Windows Analysis Report
af5Cop6pCN.exe

Overview

General Information

Sample Name: af5Cop6pCN.exe
Analysis ID: 708255
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
Tags: AsyncRATexeRAT
Infos:

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

AV Detection
barindex
Multi AV Scanner detection for submitted file
Source: af5Cop6pCN.exe ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe Metadefender: Detection: 45% Perma Link
Antivirus / Scanner detection for submitted sample
Source: af5Cop6pCN.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Avira: detection malicious, Label: HEUR/AGEN.1235730
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe Metadefender: Detection: 45% Perma Link
Machine Learning detection for sample
Source: af5Cop6pCN.exe Joe Sandbox ML: detected
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Source: 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: AsyncRAT {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Uses 32bit PE files
Source: af5Cop6pCN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: af5Cop6pCN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 3.72.110.63 9087 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 104.20.67.143 443 Jump to behavior
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Traffic Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 3.72.110.63:9087 -> 192.168.2.4:49708
Yara detected Generic Downloader
Source: Yara match File source: af5Cop6pCN.exe, type: SAMPLE
Source: Yara match File source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: <!Cv
Connects to a pastebin service (likely for C&C)
Source: unknown DNS query: name: pastebin.com
Uses dynamic DNS services
Source: unknown DNS query: name: termsiya.duckdns.org
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AMAZON-02US AMAZON-02US
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1Host: pastebin.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.20.67.143 104.20.67.143
Source: Joe Sandbox View IP Address: 104.20.67.143 104.20.67.143
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49708 -> 3.72.110.63:9087
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: svchost.exe, 00000008.00000002.584593553.000000001BB13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?541049bf1a9dc
Source: svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://pastebin.com
Source: af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/pffCggZp
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com8
Source: unknown DNS traffic detected: queries for: pastebin.com
Source: global traffic HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1Host: pastebin.comConnection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Yara detected AsyncRAT
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Uses 32bit PE files
Source: af5Cop6pCN.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Yara signature match
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: af5Cop6pCN.exe, type: SAMPLE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640E8A2 8_2_00007FF81640E8A2
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640F33D 8_2_00007FF81640F33D
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FF81640DAF6 8_2_00007FF81640DAF6
Sample file is different than original file name gathered from version info
Source: af5Cop6pCN.exe, 00000000.00000002.322593978.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303241374.0000000000B5C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
PE file contains strange resources
Source: af5Cop6pCN.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\svchost.exe 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
Source: af5Cop6pCN.exe ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe Metadefender: Detection: 45%
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File read: C:\Users\user\Desktop\af5Cop6pCN.exe Jump to behavior
