
Windows Analysis Report
af5Cop6pCN.exe

Overview

General Information

Sample Name: af5Cop6pCN.exe
Analysis ID: 708255
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
Tags: AsyncRAT, exe, RAT

Detection

Detected families: AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • af5Cop6pCN.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\af5Cop6pCN.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
    • cmd.exe (PID: 1236 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1592 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
    • cmd.exe (PID: 1256 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3228 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
      • svchost.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • svchost.exe (PID: 1120 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • cleanup

Malware Configuration

AsyncRAT: {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Yara Matches

Source | Rule | Description | Author | Strings
af5Cop6pCN.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
    • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x160fe:$q1: Select * from Win32_CacheMemory
    • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0x16576:$s1: DcRatBy
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x1973d:$b2: DcRat By qwqdanchun1
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
    • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x160fe:$q1: Select * from Win32_CacheMemory
    • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0x16576:$s1: DcRatBy
00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0xc6c8:$b2: DcRat By qwqdanchun1
00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x1da1c:$b2: DcRat By qwqdanchun1
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
    • 0x468c:$b2: DcRat By qwqdanchun1
00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
(14 further memory dump matches not shown)
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
    • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
    • 0x160fe:$q1: Select * from Win32_CacheMemory
    • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
    • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
    • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
    • 0x16576:$s1: DcRatBy
0.2.af5Cop6pCN.exe.12fb80c8.1.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
    • 0x14086:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
    • 0x13fcb:$s2: L2Mgc2NodGFza3MgL2
    • 0x13f46:$s3: QW1zaVNjYW5CdWZmZXI
    • 0x13f94:$s4: VmlydHVhbFByb3RlY3Q
(5 further unpacked PE matches not shown)

            Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\af5Cop6pCN.exe" , ParentImage: C:\Users\user\Desktop\af5Cop6pCN.exe, ParentProcessId: 4856, ParentProcessName: af5Cop6pCN.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 1236, ProcessName: cmd.exe

Snort IDS alerts

Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
Source Port: 9087
Destination Port: 49708
SID: 2848152
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
Source Port: 9087
Destination Port: 49708
SID: 2034847
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: af5Cop6pCN.exe | ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1235730
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Source: af5Cop6pCN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: af5Cop6pCN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Networking

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 3.72.110.63 9087
Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 104.20.67.143 443
Source: Traffic | Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Yara match | File source: af5Cop6pCN.exe, type: SAMPLE
Source: Yara match | File source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Malware configuration extractor | URLs: <!Cv
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: termsiya.duckdns.org
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.67.143 104.20.67.143
Source: unknown | HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: global traffic | TCP traffic: 192.168.2.4:49708 -> 3.72.110.63:9087
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: svchost.exe, 00000008.00000002.584593553.000000001BB13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?541049bf1a9dc
Source: svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pffCggZp
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com8
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1; Host: pastebin.com; Connection: Keep-Alive

            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

            System Summary

Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: af5Cop6pCN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
            Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 8_2_00007FF81640E8A28_2_00007FF81640E8A2
            Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 8_2_00007FF81640F33D8_2_00007FF81640F33D
            Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 8_2_00007FF81640DAF68_2_00007FF81640DAF6
            Source: af5Cop6pCN.exe, 00000000.00000002.322593978.0000000000F5A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs af5Cop6pCN.exe
            Source: af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
            Source: af5Cop6pCN.exe, 00000000.00000000.303241374.0000000000B5C000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
            Source: af5Cop6pCN.exeBinary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
            Source: af5Cop6pCN.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: svchost.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Roaming\svchost.exe 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
            Source: af5Cop6pCN.exeReversingLabs: Detection: 92%
            Source: af5Cop6pCN.exeMetadefender: Detection: 45%
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File read: C:\Users\user\Desktop\af5Cop6pCN.exe
            Source: af5Cop6pCN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown | Process created: C:\Users\user\Desktop\af5Cop6pCN.exe "C:\Users\user\Desktop\af5Cop6pCN.exe"
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File created: C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/7@2/2
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File read: C:\Users\user\Desktop\desktop.ini
            Source: af5Cop6pCN.exe, u0002/u0004.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: af5Cop6pCN.exe, u0002/u0004.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: svchost.exe.0.dr, u0002/u0004.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: svchost.exe.0.dr, u0002/u0004.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: af5Cop6pCN.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: af5Cop6pCN.exe, u0004/u0001.cs | Base64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', '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', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
            Source: svchost.exe.0.dr, u0004/u0001.cs | Base64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', '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', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_01
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_stankakusust
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: af5Cop6pCN.exe, u0007/u0004.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: svchost.exe.0.dr, u0007/u0004.cs | Cryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\AppData\Roaming\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts (repeated 4 times)
            Source: af5Cop6pCN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: af5Cop6pCN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: af5Cop6pCN.exe, u0007/u0001.cs | .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: svchost.exe.0.dr, u0007/u0001.cs | .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (dropped file)

            Boot Survival

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
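            The persistence chain recorded above (af5Cop6pCN.exe spawns cmd.exe, which runs schtasks /create with /sc onlogon and /rl highest, pointing a task named "svchost" at a dropped svchost.exe under %APPDATA%, after which that copy is started from a user-writable path) is exactly the pattern process-creation telemetry should catch. The following detector is an added example, not part of the Joe Sandbox report or of the sample's code: it parses schtasks /create command lines, checks the task's trigger, run level, name and action path, and separately flags a system-process name (svchost.exe) executing from outside System32. The event list is constructed from the command lines in this report; SYSTEM_PROCESS_NAMES, USER_WRITABLE and SYSTEM_DIRS are illustrative assumptions, not lists from the page.

```python
"""Flag the scheduled-task persistence and svchost.exe masquerading seen in
this report from process-creation events (image path + command line).
Added example; the indicator lists below are illustrative assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed list of Windows process names that droppers borrow for file/task names.
SYSTEM_PROCESS_NAMES = {"svchost", "conhost", "csrss", "lsass", "explorer",
                        "winlogon", "services", "smss", "wininit", "dwm"}
# Assumed user-writable locations; persistence pointing here is suspect.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\",
                 "\\programdata\\", "\\temp\\")
# Where the genuine binaries with the names above live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# schtasks options that take a value; the value may be bare, "quoted" or 'single-quoted'.
VALUE_OPT = re.compile(r"""/(sc|rl|tn|tr)\s+('[^']*'|"[^"]*"|\S+)""", re.I)
OPT_FIELD = {"sc": "schedule", "rl": "runlevel", "tn": "name", "tr": "action"}


@dataclass
class Event:
    image: str    # full path of the created process
    cmdline: str


@dataclass
class TaskSpec:
    schedule: str = ""
    runlevel: str = ""
    name: str = ""
    action: str = ""
    force: bool = False
    single_quoted_action: bool = False  # /tr '"..."' wrapping, as seen in this report


def parse_schtasks_create(cmdline: str) -> TaskSpec | None:
    """Extract /sc, /rl, /tn, /tr and /f from a `schtasks /create` command line."""
    if not re.search(r"\bschtasks(\.exe)?\b.*?/create\b", cmdline, re.I):
        return None
    spec = TaskSpec(force=bool(re.search(r"\s/f\b", cmdline, re.I)))
    for opt, raw in VALUE_OPT.findall(cmdline):
        value = raw
        if len(value) >= 2 and value.startswith("'") and value.endswith("'"):
            value = value[1:-1]           # drop the literal single quotes
            if opt.lower() == "tr":
                spec.single_quoted_action = True
        setattr(spec, OPT_FIELD[opt.lower()], value.strip('"'))
    return spec


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_dirs(path: str, dirs: tuple[str, ...]) -> bool:
    low = path.lower()
    return any(d in low for d in dirs)


def check_task(spec: TaskSpec) -> list[str]:
    """Rules for one parsed task; each returned string is one finding."""
    hits = []
    stem = basename(spec.action).removesuffix(".exe")
    if (spec.schedule.lower() in {"onlogon", "onstart"}
            and spec.runlevel.lower() == "highest"
            and in_dirs(spec.action, USER_WRITABLE)):
        hits.append("task: logon/boot trigger with /rl highest, action in user-writable dir")
    if spec.name.lower() in SYSTEM_PROCESS_NAMES:
        hits.append(f"task: name '{spec.name}' mimics a Windows system process")
    if stem in SYSTEM_PROCESS_NAMES and not in_dirs(spec.action, SYSTEM_DIRS):
        hits.append(f"task: action {stem}.exe lives outside System32/SysWOW64")
    if spec.single_quoted_action:
        hits.append("task: /tr value wrapped in literal single quotes")
    return hits


def check_image(image: str) -> list[str]:
    """A system-process name running from a non-system directory."""
    stem = basename(image).removesuffix(".exe")
    if stem in SYSTEM_PROCESS_NAMES and not in_dirs(image, SYSTEM_DIRS):
        return [f"process: {stem}.exe running from {image}"]
    return []


def analyze(events: list[Event]) -> list[tuple[int, str]]:
    """Return (event index, finding) pairs for a list of process-creation events."""
    findings: list[tuple[int, str]] = []
    for i, ev in enumerate(events):
        findings += [(i, h) for h in check_image(ev.image)]
        spec = parse_schtasks_create(ev.cmdline)
        if spec is not None:
            findings += [(i, h) for h in check_task(spec)]
    return findings


# Constructed from the process-creation lines of this report.
TASK_CMD = ("schtasks /create /f /sc onlogon /rl highest /tn \"svchost\" "
            "/tr '\"C:\\Users\\user\\AppData\\Roaming\\svchost.exe\"'")
EVENTS = [
    Event(r"C:\Users\user\Desktop\af5Cop6pCN.exe", r'"C:\Users\user\Desktop\af5Cop6pCN.exe"'),
    Event(r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c ' + TASK_CMD + " & exit"),
    Event(r"C:\Windows\System32\schtasks.exe", TASK_CMD),
    Event(r"C:\Windows\System32\timeout.exe", "timeout 3"),
    Event(r"C:\Users\user\AppData\Roaming\svchost.exe", r'"C:\Users\user\AppData\Roaming\svchost.exe"'),
]

if __name__ == "__main__":
    for idx, finding in analyze(EVENTS):
        print(f"event {idx}: {finding}")
```

            Run stand-alone, the script reports the cmd.exe wrapper and the schtasks.exe child (four findings each) and the svchost.exe start from %APPDATA% (one finding); the benign af5Cop6pCN.exe launch and timeout.exe produce nothing. The literal single quotes around the /tr value are flagged on their own because schtasks accepts a plain double-quoted path, so their presence in a command line is a cheap, specific fingerprint of this loader's persistence routine; the user-writable-path and name-mimicry rules are what catch a variant that drops the quotes or picks a different task name.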

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: google.png
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process information set: NOOPENFILEERRORBOX (repeated 29 times)
            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: NOOPENFILEERRORBOX (repeated 71 times)

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe TID: 5264 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2904 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 | Thread sleep count: 104 > 30
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1032 | Thread sleep count: 9788 > 30
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 9788
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation
            Source: svchost.exe, 00000008.00000003.369120788.000000001BC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585145466.000000001BC00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 3.72.110.63 9087
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: pastebin.com
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: termsiya.duckdns.org
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 104.20.67.143 443
            Source: af5Cop6pCN.exe, u0002/u0002.cs | Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
            Source: af5Cop6pCN.exe, u0005/u0001.cs | Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
            Source: svchost.exe.0.dr, u0002/u0002.cs | Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
            Source: svchost.exe.0.dr, u0005/u0001.cs | Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577152515.00000000032A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager(
            Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.584908795.000000001BB86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager0y
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Queries volume information: C:\Users\user\Desktop\af5Cop6pCN.exe VolumeInformation
            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: MSASCui.exe
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: procexp.exe
            Source: svchost.exe, 00000008.00000003.448206192.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

MITRE ATT&CK Matrix (one line per tactic; the leading digits on a technique are the report's count badges, kept as extracted)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 1 Windows Management Instrumentation; 1 Scripting; 1 Native API; 2 Scheduled Task/Job; Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
Persistence: 2 Scheduled Task/Job; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Privilege Escalation: 112 Process Injection; 2 Scheduled Task/Job; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Scripting; 11 Obfuscated Files or Information; 1 Software Packing; 21 Masquerading; 21 Virtualization/Sandbox Evasion; 112 Process Injection
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 File and Directory Discovery; 13 System Information Discovery; 1 Query Registry; 121 Security Software Discovery; 2 Process Discovery; 21 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
Collection: 11 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Commonly Used Port; Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue
Behavior Graph (ID: 708255; Sample: af5Cop6pCN.exe; Start date: 23/09/2022; Architecture: WINDOWS; Score: 100)

Top-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures

Process tree and connections (reconstructed from the graph text):

af5Cop6pCN.exe (started)
    dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32)
    dropped: C:\Users\user\AppData\...\af5Cop6pCN.exe.log (ASCII)
    signature: Drops PE files with benign system names
    cmd.exe (started)
        svchost.exe (started)
            connects to: termsiya.duckdns.org 3.72.110.63 (ports 49708, 9087; AMAZON-02US, United States)
            connects to: pastebin.com 104.20.67.143 (ports 443, 49707; CLOUDFLARENETUS, United States)
            connects to: windowsupdatebg.s.llnwi.net
            signature: System process connects to network (likely due to code injection or exploit)
        conhost.exe (started)
        timeout.exe (started)
    cmd.exe (started)
        signature: Uses schtasks.exe or at.exe to add and modify task schedules
        conhost.exe (started)
        schtasks.exe (started)
svchost.exe (started)
    signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Antivirus, Machine Learning and Genetic Malware Detection

Initial sample:
Source | Detection | Scanner | Label
af5Cop6pCN.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
af5Cop6pCN.exe | 46% | Metadefender | (Browse)
af5Cop6pCN.exe | 100% | Avira | HEUR/AGEN.1235730
af5Cop6pCN.exe | 100% | Joe Sandbox ML |

Dropped files:
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | HEUR/AGEN.1235730
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |

Unpacked PE files:
Source | Detection | Scanner | Label
0.0.af5Cop6pCN.exe.b40000.0.unpack | 100% | Avira | HEUR/AGEN.1235730 (Download File)

Domains: No Antivirus matches

URLs:
Source | Detection | Scanner | Label
<!Cv | 0% | Avira URL Cloud | safe
https://pastebin.com8 | 0% | Avira URL Cloud | safe
Contacted domains:
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.20.67.143 | true | false | | high
termsiya.duckdns.org | 3.72.110.63 | true | true | | unknown
windowsupdatebg.s.llnwi.net | 95.140.230.192 | true | false | | unknown
Contacted URLs:
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/pffCggZp | false | | high
<!Cv | true | Avira URL Cloud: safe | low
URLs from memory and binary strings:
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pastebin.com | svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com | svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com8 | svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
Contacted public IPs:
IP | Domain | Country | ASN | ASN Name | Malicious
3.72.110.63 | termsiya.duckdns.org | United States | 16509 | AMAZON-02US | true
104.20.67.143 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
General Information

Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708255
Start date and time: 2022-09-23 08:14:53 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: af5Cop6pCN.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/7@2/2
EGA Information:
• Successful, ratio: 33.3%
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 83
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• Excluded IPs from analysis (whitelisted): 95.140.230.192
• Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com, wu-bg-shim.trafficmanager.net
• Execution Graph export aborted for target af5Cop6pCN.exe, PID 4856 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 1120 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: af5Cop6pCN.exe
Simulations:
Time | Type | Description
08:15:56 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
Context (other analysed samples associated with the same IPs, domains, ASNs and dropped file): list omitted.
                            Process:C:\Users\user\AppData\Roaming\svchost.exe
                            File Type:Microsoft Cabinet archive data, 61745 bytes, 1 file
                            Category:dropped
                            Size (bytes):61745
                            Entropy (8bit):7.9946980850644
                            Encrypted:true
                            SSDEEP:768:chu+lK9x0bQ39uYFd7JuxDYQpxtxbVUt1bgZZisGRGL1V0u17ifoio8w/FFdG1Cb:klKIEvJJQjlZw9kEuQ1mFdGcLjx/eWL
                            MD5:6C6A24456559F305308CB1FB6C5486B3
                            SHA1:3273AC27D78572F16C3316732B9756EBC22CB6ED
                            SHA-256:EFC3C579BD619CEAB040C4B8C1B821B2D82C64FDDD9E80A00EC0D7F6577ED973
                            SHA-512:587D4A9175A6AA82CD8BB1C11CA6508F95CD218F76AC322DDBD1BC7146A0E25F8937EE426A6FB0FB0BB045CEDB24D8C8A9EDFE9F654112F293D8701220F726B4
                            Malicious:false
                            Preview:MSCF....1.......,...................I........z.........T.M .authroot.stl.7....4..CK..<Tk...c.5..!g..R#DdwE..Y.e..AH......$E.KB..D..%*J....T7....}......9....o..$.&<..qE.^.8+..&...O....`...+..C......`h!...@.(K..1Q.L.p.g.i...B..u..H..g$...f.**"..5x.%.E.-.#..,.....E#Q.m.W.....*.$T...Bp{.2.|.f....S...L0...Z.=..C.....u\......Y..s.ls.M.K...Y_..9F*iF.F......;3.H....ql.Q..K..~.%3+z..S..."....b.H..M.lk..Y..q.Ln.y"._......K...d..`.o...!....|..pm..!....|.#-.....{...s.cW0.....;.....Ba....r0.w..L.#.v.&_!.?hcp.SI....GH.6.j...P..(8g..... Lt.`......h<.i.0............v......{.!........4E...q.*im.#.J.j[...M..R..w.;.3 ...U`eK2'...\n.. d.F.dV.#......J.....'..U.4...p.b.E.."y%|x..5\...Oo.......B.'.D..L<.'.......o...pbM.......eh,.b...m.:XJ...wa........dM.j.........+./......."4...t..5..r9.l.. "h.{.n.....E...9.uk.....eM..)['.F.#.6m...wY.L...T9..E.L...j.q.....!_u....-a..r,.H.B <..t..8S.....'.2.........w.3.....~...m|-.IA......F9G.......1...\..\)6.H.<...
                            Process:C:\Users\user\AppData\Roaming\svchost.exe
                            File Type:data
                            Category:modified
                            Size (bytes):290
                            Entropy (8bit):2.9849106129347183
                            Encrypted:false
                            SSDEEP:6:kKKUw6joSN+SkQlPlEGYRMY9z+4KlDA3RUe/:iPkPlE99SNxAhUe/
                            MD5:0A24000D2533F1DB86BCDD6B1D3A67C5
                            SHA1:E1CB7831AD96C125559F2C2EA100F1B06A35D631
                            SHA-256:1E0841BFC0239DDBBD3EDCAB1B695741525F1A61D2E620857C2E753FCBC19E42
                            SHA-512:B5A11055321A905CF4ED90885954DA66D982660CD08F4D9A90AF618FB2D075FF2D54A4C6980D2AA2F0FFC5E68E20DD01A6FB6A6183CF2A21306E71A16F4DCA42
                            Malicious:false
                            Preview:p...... ........A.......(....................................................... ........$_C....................1...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                            Process:C:\Users\user\Desktop\af5Cop6pCN.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):425
                            Entropy (8bit):5.351599573976469
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
                            MD5:BEBB66F4CB83D5C34857FE75DE3A8610
                            SHA1:66FB475AADAE0D4542125C8E272D9D6BBFA555BB
                            SHA-256:C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
                            SHA-512:45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
                            Malicious:true
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
                            Process:C:\Users\user\AppData\Roaming\svchost.exe
                            File Type:ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):425
                            Entropy (8bit):5.351599573976469
                            Encrypted:false
                            SSDEEP:12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
                            MD5:BEBB66F4CB83D5C34857FE75DE3A8610
                            SHA1:66FB475AADAE0D4542125C8E272D9D6BBFA555BB
                            SHA-256:C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
                            SHA-512:45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
                            Malicious:false
                            Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..

                            Process:C:\Users\user\Desktop\af5Cop6pCN.exe
                            File Type:DOS batch file, ASCII text, with CRLF line terminators
                            Category:dropped
                            Size (bytes):151
                            Entropy (8bit):5.01924739101347
                            Encrypted:false
                            SSDEEP:3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRI6fIV5ZPy:hWKqTtT6wknaZ5Omq1wkn23fTbok
                            MD5:0275960B1A2EDAF670AECD394006F2F0
                            SHA1:0514DE3160222AD806EF30F1249BF8F3131E78D2
                            SHA-256:26DF3ED9CE964E53E16A1CC530C5171A90CF36BD79F916A3C9E036C75C03A596
                            SHA-512:D710C4276828455E9E54207F448674A64CC455F546F70FF0F5C204DB0FDED2AD5D63DE4E5C812040D037DFD35A04681B3437909EAFD6F0742D811D01A9657B17
                            Malicious:false
                            Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp5ECD.tmp.bat" /f /q..

                            Process:C:\Users\user\Desktop\af5Cop6pCN.exe
                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Category:dropped
                            Size (bytes):282112
                            Entropy (8bit):5.43867724754543
                            Encrypted:false
                            SSDEEP:3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt
                            MD5:32A56B4E67436BDD3D39809A9BE949B8
                            SHA1:DAC60CA2763D18CE9451B28F4D0A1D9FBDC3F4FC
                            SHA-256:5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
                            SHA-512:70B8DC7B1509CFA3975C97BAA4A2B49746FAC2438307AB97AE67BDD0E98D2D26E05F2E83C0349234B4DEB9314715AEA01084FD11E7F77B2D4BBA856AA7726E47
                            Malicious:true
                            Yara Hits:
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            Antivirus:
                            • Antivirus: Avira, Detection: 100%
                            • Antivirus: Joe Sandbox ML, Detection: 100%
                            Joe Sandbox View:
                            • Filename: 9DDA529B0771FC5B9C6BDFAD049D25CB487542B0C5AEA.exe, Detection: malicious, Browse
                            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b............................R.... ........@.. ....................................@.....................................J.......V............................................................................ ............... ..H............text...X.... ...................... ..`.rsrc...V...........................@..@.reloc...............L..............@..B................8.......H.......|............... ................................................0...............8....8.....X.T+.8.....XJE........2...@.......r.......%...4...........7...9...Q..._...8....8[.....X8Y.....XJ.XT.~....-.&.+.8G.....X.T.+.++.8=....8.....,[89.....XJ~....81.../6..8d.....~....:X...&.8Q... ....(.....~....:<...&.85....,.(....-..8%...+..~....:....&.8.......8.....(!...-F.~....-.&.+....XJE........$.......+.(*....~....-.&.+.(-....~....,.&.+..*...&.~....,.&.+...XJE........+........X.

                            Process:C:\Windows\System32\timeout.exe
                            File Type:ASCII text, with CRLF line terminators, with overstriking
                            Category:dropped
                            Size (bytes):60
                            Entropy (8bit):4.41440934524794
                            Encrypted:false
                            SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                            MD5:3DD7DD37C304E70A7316FE43B69F421F
                            SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                            SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                            SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                            Malicious:false
                            Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..

                            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                            Entropy (8bit):5.43867724754543
                            TrID:
                            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            • Win32 Executable (generic) a (10002005/4) 49.78%
                            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                            • Generic Win/DOS Executable (2004/3) 0.01%
                            • DOS Executable Generic (2002/1) 0.01%
                            File name:af5Cop6pCN.exe
                            File size:282112
                            MD5:32a56b4e67436bdd3d39809a9be949b8
                            SHA1:dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
                            SHA256:5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
                            SHA512:70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47
                            SSDEEP:3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt
                            TLSH:CF54A60113D1EBBBEDD2297F8F73C207165F6B8163B5AD962C40554EBA12E5720D3A0E
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b............................R.... ........@.. ....................................@................................
                            Icon Hash:70d4828c88c2e471
                            Entrypoint:0x41b052
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Time Stamp:0x62CF63D4 [Thu Jul 14 00:31:16 2022 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:4
                            OS Version Minor:0
                            File Version Major:4
                            File Version Minor:0
                            Subsystem Version Major:4
                            Subsystem Version Minor:0
                            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                            Instruction
                            jmp dword ptr [00402000h]
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            add byte ptr [eax], al
                            Name | Virtual Address | Virtual Size | Is in Section
                            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b008 | 0x4a | .text
                            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0x2b656 | .rsrc
                            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
                            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                            Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                            .text | 0x2000 | 0x19058 | 0x19200 | False | 0.5033523787313433 | data | 5.832513098107651 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            .rsrc | 0x1c000 | 0x2b656 | 0x2b800 | False | 0.1814947018678161 | data | 4.751075003232281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                            .reloc | 0x48000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                            Name | RVA | Size | Type | Language | Country
                            RT_ICON | 0x1c0ac | 0x2d6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                            RT_ICON | 0x1ee3b | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0
                            RT_ICON | 0x2f687 | 0x94a8 | data
                            RT_ICON | 0x38b53 | 0x5488 | data
                            RT_ICON | 0x3dfff | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696
                            RT_ICON | 0x4224b | 0x25a8 | data
                            RT_ICON | 0x44817 | 0x10a8 | data
                            RT_ICON | 0x458e3 | 0x988 | data
                            RT_ICON | 0x4628f | 0x468 | GLS_BINARY_LSB_FIRST
                            RT_GROUP_ICON | 0x46733 | 0x84 | data
                            RT_VERSION | 0x467f3 | 0x3a4 | data
                            RT_MANIFEST | 0x46bd3 | 0xa83 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators
                            DLL | Import
                            mscoree.dll | _CorExeMain
                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                            09/23/22-08:16:16.887686 | TCP | 2848152 | ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            09/23/22-08:16:16.887686 | TCP | 2034847 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT) | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 23, 2022 08:16:15.904928923 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:15.904983044 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:15.905143023 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:15.978910923 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:15.978955030 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.038691044 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.038902998 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.058886051 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.058912039 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.059443951 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.114991903 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.517368078 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.550949097 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.551053047 CEST | 443 | 49707 | 104.20.67.143 | 192.168.2.4
                            Sep 23, 2022 08:16:16.551131010 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.560657024 CEST | 49707 | 443 | 192.168.2.4 | 104.20.67.143
                            Sep 23, 2022 08:16:16.768956900 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:16.788619041 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:16.788811922 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:16.866048098 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:16.887686014 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:16.903249025 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:16.924741983 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:17.083888054 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:27.872695923 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:27.942609072 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:27.942790031 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:28.005429983 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:41.026510000 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:41.099261045 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:41.099368095 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:41.119456053 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:41.288949966 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:41.308408022 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:41.464027882 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:45.543930054 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:45.789335966 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:45.809439898 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:45.976874113 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:46.498739004 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:46.570760965 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:46.570938110 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:46.646563053 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:53.994374037 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:54.068476915 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:54.069508076 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:54.089812994 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:54.205245018 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:54.224791050 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:54.229171991 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:54.302839994 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:16:54.303117990 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:16:54.365385056 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:07.088820934 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:07.162601948 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:07.162787914 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:07.182740927 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:07.228696108 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:07.248019934 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:07.251569033 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:07.319298029 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:07.319509983 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:07.381428003 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:15.542717934 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:15.588712931 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:15.610255957 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:15.651313066 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.152755976 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.212085962 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:20.212295055 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.240494013 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:20.293848991 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.313848019 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:20.321336031 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.384012938 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:20.384171963 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:20.449337006 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:33.247617006 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:33.321877003 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:33.322803020 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:33.342842102 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:33.402740002 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:33.422184944 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:33.424719095 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:33.495209932 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:33.495389938 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:33.556210995 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:45.548614025 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:45.614175081 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:45.635935068 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:45.814027071 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.309535027 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.369138956 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:46.388631105 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.408622980 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:46.621927977 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.641309023 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:46.705971003 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.775481939 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:46.777625084 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:46.838196039 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:59.351788998 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:59.416476011 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:59.416538000 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:59.436575890 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:59.523016930 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:59.542501926 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:59.543075085 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:59.604021072 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Sep 23, 2022 08:17:59.604127884 CEST | 49708 | 9087 | 192.168.2.4 | 3.72.110.63
                            Sep 23, 2022 08:17:59.666486979 CEST | 9087 | 49708 | 3.72.110.63 | 192.168.2.4
                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                            Sep 23, 2022 08:16:15.844961882 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
                            Sep 23, 2022 08:16:15.864907026 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
                            Sep 23, 2022 08:16:16.656079054 CEST | 56807 | 53 | 192.168.2.4 | 8.8.8.8
                            Sep 23, 2022 08:16:16.766113997 CEST | 53 | 56807 | 8.8.8.8 | 192.168.2.4
                            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                            Sep 23, 2022 08:16:15.844961882 CEST | 192.168.2.4 | 8.8.8.8 | 0xbe57 | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001) | false
                            Sep 23, 2022 08:16:16.656079054 CEST | 192.168.2.4 | 8.8.8.8 | 0x5ae4 | Standard query (0) | termsiya.duckdns.org | A (IP address) | IN (0x0001) | false
                            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                            Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | pastebin.com | | 104.20.67.143 | A (IP address) | IN (0x0001) | false
                            Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | pastebin.com | | 172.67.34.170 | A (IP address) | IN (0x0001) | false
                            Sep 23, 2022 08:16:15.864907026 CEST | 8.8.8.8 | 192.168.2.4 | 0xbe57 | No error (0) | pastebin.com | | 104.20.68.143 | A (IP address) | IN (0x0001) | false
                            Sep 23, 2022 08:16:16.766113997 CEST | 8.8.8.8 | 192.168.2.4 | 0x5ae4 | No error (0) | termsiya.duckdns.org | | 3.72.110.63 | A (IP address) | IN (0x0001) | false
                            Sep 23, 2022 08:16:17.181047916 CEST | 8.8.8.8 | 192.168.2.4 | 0xfb9b | No error (0) | windowsupdatebg.s.llnwi.net | | 95.140.230.192 | A (IP address) | IN (0x0001) | false
                            • pastebin.com
                            Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                            0 | 192.168.2.4 | 49707 | 104.20.67.143 | 443 | C:\Users\user\AppData\Roaming\svchost.exe
                            Timestamp | kBytes transferred | Direction | Data
                            2022-09-23 06:16:16 UTC | 0 | OUT | GET /raw/pffCggZp HTTP/1.1
                            Host: pastebin.com
                            Connection: Keep-Alive
                            2022-09-23 06:16:16 UTC | 0 | IN | HTTP/1.1 200 OK
                            Date: Fri, 23 Sep 2022 06:16:16 GMT
                            Content-Type: text/plain; charset=utf-8
                            Transfer-Encoding: chunked
                            Connection: close
                            x-frame-options: DENY
                            x-content-type-options: nosniff
                            x-xss-protection: 1;mode=block
                            cache-control: public, max-age=1801
                            CF-Cache-Status: HIT
                            Age: 68
                            Last-Modified: Fri, 23 Sep 2022 06:15:08 GMT
                            Server: cloudflare
                            CF-RAY: 74f1268f4c7abba1-FRA
                            2022-09-23 06:16:16 UTC | 0 | IN | Data Raw: 31 39 0d 0a 74 65 72 6d 73 69 79 61 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 3a 39 30 38 37 0d 0a
                            Data Ascii: 19termsiya.duckdns.org:9087
                            2022-09-23 06:16:16 UTC | 0 | IN | Data Raw: 30 0d 0a 0d 0a
                            Data Ascii: 0
                            Target ID:0
                            Start time:08:15:46
                            Start date:23/09/2022
                            Path:C:\Users\user\Desktop\af5Cop6pCN.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\Desktop\af5Cop6pCN.exe"
                            Imagebase:0xb40000
                            File size:282112 bytes
                            MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low

                            Target ID:1
                            Start time:08:15:53
                            Start date:23/09/2022
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                            Imagebase:0x7ff632260000
                            File size:273920 bytes
                            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:2
                            Start time:08:15:54
                            Start date:23/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:3
                            Start time:08:15:54
                            Start date:23/09/2022
                            Path:C:\Windows\System32\cmd.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
                            Imagebase:0x7ff632260000
                            File size:273920 bytes
                            MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:4
                            Start time:08:15:54
                            Start date:23/09/2022
                            Path:C:\Windows\System32\schtasks.exe
                            Wow64 process (32bit):false
                            Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
                            Imagebase:0x7ff7c8230000
                            File size:226816 bytes
                            MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:5
                            Start time:08:15:55
                            Start date:23/09/2022
                            Path:C:\Windows\System32\conhost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Imagebase:0x7ff7c72c0000
                            File size:625664 bytes
                            MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:high

                            Target ID:6
                            Start time:08:15:55
                            Start date:23/09/2022
                            Path:C:\Windows\System32\timeout.exe
                            Wow64 process (32bit):false
                            Commandline:timeout 3
                            Imagebase:0x7ff63f000000
                            File size:30720 bytes
                            MD5 hash:EB9A65078396FB5D4E3813BB9198CB18
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:moderate

                            Target ID:7
                            Start time:08:15:57
                            Start date:23/09/2022
                            Path:C:\Users\user\AppData\Roaming\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                            Imagebase:0xbc0000
                            File size:282112 bytes
                            MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                            • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                            Antivirus matches:
                            • Detection: 100%, Avira
                            • Detection: 100%, Joe Sandbox ML

                            Target ID:8
                            Start time:08:15:59
                            Start date:23/09/2022
                            Path:C:\Users\user\AppData\Roaming\svchost.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                            Imagebase:0xe00000
                            File size:282112 bytes
                            MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:.Net C# or VB.NET
                            Yara matches:
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                            • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown

                              • Instruction ID: 105b8ceee544f28c68b522c87f913a7f7c66443b93bc848e85410da9b01b5ba5
                              • Opcode Fuzzy Hash: a65bcfabce0fa1f7161acfd9e3f5c07b2f12f1ceda88bcdc0d04af51c5f9f1c6
                              • Instruction Fuzzy Hash: 8EF0A921F2DC464AE358A21CB4453B972D2E7987A5F74437DD84EC32D7EC2858664187
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c64574b1035d181fa7f752e7498deab66fe299c51adfa551701638ce4b0d6cb1
                              • Instruction ID: 40c64f2f3664955a397d4a7a37aecf90aea904aa7f37ccabdb6faab4f25c7fb3
                              • Opcode Fuzzy Hash: c64574b1035d181fa7f752e7498deab66fe299c51adfa551701638ce4b0d6cb1
                              • Instruction Fuzzy Hash: 6E013631B189098FE759DB1CE4487B933E1EB99360F26027DD44EC7292DA78DC918644
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 84d38b5b0ad8d737ca30639d98a91057657f4c1bc00a4b536cbade6d18faaf2a
                              • Instruction ID: fec8c2b78fd27a472c86b6fa05f50ecd1a5401efdd6edadcf609b3b183a1f3c9
                              • Opcode Fuzzy Hash: 84d38b5b0ad8d737ca30639d98a91057657f4c1bc00a4b536cbade6d18faaf2a
                              • Instruction Fuzzy Hash: 62F030306189098FE784EF24E898AA533E1FB64361B208639D44AC72A1CE25E850CB40
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 01d7447d636b52b6c072f46c631ff8baa7d99480f840b37f6f2f3f476c67f559
                              • Instruction ID: 9be5ddf8736cd078d50212f6238e669d9491b61e8ddf7a58eb1c6ab3271b126f
                              • Opcode Fuzzy Hash: 01d7447d636b52b6c072f46c631ff8baa7d99480f840b37f6f2f3f476c67f559
                              • Instruction Fuzzy Hash: 52F03012F28D1A0AEB98E33C94513BA52C2AF88790F54867D904EC36D6CC68689253C1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5d6d8f28f79924a8edd9e850802c7e839f6df50a52b213553dcbdcb87abf61b9
                              • Instruction ID: e079c82a3fd8254b4a53c295c5ea7e68d772c89704c461b60c5292e5233af6bf
                              • Opcode Fuzzy Hash: 5d6d8f28f79924a8edd9e850802c7e839f6df50a52b213553dcbdcb87abf61b9
                              • Instruction Fuzzy Hash: A6F0303062890A8FE784EF24E898AA533E1FB64360F208239D44FC72A1CE25F810CB44
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8e6b1ba2c62ff68ef5848efcb7a4ee2e22815e08b88d9377511a84b85e5b7029
                              • Instruction ID: 67ae877b7cc214041015125abe966a42d278466e8f899d939f1a841cb66be00d
                              • Opcode Fuzzy Hash: 8e6b1ba2c62ff68ef5848efcb7a4ee2e22815e08b88d9377511a84b85e5b7029
                              • Instruction Fuzzy Hash: ADF05E31A1CA0ACBFB158A08A4843B873A1EB597B0F20433ED14EC62D5CD29A4A48680
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5fd129a3c6b2fdd40402d22e99367e36eb9650d33b18c007e5d6facada00c161
                              • Instruction ID: 5152930c2a1c183d9dffba32c16ee17299d84ee977160ead78be2e6b13458c98
                              • Opcode Fuzzy Hash: 5fd129a3c6b2fdd40402d22e99367e36eb9650d33b18c007e5d6facada00c161
                              • Instruction Fuzzy Hash: B7F0A732C0CD128BF7105E00E8407BA33549F163E0F6683B6C88DDB1D1DA1CA8548691
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4b7a6168ab6237f0a61fb5400ffd6338e8c212d76515871386bd6417ea8f99e3
                              • Instruction ID: be51ae5ae5b9bfbc8808311c6e61810f80097a8b18132cc6c681ac6ae3d7f969
                              • Opcode Fuzzy Hash: 4b7a6168ab6237f0a61fb5400ffd6338e8c212d76515871386bd6417ea8f99e3
                              • Instruction Fuzzy Hash: DFE02B3080E5968FD716632868244743F50EF12370B6802FFC0CDCB0E3C81DA825C312
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a61d18834d962fddb6b3a5382e1c33b6d8359fcd184ac6e134382a680adec280
                              • Instruction ID: 6be6f1e5ecc047ad4e644b06db0c73c7ec5d2a14acac29c410ece15bcf542cbb
                              • Opcode Fuzzy Hash: a61d18834d962fddb6b3a5382e1c33b6d8359fcd184ac6e134382a680adec280
                              • Instruction Fuzzy Hash: 41F0A031E0980A8BE741D614E084BA57371EB81360F654B79C00E9B2C5CE38ACD587C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: ffb6b5d0cbcef055b5c6c678d960ee71d17c2d04fa074bec55c1623e7978ee3e
                              • Instruction ID: d85fecdcf152fa446c2dc86602d0d101844b1c4c1a3d22a4b78d973cf3f53ea7
                              • Opcode Fuzzy Hash: ffb6b5d0cbcef055b5c6c678d960ee71d17c2d04fa074bec55c1623e7978ee3e
                              • Instruction Fuzzy Hash: 0AE06D31E1890A8EEB54AF14A4406F87751DF413A2F20527AE88E86181CE156C6097D2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 41b47f1ea7a74893ef73a216679f9b91324fa51f3eb52b8ab06a30ec490b226e
                              • Instruction ID: a8a9424ca1154e586f2527c2b9dedb011271361f5b144347922d8ebdb128e5ac
                              • Opcode Fuzzy Hash: 41b47f1ea7a74893ef73a216679f9b91324fa51f3eb52b8ab06a30ec490b226e
                              • Instruction Fuzzy Hash: ECF06D31A0890A9FF764EB08D4C47A872E1EB443B1F60527AC44FC32E1DEA86D918BD0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 266041d0afd44b53d71df8f6d1d4725cac0c4ea1248a65d97eacea91012290f4
                              • Instruction ID: cf64b07a91f4fdcbc3bd72b4bfef7bd7e3ea24a14299a2413b2056b0e5674991
                              • Opcode Fuzzy Hash: 266041d0afd44b53d71df8f6d1d4725cac0c4ea1248a65d97eacea91012290f4
                              • Instruction Fuzzy Hash: 4CD01712F18C3A4AE196A51C746537D5392EB94BA2FA103BAC04ED3A86DD1A6D0A03C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 4afe34aa614a6510403130a03871279ce5be44a35a033f3af05ffed35ce5c485
                              • Instruction ID: cc1618f4ca63632cbc617871480f1c1620f7f46d2babb3463afaaa155bd2d920
                              • Opcode Fuzzy Hash: 4afe34aa614a6510403130a03871279ce5be44a35a033f3af05ffed35ce5c485
                              • Instruction Fuzzy Hash: 26D05B62F3EE06C9B318557DB84313873E5FF44BE0B25427AD05EC2196DC5578511186
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2481bde829649dfdf22d89137aebf7b226a51f4437237a8bfaa0031aba3b70f3
                              • Instruction ID: b0a2d74def7e95b02cc723883f53abd46a8e70abc1695ff5612dbe58682c9d88
                              • Opcode Fuzzy Hash: 2481bde829649dfdf22d89137aebf7b226a51f4437237a8bfaa0031aba3b70f3
                              • Instruction Fuzzy Hash: A4E0B631A3AA0F9EE7B8A738501537D55D1AF49795F70057C908FD2281ED2964915282
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d648c23291274aa057bebb505e297e3d6065071955367dc13ecaed344e5279f8
                              • Instruction ID: 094a166a022c6839c1d14aa381b1048c3d4dab218001a12a2482922842a2807a
                              • Opcode Fuzzy Hash: d648c23291274aa057bebb505e297e3d6065071955367dc13ecaed344e5279f8
                              • Instruction Fuzzy Hash: 2AE08633D0C9168BE7619A40D8407A532549755370F11427AC48DD72E4CE6C999482C1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2be747aabe74b6274596077e951196b71c17d8479c70f8ea74a8ad4f85f0c0f4
                              • Instruction ID: 28577683dc37f3923ddbf631d0310ca3dfacfa473a5a8a532930af968e5d0962
                              • Opcode Fuzzy Hash: 2be747aabe74b6274596077e951196b71c17d8479c70f8ea74a8ad4f85f0c0f4
                              • Instruction Fuzzy Hash: EFE0422091CC2ACBE534B694B45093C2290AF843A4F7003BED08E86191DD2DB8706A62
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 13c9b5f86d8a8927846b107f662ab1074dd8f007038b7be76e49481d338bb116
                              • Instruction ID: 8ac21c13d1c0d9fb6a22924f88f71cd5a3e631b5ce38a7fa1435f44e6122dec9
                              • Opcode Fuzzy Hash: 13c9b5f86d8a8927846b107f662ab1074dd8f007038b7be76e49481d338bb116
                              • Instruction Fuzzy Hash: D2D0621091FD06CAE5A49614F4C49782170EF453A0F7523B9D08EC6194D91E68B0A642
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f7c05975d9cc3bf38ecbdcde73af5cbac25448de279ba222ebc9cd146cba2923
                              • Instruction ID: e17a2aa51f7738a9b2790ef1416a884b233bd4346183a83a9c00bc5b1b1853ac
                              • Opcode Fuzzy Hash: f7c05975d9cc3bf38ecbdcde73af5cbac25448de279ba222ebc9cd146cba2923
                              • Instruction Fuzzy Hash: CCE01231D089168AF729B704E888BE973919B01371F6557BAC48FD72E1CE6CAD6487C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5ce77b513b9e33764c0e63cdac634f7ebe4b814141cb5523e6a8ea1447fcf670
                              • Instruction ID: d87798557b5160ccddeb8fcc1c5d378cf5d53dcfe93204afce0117dca25c6391
                              • Opcode Fuzzy Hash: 5ce77b513b9e33764c0e63cdac634f7ebe4b814141cb5523e6a8ea1447fcf670
                              • Instruction Fuzzy Hash: 07D0622281CD76DAE976971664444782F70AF04BA4F7103B9D1CEC61D0D91DA4B07601
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: df2aaffc23448d73093c51657114902bcc30733167d969dfac0f059e5393ef39
                              • Instruction ID: e6b2a79bbef78b98b1c1779aa1f096e443cd037e052f286989d87780427c1cb5
                              • Opcode Fuzzy Hash: df2aaffc23448d73093c51657114902bcc30733167d969dfac0f059e5393ef39
                              • Instruction Fuzzy Hash: B2D02460C0E953C2E5BC1212292173CA0405F003F3FB00B7EE4CF891C5885EA1B630E2
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: accc0b5c950a5f65cc6ca8274334ec320ffd97ed3c402d77ccaedad1031e1d4d
                              • Instruction ID: 382121733f7bcbe3594c149443ea7a6f686f7f3e1375b03f7c3faf7700c77a9a
                              • Opcode Fuzzy Hash: accc0b5c950a5f65cc6ca8274334ec320ffd97ed3c402d77ccaedad1031e1d4d
                              • Instruction Fuzzy Hash: 38D0C72080CC36DFE5649615B5C49383290DF043E1FB013F9D0CEC61E1C91EA9A57611
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a50ba9b7c252badaf3d67bc8589f7fd94e941584bcbbc34d3574b588016e8e68
                              • Instruction ID: ecd8f8ae6f95b9e89e2be803f0d741ead57c2ee3b753bc163c6c97ff14e4fc1b
                              • Opcode Fuzzy Hash: a50ba9b7c252badaf3d67bc8589f7fd94e941584bcbbc34d3574b588016e8e68
                              • Instruction Fuzzy Hash: 91D0A722D2D99DDFE751DB1480453AC6A92DF08390F5502F6E85DD3193CD185C8443C0
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: f2061238415d9b96c4050b82b643a568bc85ea25b2b249440634e7d9ac91651c
                              • Instruction ID: 4ca9aca254b109ac5155683a579ddfb5bf6c918c9209c3081ac1663f8d9e0ccc
                              • Opcode Fuzzy Hash: f2061238415d9b96c4050b82b643a568bc85ea25b2b249440634e7d9ac91651c
                              • Instruction Fuzzy Hash: 59D0C9B0408A4D8EE758CF44D0986783BB1EF44350F20812EE80E86690CB3598549690
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 363fe444b5c44f30a60eef31d15a80a476d4b270c413f6b0045e6e196b659a0f
                              • Instruction ID: e3598d04acf13ec217784b5c5bab32c7f3be7d072c4a2cc67e92b4189f45702e
                              • Opcode Fuzzy Hash: 363fe444b5c44f30a60eef31d15a80a476d4b270c413f6b0045e6e196b659a0f
                              • Instruction Fuzzy Hash: 32B09B514085564BD355C90594906B577505714261F14877994CD57682C41C95546BB1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 62ebdf483be9ab876bb89240b3a26d4beed924b89be83d0511937707a879a7d9
                              • Instruction ID: 23906c7e1ce9a17c32009910db2239973099537370934565f12a2048a0a0c880
                              • Opcode Fuzzy Hash: 62ebdf483be9ab876bb89240b3a26d4beed924b89be83d0511937707a879a7d9
                              • Instruction Fuzzy Hash: EEA00204C97C0E01A85835BA3D874A474D15BCA664FD51264E98C80586E88E15FD43D7
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1a498020929b8e3dfbb9b967928fa39f667f6465fb9986f592f88cee899376f3
                              • Instruction ID: cb016e742138126e4bb95e31c18839375758c993b0e68951a0011df98e368902
                              • Opcode Fuzzy Hash: 1a498020929b8e3dfbb9b967928fa39f667f6465fb9986f592f88cee899376f3
                              • Instruction Fuzzy Hash: 37B01223D0881A8AE6149610D8447F812B00F443A5F151134940F671E1CC082C5062C1
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000000.00000002.330272815.00007FF816420000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816420000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_7ff816420000_af5Cop6pCN.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19f8a2e7346aa81816919c8d829bc9f88106f0e585a7beb9a374410d728d00bb
                              • Instruction ID: 33756024367420dfb3ca6c9eddd5d9d812d09db232e55124e69bf3b55ece88a9
                              • Opcode Fuzzy Hash: 19f8a2e7346aa81816919c8d829bc9f88106f0e585a7beb9a374410d728d00bb
                              • Instruction Fuzzy Hash: 1BB092B0828E468AE2009E04D8002AA22A0AF04350F604224E44C862A1CA3864208621
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Memory Dump Source
                              • Source File: 00000007.00000002.403876821.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_7_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3d15649a7c3897d6ec7cf25b155fb95f573f3755402645df1376d78f46a00f40
                              • Instruction ID: a0119b2985bfb13063a9923b4a8e96ebcf9caada9100349d7468726a3135c4d5
                              • Opcode Fuzzy Hash: 3d15649a7c3897d6ec7cf25b155fb95f573f3755402645df1376d78f46a00f40
                              • Instruction Fuzzy Hash: 44312931F0DA568FF799DF2885542F97BD1EF453A0B1802BAC44ECF282CD289C518781
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Execution Graph

                              Execution Coverage: 10.4%
                              Dynamic/Decrypted Code Coverage: 100%
                              Signature Coverage: 0%
                              Total number of Nodes: 6
                              Total number of Limit Nodes: 0

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              Strings
                              Memory Dump Source
                              • Source File: 00000008.00000002.586655137.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID:
                              • String ID: 0__H
                              • API String ID: 0-4088120841
                              • Opcode ID: cbad44523b1e378db03f722cdc6bf111746ed6b75355245cd9f0895e4b2eaf44
                              • Instruction ID: dc9c552c45f3ddb2a2142328e0d6d08dd19a009020b7df5df127be53396d1f08
                              • Opcode Fuzzy Hash: cbad44523b1e378db03f722cdc6bf111746ed6b75355245cd9f0895e4b2eaf44
                              • Instruction Fuzzy Hash: 4EC1E435D1DD5A8FE7E8DA2C84561F877D0EF583A0F54027ACCCEC7692EE1868268681
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 147 7ff81640daf6-7ff81640db03 148 7ff81640db0e-7ff81640dbd7 147->148 149 7ff81640db05-7ff81640db0d 147->149 153 7ff81640dbd9-7ff81640dbe2 148->153 154 7ff81640dc43 148->154 149->148 153->154 155 7ff81640dbe4-7ff81640dbf0 153->155 156 7ff81640dc45-7ff81640dc6a 154->156 157 7ff81640dc29-7ff81640dc41 155->157 158 7ff81640dbf2-7ff81640dc04 155->158 163 7ff81640dc6c-7ff81640dc75 156->163 164 7ff81640dcd6 156->164 157->156 159 7ff81640dc08-7ff81640dc1b 158->159 160 7ff81640dc06 158->160 159->159 162 7ff81640dc1d-7ff81640dc25 159->162 160->159 162->157 163->164 165 7ff81640dc77-7ff81640dc83 163->165 166 7ff81640dcd8-7ff81640dd80 164->166 167 7ff81640dcbc-7ff81640dcd4 165->167 168 7ff81640dc85-7ff81640dc97 165->168 177 7ff81640ddee 166->177 178 7ff81640dd82-7ff81640dd8c 166->178 167->166 169 7ff81640dc99 168->169 170 7ff81640dc9b-7ff81640dcae 168->170 169->170 170->170 172 7ff81640dcb0-7ff81640dcb8 170->172 172->167 180 7ff81640ddf0-7ff81640de19 177->180 178->177 179 7ff81640dd8e-7ff81640dd9b 178->179 181 7ff81640dd9d-7ff81640ddaf 179->181 182 7ff81640ddd4-7ff81640ddec 179->182 187 7ff81640de1b-7ff81640de26 180->187 188 7ff81640de83 180->188 183 7ff81640ddb1 181->183 184 7ff81640ddb3-7ff81640ddc6 181->184 182->180 183->184 184->184 186 7ff81640ddc8-7ff81640ddd0 184->186 186->182 187->188 190 7ff81640de28-7ff81640de36 187->190 189 7ff81640de85-7ff81640df16 188->189 198 7ff81640df1c-7ff81640df2b 189->198 191 7ff81640de38-7ff81640de4a 190->191 192 7ff81640de6f-7ff81640de81 190->192 194 7ff81640de4c 191->194 195 7ff81640de4e-7ff81640de61 191->195 192->189 194->195 195->195 196 7ff81640de63-7ff81640de6b 195->196 196->192 199 7ff81640df2d 198->199 200 7ff81640df33-7ff81640df98 call 7ff81640dfb4 198->200 199->200 207 7ff81640df9a 200->207 208 7ff81640df9f-7ff81640dfb3 200->208 207->208
                              Memory Dump Source
                              • Source File: 00000008.00000002.586655137.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 19e9fd7d85b0c329339a08a506f3d1d3ef208c15fc89ab53cf3a3ed11665b4c2
                              • Instruction ID: 8b2269bc667caad1159550a29388ef55b0501fba6cdc4d9a18d89eea2cc20d3d
                              • Opcode Fuzzy Hash: 19e9fd7d85b0c329339a08a506f3d1d3ef208c15fc89ab53cf3a3ed11665b4c2
                              • Instruction Fuzzy Hash: 0AF1B331918E8D8FEBA8DF28C8457E977E1FF54350F04426EE88DC7291CB7499948B82
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 209 7ff81640e8a2-7ff81640e8af 210 7ff81640e8ba-7ff81640e987 209->210 211 7ff81640e8b1-7ff81640e8b9 209->211 215 7ff81640e989-7ff81640e992 210->215 216 7ff81640e9f3 210->216 211->210 215->216 217 7ff81640e994-7ff81640e9a0 215->217 218 7ff81640e9f5-7ff81640ea1a 216->218 219 7ff81640e9d9-7ff81640e9f1 217->219 220 7ff81640e9a2-7ff81640e9b4 217->220 224 7ff81640ea1c-7ff81640ea25 218->224 225 7ff81640ea86 218->225 219->218 222 7ff81640e9b8-7ff81640e9cb 220->222 223 7ff81640e9b6 220->223 222->222 226 7ff81640e9cd-7ff81640e9d5 222->226 223->222 224->225 227 7ff81640ea27-7ff81640ea33 224->227 228 7ff81640ea88-7ff81640eaad 225->228 226->219 229 7ff81640ea6c-7ff81640ea84 227->229 230 7ff81640ea35-7ff81640ea47 227->230 235 7ff81640eb1b 228->235 236 7ff81640eaaf-7ff81640eab9 228->236 229->228 231 7ff81640ea49 230->231 232 7ff81640ea4b-7ff81640ea5e 230->232 231->232 232->232 234 7ff81640ea60-7ff81640ea68 232->234 234->229 237 7ff81640eb1d-7ff81640eb4b 235->237 236->235 238 7ff81640eabb-7ff81640eac8 236->238 245 7ff81640ebbb 237->245 246 7ff81640eb4d-7ff81640eb58 237->246 239 7ff81640eaca-7ff81640eadc 238->239 240 7ff81640eb01-7ff81640eb19 238->240 242 7ff81640eade 239->242 243 7ff81640eae0-7ff81640eaf3 239->243 240->237 242->243 243->243 244 7ff81640eaf5-7ff81640eafd 243->244 244->240 248 7ff81640ebbd-7ff81640ec95 245->248 246->245 247 7ff81640eb5a-7ff81640eb68 246->247 249 7ff81640eb6a-7ff81640eb7c 247->249 250 7ff81640eba1-7ff81640ebb9 247->250 258 7ff81640ec9b-7ff81640ecaa 248->258 252 7ff81640eb7e 249->252 253 7ff81640eb80-7ff81640eb93 249->253 250->248 252->253 253->253 255 7ff81640eb95-7ff81640eb9d 253->255 255->250 259 7ff81640ecac 258->259 260 7ff81640ecb2-7ff81640ed14 call 7ff81640ed30 258->260 259->260 267 7ff81640ed1b-7ff81640ed2f 260->267 268 7ff81640ed16 260->268 268->267
                              Memory Dump Source
                              • Source File: 00000008.00000002.586655137.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 31c12f164e1df1ce36b37d2b6962953664af822004323412187178dab5448ee9
                              • Instruction ID: 1f6296e780d65c5b766096a211062bd05c39b1d06a822ae52d23ff7dcd3b3ab0
                              • Opcode Fuzzy Hash: 31c12f164e1df1ce36b37d2b6962953664af822004323412187178dab5448ee9
                              • Instruction Fuzzy Hash: C5E1D330908A8D8FEBA8DF28C8557E977E1FF54350F14426EE84DC7291CF78A8958B81
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 107 7ff816407199-7ff816407280 LoadLibraryA 113 7ff816407282 107->113 114 7ff816407288-7ff8164072e1 call 7ff8164072e2 107->114 113->114
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.586655137.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID: LibraryLoad
                              • String ID:
                              • API String ID: 1029625771-0
                              • Opcode ID: f9ea3c7011e3583278d6ab058e015139d8d1f88b3ce8b4e0176190609273e631
                              • Instruction ID: eafe42b5ad23a61feb1f1dfde8ba4e7f4e58044c001e9d59795fc7daade5ea14
                              • Opcode Fuzzy Hash: f9ea3c7011e3583278d6ab058e015139d8d1f88b3ce8b4e0176190609273e631
                              • Instruction Fuzzy Hash: 51416C30918A1C8FDB98EF98D855BE9BBF1FF59310F00426AD04DD7252DB74A881CB41
                              Uniqueness

                              Uniqueness Score: -1.00%

                              Control-flow Graph

                              • Executed
                              • Not Executed
                              control_flow_graph 120 7ff8164074ed-7ff8164074f9 121 7ff816407504-7ff816407513 120->121 122 7ff8164074fb-7ff816407503 120->122 123 7ff816407515-7ff81640751d 121->123 124 7ff81640751e-7ff8164075d9 VirtualProtect 121->124 122->121 123->124 129 7ff8164075e1-7ff816407609 124->129 130 7ff8164075db 124->130 130->129
                              APIs
                              Memory Dump Source
                              • Source File: 00000008.00000002.586655137.00007FF816400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF816400000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_8_2_7ff816400000_svchost.jbxd
                              Similarity
                              • API ID: ProtectVirtual
                              • String ID:
                              • API String ID: 544645111-0
                              • Opcode ID: 134ee173468fc2d6d7b1f4535d0fdac36ebeae3e436824e792e190126e218537
                              • Instruction ID: 01ee2fd4d729c412ccda4485a8ede9cbeac2abfb53536117457fafdb5602421f
                              • Opcode Fuzzy Hash: 134ee173468fc2d6d7b1f4535d0fdac36ebeae3e436824e792e190126e218537
                              • Instruction Fuzzy Hash: 5241F63190CB884FDB19DB689C466F97FE0EF96721F0443AFD089D3692DA746806C792
                              Uniqueness

                              Uniqueness Score: -1.00%
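The LoadLibraryA and VirtualProtect functions above both live in the non image-backed region at 0x7FF816400000 inside svchost ("based on PE: false"), which is the pattern of a manually mapped or unpacked payload rather than a loaded module. The control_flow_graph dumps are a flat token stream, so pulling the function range, the edge list and the referenced imports out of them takes a small parser. The following is an added example and is not Joe Sandbox's or the IDA plugin's code: the token grammar (decimal node id, hex address or address range, an optional "call <hex>" or API name, and "a->b" edges) is inferred from the dumps on this page and is an assumption, and SUSPICIOUS_APIS is the author's own list. The two graph strings are copied verbatim from the records above.

```python
"""Parse the 'control_flow_graph' dumps that the Joe Sandbox IDA plugin emits.

Added example, not Joe Sandbox's or the IDA plugin's code. The token grammar
(decimal node id, hex address or address range, optional 'call <hex>' or an
API name, and 'a->b' edges) is inferred from the dumps on this page and is an
assumption; SUSPICIOUS_APIS is the author's own choice.
"""
import re
from dataclasses import dataclass, field

ADDR_RE = re.compile(r"^[0-9a-f]{8,}(?:-[0-9a-f]{8,})?$")
EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
NODE_ID_RE = re.compile(r"^\d+$")

# Imports that, when resolved from a region not backed by an image, point at
# unpacking or injection (chosen list, not taken from the report).
SUSPICIOUS_APIS = frozenset({
    "LoadLibraryA", "LoadLibraryW", "GetProcAddress", "VirtualProtect",
    "VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread",
})

# Copied verbatim from the two short graphs above (svchost, 0x7FF816400000 region).
LOADLIBRARY_CFG = (
    "control_flow_graph 107 7ff816407199-7ff816407280 LoadLibraryA 113 7ff816407282 "
    "107->113 114 7ff816407288-7ff8164072e1 call 7ff8164072e2 107->114 113->114"
)
VIRTUALPROTECT_CFG = (
    "control_flow_graph 120 7ff8164074ed-7ff8164074f9 121 7ff816407504-7ff816407513 "
    "120->121 122 7ff8164074fb-7ff816407503 120->122 123 7ff816407515-7ff81640751d "
    "121->123 124 7ff81640751e-7ff8164075d9 VirtualProtect 121->124 122->121 "
    "123->124 129 7ff8164075e1-7ff816407609 124->129 130 7ff8164075db 124->130 130->129"
)


@dataclass
class Block:
    node_id: int
    start: int
    end: int                                    # inclusive end of the basic block
    calls: list = field(default_factory=list)   # direct 'call <addr>' targets
    apis: list = field(default_factory=list)    # named imports referenced in the block


@dataclass
class Graph:
    blocks: dict = field(default_factory=dict)  # node id -> Block
    edges: list = field(default_factory=list)   # (src id, dst id)

    def lo(self) -> int:
        return min(b.start for b in self.blocks.values())

    def hi(self) -> int:
        return max(b.end for b in self.blocks.values())

    def apis(self) -> list:
        return sorted({a for b in self.blocks.values() for a in b.apis})

    def callees(self) -> list:
        return sorted({c for b in self.blocks.values() for c in b.calls})

    def exits(self) -> list:
        """Node ids with no successor: where the function returns or tail-jumps."""
        srcs = {s for s, _ in self.edges}
        return sorted(n for n in self.blocks if n not in srcs)


def parse_cfg(text: str) -> Graph:
    toks = text.split()
    if toks and toks[0] == "control_flow_graph":
        toks = toks[1:]
    g, cur, i = Graph(), None, 0
    while i < len(toks):
        t = toks[i]
        m = EDGE_RE.match(t)
        if m:
            g.edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # A node is a decimal id immediately followed by a hex address or range.
        if NODE_ID_RE.match(t) and i + 1 < len(toks) and ADDR_RE.match(toks[i + 1]):
            lo, _, hi = toks[i + 1].partition("-")
            cur = Block(int(t), int(lo, 16), int(hi or lo, 16))
            g.blocks[cur.node_id] = cur
            i += 2
            continue
        if cur is None:
            raise ValueError(f"annotation {t!r} before any block")
        if t == "call" and i + 1 < len(toks):
            cur.calls.append(int(toks[i + 1], 16))
            i += 2
            continue
        cur.apis.append(t)          # anything else is an import name on this block
        i += 1
    dangling = [(s, d) for s, d in g.edges if s not in g.blocks or d not in g.blocks]
    if dangling:
        raise ValueError(f"edges reference undefined nodes: {dangling}")
    return g


def summarize(text: str) -> dict:
    """Function range, size, imports and exit blocks of one dumped graph."""
    g = parse_cfg(text)
    return {
        "range": f"{g.lo():x}-{g.hi():x}",
        "blocks": len(g.blocks),
        "edges": len(g.edges),
        "apis": g.apis(),
        "callees": [f"{c:x}" for c in g.callees()],
        "exits": g.exits(),
        "suspicious": bool(SUSPICIOUS_APIS & set(g.apis())),
    }


if __name__ == "__main__":
    for dump in (LOADLIBRARY_CFG, VIRTUALPROTECT_CFG):
        print(summarize(dump))
```

Run over the two dumps, the parser gives the function ranges 7ff816407199-7ff8164072e1 and 7ff8164074ed-7ff816407609, flags both as touching a loader or memory-protection API, and shows that the LoadLibraryA function's only exit block ends at 7ff8164072e1 and calls 7ff8164072e2, the byte right after it, which is worth a second look when walking the region by hand. Feeding it the longer graph at the top of this section works the same way since that dump uses the same "call <addr>" annotations.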