classification engine | Classification label: mal100.troj.evad.winEXE@17/8@0/1 |
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: 0.0.Uhy4TvdjRw.exe.6d0000.0.unpack, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: Uhy4TvdjRw.exe, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() |
Source: svchost.exe.0.dr, FseaaQyFkS/YIdIJZaYgPiwszp.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) |
Source: Uhy4TvdjRw.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83% |
Source: C:\Users\user\Desktop\Uhy4TvdjRw.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: Uhy4TvdjRw.exe, cIBYexWXymf/VsHHNmuqOlgyY.cs | Base64 encoded string: 'rINKTV8RNDhUVTQ2UlmQxNLvun3m/IVV/oeeLlbJFNbMX3WsIpxtQwHfvqHSrqxB0pirqarn/CtEf7oWrPV+JA==', 'tKCcjiQJt2Hd++hlhtx+0yi/lZ1GNT0yK9NILXOeTmJ/r1zbNRgFr91mQbTrUbi8UZha2aMp3cP4sWtVOYvDXA==', 'ViSnkJU2TyD7eTm/mPt9N4FPgi66v7JKBBr2g1qHTGEcPnZ5xADq/6ZhMEtLRI1PceQ4kjE/pA5gWCJ2jIiiEQdMWzbE1b/ISE/DWiKMCMjnArPPaoVraLXpnepDakhVhJgaARm+GpIyBXMtpa57tm25QK1TUsycNK5fIETLwf8SDgA+OYdOU0mjjG+6D3Arflde41Heo5UAsPQXkl/68MJQciiWnCxA7GHgTK7EP02BGL/MGlPQWrqT6DO3Tp7wtQMaCHiII/L5UgbBENWkWk5+SvQTPleRGIP+IKheletffkYgkITvLKxytss1a7pGNOBAZR6gHxkr4g9G6Nr++95MAUYDctUvdvL8aMdNvDZF3UQf4OC8DAqscBqp0dbdmsfQUFVlST2dffHBIzDkwjlcXSbyLsP6351qtsy/djbnh8bcIjYLardsZFrbFaLVvZDMhqVxuvr240KxGGmqf9e17tgN5Yjhz6BDaoDFkv1vXpzFYAgdtnCcQCv7sTsWsIGJ4M+a0SLH0i9bdlA5E1w7S0AlWW96tQvL995EvEesmEHeCMtM4zeLshao24ugPhz6W7kRPiwVoUx2BTH6Qo/Bgs0GiFIBY6I1vbN4AL5LWE479S0b+ha+mTKVMMN3K7TJFS6xo30fs+WJ0SnHzBQo18AgSk9+jPqVNaSFr3G8OHb83jYq+D3r7edCCBesmgAuy2z/TNMEfhUOhnjZIAkLcy1uZoHxvoqUqL1dW3WMHCr/Lm0Y9D20u8r5keKrHmsOsXDfNdyrkDEcqJheNb2WStWclZExJNGYRgSjWSl7H9Q2DM1EBq0Z87kca6C1Y+EAf0lShvJhZYHWdk4fJYKiwnuZuOUoC32/uLzLpY6tN+LMVp231tEyjSsocb96q4D5MavacLXCqhVx3gAW3fv3l8eHE8AiPhR0js5OLKDgsoWva2qNFVF863ASInaFuBFz31UxSIHWFAcsElK/U+4frLy8HlTzP1VXU3dSfAO08uxqqdPeguvNmmPGDv3uQzeoY3+mzUx+Iu6KKEJVUe8diz9rYhPB28xPHU7sVS64bh5LX+R3ZOSpNZn/nJXUuuxvZoBOSmjMuMi67bE16mGQoX3SS2sZaNlSsTpcazv/Z6xdOVheVNPHwGDan4JfZbcS5soIgtMVUIKsmfUXjevbgoQFFlUWkUgOcFamoL/d+DBWVs2xrqiaHo6kyX4kt/rMq5Hu+XP0w0BX3XompFUVAtgyBPnkI5CGGmkiRAn4VWXMQ3e5+yg4XF05RdHp2z0Vh20Upyfu36jUpAN4qac+EUwa4j6pjz1Fqghk2lqHArzj9G14PprhVP7nW2YPG1gZ1jsTOjBVEgwtqWHAAMdWEQwvHMy5HykpeG21upiCUgDT86vZ1s1B8Vmr1R/cFsWcs+EzQAUfolK7ak0KaQv7xd2aAxuKjR5qS+0Uo152XJPLfJwDqqQyzn8vGF7dV3nmEwI82mwjD1QOJtKxX+J14SlT0MlNmCYhz2SEdb8e2I9Xv7Ea2qlvkIpvwT75OP/oJOsQxZKxb+huajW3tVpbnG6NybEC5SMXrCGxDbp1tJ1AZzjRcKfrbQ/pn3UvsZpy497nOiaYRJdugzARrGOI2+28Jw7O6KeDhdyFsLOeA4QKkhvRGt2U3ENVVOTfb3E0ewUgOKj69hJNJkaxL3h5oE+NdiuGQQ/IouUwmiaa30wjf+q2IcHkRZLfi9BNJERvRUaRCOYKktbt3+LfH0QnjxjtSDZjTPpovrBHMv1vmRy4Z0vOQ5RvNh7OzP6hipWoYCigQJVt4ciuKe/tjRpqPRBgr3w48FUlHdFvf3Uu8o/0JAz5jih5MZiCqCf2WJW7ThmhJ/XTD+JQfwCJJEQHmkR414M/ZjVhjBmSG97q5OaDB5QdAH3OzVqH7Z1j7LUC6c/xzkVf0b2m7zBckucWCMdx+ZRSdoyeKUvrKs3ShDt+LANsqi+4acNKlhZItqyFI+e2hizrnu/bLLIgmJXQb1EnmGYHcuawTDQK93sml4Ldc6uKOObo/kuX8tOHpjlNdKH/e9UHrvJJel5JjdXBS8eCAtzo0q/vF9TKX4JAf1OpC1b30hKe6T7gGVHYKUeJJXYbTcGXcDklxVUOumtZ03KJBOMcMXG++GTXj3KJvr3pUoZ3FkLe0x79Gkje8ShJWb+3OEnLS35sB/jZ8iIL5aIdQkoNNO1e16RcKmnW97Da7T8ud97UYgLW6gcjcjAPdJgJlt2X/+ANu7ohgrYAc7WsDQouQrMj/1+YVeYuo |