Source: af5Cop6pCN.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\af5Cop6pCN.exe "C:\Users\user\Desktop\af5Cop6pCN.exe"
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp Jump to behavior
Source: classification engine Classification label: mal100.troj.evad.winEXE@15/7@2/2
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: af5Cop6pCN.exe, u0002/u0004.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: af5Cop6pCN.exe, u0002/u0004.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, u0002/u0004.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: svchost.exe.0.dr, u0002/u0004.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: af5Cop6pCN.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll Jump to behavior
Source: af5Cop6pCN.exe, u0004/u0001.cs Base64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', 'o2bYOIFp6AZpWvxNIPcihIGfo9Ho55pISkQhGgXBZji3s012IQFLDYyEWJI2K1LHQcImJs2aoo7SwHnSJPNhVWmy7QDWcBjNtwJph4MGqwYCh/yeYbHhXo15g8iTdLzzt2TDmXqVtRG30+lCAUZlw1feEQgOuNOPBQexHmVu9jbtc1d95Zq2G+dM8WhkkEHgbp+Yk8HcI1uLdUnb2kmlT5T4ZeWNduSRCQRX/loCzc9SAg+0DLSuibjH0oLOh+oVnuCPy5/zo/AjPYoNsr6dpurwTBo8ujAVxHN3+HqcDTNwemUY5IcXe770/Mshye9ZGVZa+EDxq1ciq6dC/kw3w32lWdvBVZyB9/vj8whUjDlwg6QzaLvzg+y0Wz8HXijKTsuQVfT4olrfcHBala8oV9Uuo73jkENOaWC0MzGrZ2KQYti4c+bqr8RPNdvRKoThM30Yh+BGwxj1S/vvYYP3I0L9ef7md6+lm9GWLHXiWG3Y+DDvPTs0j+KxEWztRjnnukytDheUL1ukm9z1ylGU2V6wprM+p+XfDAkO8yoqio/noZw0iODf5xLumTJM7WZSwSeL8RYV+zehZi2nhOPWPFOgRlvXQQZxK7CWvp/u7ThLCeX5LfxYnPtNk87u7Ex5oxlPHDKnzIRHuSNxk/mvbh7cRYST/Ng92C1/tcK6U3o5Y1uXdj5pfTMBelz6KjeX6uez9yzNJZoRr8gR8RT4JM4AwlzOQtLEHF086gslMrpv6DqauwyEMUfYKzEGmukTzOYKLmTCuXyvA56yxZCRUuIlnaKVHi2tSa+pfyZNQulGmo79luX2w2AS0e5He89Q6m6uioAbE4W00S0U7rhb+xhhvtW3de6EAYoRpIPjOCcem32zTqA+iCzFxD8KwGz3otXtIsxD9jcT+L6seAlR5ER7OTftdjSq+TnFZcVxEe7Xr43yKzg7BMXu96NGrL/zDicbsXMisnIQ05/yRl/rnrN0U3ug3A/tVwl8yTGioM5o5p8Lu2ejzt+gbrF036M0C8fX7RQ8kq3wgf1f6TAKiV6s3xadnFkU6HwGNppKtX3s46iKx+Kfz1QwU0w5+iwQ', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
Source: svchost.exe.0.dr, u0004/u0001.cs Base64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', 'o2bYOIFp6AZpWvxNIPcihIGfo9Ho55pISkQhGgXBZji3s012IQFLDYyEWJI2K1LHQcImJs2aoo7SwHnSJPNhVWmy7QDWcBjNtwJph4MGqwYCh/yeYbHhXo15g8iTdLzzt2TDmXqVtRG30+lCAUZlw1feEQgOuNOPBQexHmVu9jbtc1d95Zq2G+dM8WhkkEHgbp+Yk8HcI1uLdUnb2kmlT5T4ZeWNduSRCQRX/loCzc9SAg+0DLSuibjH0oLOh+oVnuCPy5/zo/AjPYoNsr6dpurwTBo8ujAVxHN3+HqcDTNwemUY5IcXe770/Mshye9ZGVZa+EDxq1ciq6dC/kw3w32lWdvBVZyB9/vj8whUjDlwg6QzaLvzg+y0Wz8HXijKTsuQVfT4olrfcHBala8oV9Uuo73jkENOaWC0MzGrZ2KQYti4c+bqr8RPNdvRKoThM30Yh+BGwxj1S/vvYYP3I0L9ef7md6+lm9GWLHXiWG3Y+DDvPTs0j+KxEWztRjnnukytDheUL1ukm9z1ylGU2V6wprM+p+XfDAkO8yoqio/noZw0iODf5xLumTJM7WZSwSeL8RYV+zehZi2nhOPWPFOgRlvXQQZxK7CWvp/u7ThLCeX5LfxYnPtNk87u7Ex5oxlPHDKnzIRHuSNxk/mvbh7cRYST/Ng92C1/tcK6U3o5Y1uXdj5pfTMBelz6KjeX6uez9yzNJZoRr8gR8RT4JM4AwlzOQtLEHF086gslMrpv6DqauwyEMUfYKzEGmukTzOYKLmTCuXyvA56yxZCRUuIlnaKVHi2tSa+pfyZNQulGmo79luX2w2AS0e5He89Q6m6uioAbE4W00S0U7rhb+xhhvtW3de6EAYoRpIPjOCcem32zTqA+iCzFxD8KwGz3otXtIsxD9jcT+L6seAlR5ER7OTftdjSq+TnFZcVxEe7Xr43yKzg7BMXu96NGrL/zDicbsXMisnIQ05/yRl/rnrN0U3ug3A/tVwl8yTGioM5o5p8Lu2ejzt+gbrF036M0C8fX7RQ8kq3wgf1f6TAKiV6s3xadnFkU6HwGNppKtX3s46iKx+Kfz1QwU0w5+iwQ', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_stankakusust
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
Source: af5Cop6pCN.exe, u0007/u0004.cs Cryptographic APIs: 'CreateDecryptor'
Source: svchost.exe.0.dr, u0007/u0004.cs Cryptographic APIs: 'CreateDecryptor'
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: af5Cop6pCN.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: af5Cop6pCN.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains potential unpacker
Source: af5Cop6pCN.exe, u0007/u0001.cs .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: svchost.exe.0.dr, u0007/u0001.cs .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file

