
Windows Analysis Report
af5Cop6pCN.exe

Overview

General Information

Sample Name: af5Cop6pCN.exe
Analysis ID: 708255
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT, DcRat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Sigma detected: Schedule system process
Antivirus / Scanner detection for submitted sample
System process connects to network (likely due to code injection or exploit)
Yara detected DcRat
Yara detected AsyncRAT
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
.NET source code references suspicious native API functions
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Connects to a pastebin service (likely for C&C)
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Internet Provider seen in connection with other malware
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Dropped file seen in connection with other malware
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • af5Cop6pCN.exe (PID: 4856 cmdline: "C:\Users\user\Desktop\af5Cop6pCN.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
    • cmd.exe (PID: 1236 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1416 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 1592 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 838D346D1D28F00783B7A6C6BD03A0DA)
    • cmd.exe (PID: 1256 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat"" MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
      • conhost.exe (PID: 1948 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 3228 cmdline: timeout 3 MD5: EB9A65078396FB5D4E3813BB9198CB18)
      • svchost.exe (PID: 1016 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • svchost.exe (PID: 1120 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 32A56B4E67436BDD3D39809A9BE949B8)
  • cleanup

Malware Configuration

AsyncRAT: {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}

Yara Overview

Source | Rule | Description | Author | Strings
af5Cop6pCN.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
af5Cop6pCN.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy

Source | Rule | Description | Author | Strings
dump.pcap | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1973d:$b2: DcRat By qwqdanchun1

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
C:\Users\user\AppData\Roaming\svchost.exe | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy

Source | Rule | Description | Author | Strings
00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0xc6c8:$b2: DcRat By qwqdanchun1
00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x1da1c:$b2: DcRat By qwqdanchun1
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_DCRat_1aeea1ac | unknown | unknown
  • 0x468c:$b2: DcRat By qwqdanchun1
00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_DcRat_2 | Yara detected DcRat | Joe Security
(14 further memory-dump entries not shown)

Source | Rule | Description | Author | Strings
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x15e86:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x15dcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x15d46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x15d94:$s4: VmlydHVhbFByb3RlY3Q
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Detects executables attemping to enumerate video devices using WMI | ditekSHen
  • 0x160fe:$q1: Select * from Win32_CacheMemory
  • 0x161da:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0x1613e:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0x1618c:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack | INDICATOR_SUSPICIOUS_EXE_DcRatBy | Detects executables containing the string DcRatBy | ditekSHen
  • 0x16576:$s1: DcRatBy
0.2.af5Cop6pCN.exe.12fb80c8.1.unpack | INDICATOR_SUSPICIOUS_EXE_B64_Artifacts | Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. | ditekSHen
  • 0x14086:$s1: U09GVFdBUkVcTWljcm9zb2Z0XFdpbmRvd3NcQ3VycmVudFZlcnNpb25cUnVuXA
  • 0x13fcb:$s2: L2Mgc2NodGFza3MgL2
  • 0x13f46:$s3: QW1zaVNjYW5CdWZmZXI
  • 0x13f94:$s4: VmlydHVhbFByb3RlY3Q
(5 further unpacked-PE entries not shown)

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\af5Cop6pCN.exe" , ParentImage: C:\Users\user\Desktop\af5Cop6pCN.exe, ParentProcessId: 4856, ParentProcessName: af5Cop6pCN.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 1236, ProcessName: cmd.exe

Snort IDS alert
Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
Source Port: 9087
Destination Port: 49708
SID: 2848152
Protocol: TCP
Classtype: A Network Trojan was detected

Snort IDS alert
Timestamp: 09/23/22-08:16:16.887686
Source IP: 3.72.110.63
Destination IP: 192.168.2.4
Source Port: 9087
Destination Port: 49708
SID: 2034847
Protocol: TCP
Classtype: A Network Trojan was detected


AV Detection

Source: af5Cop6pCN.exe | ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1235730
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Roaming\svchost.exe | Metadefender: Detection: 45%
Source: af5Cop6pCN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp | Malware Configuration Extractor: AsyncRAT {"Server": "<!Cv", "Ports": "1", "Telegram C2": "https://api.telegram.org/bot{\"GI/sendMessage?chat_id=8ByH|?~", "Version": "'j%av_@4t#STz0 Gk@=FUPshK6IBYUZdY}n Is8k(3qgO@UJR?LLHr5HXCRE+ N}z^MR#RxeMW", "AES_key": "WPC4*(7Gweu7\\z>W{A|`", "Mutex": "TN-BG", "Certificate": "NjlPUmtsM1RoZjF0bWVMaUNuUm5Jd2JxS05FSXo2aFo=", "ServerSignature": "svchost.exe", "Group": "%AppData%"}
Source: af5Cop6pCN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: af5Cop6pCN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking

Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 3.72.110.63 9087
Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: pastebin.com
Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: termsiya.duckdns.org
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 104.20.67.143 443
Source: Traffic | Snort IDS: 2034847 ET TROJAN Observed Malicious SSL Cert (AsyncRAT) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Traffic | Snort IDS: 2848152 ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant) 3.72.110.63:9087 -> 192.168.2.4:49708
Source: Yara match | File source: af5Cop6pCN.exe, type: SAMPLE
Source: Yara match | File source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Malware configuration extractor | URLs: <!Cv
Source: unknown | DNS query: name: pastebin.com
Source: unknown | DNS query: name: termsiya.duckdns.org
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: global traffic | HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1 Host: pastebin.com Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 104.20.67.143 104.20.67.143
Source: unknown | HTTPS traffic detected: 104.20.67.143:443 -> 192.168.2.4:49707 version: TLS 1.0
Source: global traffic | TCP traffic: 192.168.2.4:49708 -> 3.72.110.63:9087
Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
Source: svchost.exe, 00000008.00000002.584593553.000000001BB13000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: svchost.exe, 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?541049bf1a9dc
Source: svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://pastebin.com
Source: af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com/raw/pffCggZp
Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://pastebin.com8
Source: unknown | DNS traffic detected: queries for: pastebin.com
Source: global traffic | HTTP traffic detected: GET /raw/pffCggZp HTTP/1.1 Host: pastebin.com Connection: Keep-Alive