Boot Survival
barindex
Yara detected AsyncRAT
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'

Hooking and other Techniques for Hiding and Protection
barindex
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Source: initial sample Icon embedded in binary file: icon matches a legit application icon: google.png
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Yara detected AsyncRAT
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\af5Cop6pCN.exe TID: 5264 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2904 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 Thread sleep count: 104 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1032 Thread sleep count: 9788 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\svchost.exe Window / User API: threadDelayed 9788 Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: svchost.exe, 00000008.00000003.369120788.000000001BC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585145466.000000001BC00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Enables debug privileges
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 3.72.110.63 9087 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe Network Connect: 104.20.67.143 443 Jump to behavior
.NET source code references suspicious native API functions
Source: af5Cop6pCN.exe, u0002/u0002.cs Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
Source: af5Cop6pCN.exe, u0005/u0001.cs Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
Source: svchost.exe.0.dr, u0002/u0002.cs Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
Source: svchost.exe.0.dr, u0005/u0001.cs Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe" Jump to behavior
Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577152515.00000000032A9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager(
Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.584908795.000000001BB86000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager0y
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Queries volume information: C:\Users\user\Desktop\af5Cop6pCN.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\af5Cop6pCN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Yara detected AsyncRAT
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\svchost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
AV process strings found (often used to terminate AV products)
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: MSASCui.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: procexp.exe
Source: svchost.exe, 00000008.00000003.448206192.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected DcRat
Source: Yara match File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected DcRat
Source: Yara match File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 708255 Sample: af5Cop6pCN.exe Startdate: 23/09/2022 Architecture: WINDOWS Score: 100 40 Snort IDS alert for network traffic 2->40 42 Malicious sample detected (through community Yara rule) 2->42 44 Antivirus / Scanner detection for submitted sample 2->44 46 12 other signatures 2->46 7 af5Cop6pCN.exe 7 2->7         started        11 svchost.exe 3 2->11         started        process3 file4 30 C:\Users\user\AppData\Roaming\svchost.exe, PE32 7->30 dropped 32 C:\Users\user\AppData\...\af5Cop6pCN.exe.log, ASCII 7->32 dropped 50 Drops PE files with benign system names 7->50 13 cmd.exe 1 7->13         started        15 cmd.exe 1 7->15         started        52 Antivirus detection for dropped file 11->52 54 System process connects to network (likely due to code injection or exploit) 11->54 56 Multi AV Scanner detection for dropped file 11->56 58 Machine Learning detection for dropped file 11->58 signatures5 process6 signatures7 18 svchost.exe 1 2 13->18         started        22 conhost.exe 13->22         started        24 timeout.exe 1 13->24         started        60 Uses schtasks.exe or at.exe to add and modify task schedules 15->60 26 conhost.exe 15->26         started        28 schtasks.exe 1 15->28         started        process8 dnsIp9 34 termsiya.duckdns.org 3.72.110.63, 49708, 9087 AMAZON-02US United States 18->34 36 pastebin.com 104.20.67.143, 443, 49707 CLOUDFLARENETUS United States 18->36 38 windowsupdatebg.s.llnwi.net 18->38 48 System process connects to network (likely due to code injection or exploit) 18->48 signatures10
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
3.72.110.63
 termsiya.duckdns.org United States
16509 AMAZON-02US true
104.20.67.143
 pastebin.com United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
pastebin.com 104.20.67.143 true
termsiya.duckdns.org 3.72.110.63 true
windowsupdatebg.s.llnwi.net 95.140.230.192 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://pastebin.com/raw/pffCggZp false
    		high
    <!Cv true
    • Avira URL Cloud: safe
    		 low