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

System Summary

Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac Author: unknown
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc. Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: Detects executables containing the string DcRatBy Author: ditekSHen
Source: af5Cop6pCN.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: af5Cop6pCN.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: dump.pcap, type: PCAP | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.2.af5Cop6pCN.exe.12fb80c8.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: 0.0.af5Cop6pCN.exe.b40000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1120, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR | Matched rule: Windows_Trojan_DCRat_1aeea1ac os = windows, severity = x86, creation_date = 2022-01-15, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.DCRat, fingerprint = fc67d76dc916b7736de783aa245483381a8fe071c533f3761e550af80a873fe9, id = 1aeea1ac-69b9-4cc6-91af-18b7a79f35ce, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts author = ditekSHen, description = Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc.
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy author = ditekSHen, description = Detects executables containing the string DcRatBy
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FF81640E8A2
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FF81640F33D
Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 8_2_00007FF81640DAF6
Source: af5Cop6pCN.exe, 00000000.00000002.322593978.0000000000F5A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe, 00000000.00000000.303241374.0000000000B5C000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe | Binary or memory string: OriginalFilenamechrome_exe< vs af5Cop6pCN.exe
Source: af5Cop6pCN.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: svchost.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\svchost.exe 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
Source: af5Cop6pCN.exe | ReversingLabs: Detection: 92%
Source: af5Cop6pCN.exe | Metadefender: Detection: 45%
Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File read: C:\Users\user\Desktop\af5Cop6pCN.exe
Source: af5Cop6pCN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\af5Cop6pCN.exe "C:\Users\user\Desktop\af5Cop6pCN.exe"
Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
            Source: unknownProcess created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\timeout.exe timeout 3
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to behavior
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeFile created: C:\Users\user\AppData\Local\Temp\tmp5ECD.tmpJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@15/7@2/2
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: af5Cop6pCN.exe, u0002/u0004.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: af5Cop6pCN.exe, u0002/u0004.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: svchost.exe.0.dr, u0002/u0004.csSecurity API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
            Source: svchost.exe.0.dr, u0002/u0004.csSecurity API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
            Source: af5Cop6pCN.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
            Source: af5Cop6pCN.exe, u0004/u0001.csBase64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', 'o2bYOIFp6AZpWvxNIPcihIGfo9Ho55pISkQhGgXBZji3s012IQFLDYyEWJI2K1LHQcImJs2aoo7SwHnSJPNhVWmy7QDWcBjNtwJph4MGqwYCh/yeYbHhXo15g8iTdLzzt2TDmXqVtRG30+lCAUZlw1feEQgOuNOPBQexHmVu9jbtc1d95Zq2G+dM8WhkkEHgbp+Yk8HcI1uLdUnb2kmlT5T4ZeWNduSRCQRX/loCzc9SAg+0DLSuibjH0oLOh+oVnuCPy5/zo/AjPYoNsr6dpurwTBo8ujAVxHN3+HqcDTNwemUY5IcXe770/Mshye9ZGVZa+EDxq1ciq6dC/kw3w32lWdvBVZyB9/vj8whUjDlwg6QzaLvzg+y0Wz8HXijKTsuQVfT4olrfcHBala8oV9Uuo73jkENOaWC0MzGrZ2KQYti4c+bqr8RPNdvRKoThM30Yh+BGwxj1S/vvYYP3I0L9ef7md6+lm9GWLHXiWG3Y+DDvPTs0j+KxEWztRjnnukytDheUL1ukm9z1ylGU2V6wprM+p+XfDAkO8yoqio/noZw0iODf5xLumTJM7WZSwSeL8RYV+zehZi2nhOPWPFOgRlvXQQZxK7CWvp/u7ThLCeX5LfxYnPtNk87u7Ex5oxlPHDKnzIRHuSNxk/mvbh7cRYST/Ng92C1/tcK6U3o5Y1uXdj5pfTMBelz6KjeX6uez9yzNJZoRr8gR8RT4JM4AwlzOQtLEHF086gslMrpv6DqauwyEMUfYKzEGmukTzOYKLmTCuXyvA56yxZCRUuIlnaKVHi2tSa+pfyZNQulGmo79luX2w2AS0e5He89Q6m6uioAbE4W00S0U7rhb+xhhvtW3de6EAYoRpIPjOCcem32zTqA+iCzFxD8KwGz3otXtIsxD9jcT+L6seAlR5ER7OTftdjSq+TnFZcVxEe7Xr43yKzg7BMXu96NGrL/zDicbsXMisnIQ05/yRl/rnrN0U3ug3A/tVwl8yTGioM5o5p8Lu2ejzt+gbrF036M0C8fX7RQ8kq3wgf1f6TAKiV6s3xadnFkU6HwGNppKtX3s46iKx+Kfz1QwU0w5+iwQ', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
            Source: svchost.exe.0.dr, u0004/u0001.csBase64 encoded string: 'jj1skaM2si1s7DQ2Ilc55WfTq9nhjYiwCreYrrAuuycpim5EMQvKizfaSHEG0B0ZxN438UhAH9DRBKJBZujURA==', '/JyVt1f/UKPdCPNDkTQZtyooN9UczrZHd6NldYLNuDeqXOCyFnrGrIbgnB3EDsg+kVfmexnYQd36fNvxt+pgyQ==', 'X0QYwAy8C54L4a6+T26nkP3B4QaHAzp9V1gm99/6Yi0wy9xhloL/07OTTcCm0oMxHAms5gWzCIV4FnVufLsShg==', 'xSui0O8U+DDW7db1zkRMSo+bY5176WoP0GYly5EdBd1o/zI1ksULpmhdO2lw1sMJxeSMhN6rV+8Z9ALSxyevwQ==', 'VmNyIzXmZ38XPwuZDuUCavc6B+pNC0wNg7DoHDOXTNKmjlzoOky9U7pq4vlslFGmgNFe79gq9qMupmBXlNA8RA==', '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', 'rWnm5zsP7PFLoFACDwnqzRiV1xnrKEWv/xFAdBaic0rIijxcHr23EBdVBiSQlF9td5AEbvAsbRY1OdNDSQW+8w=='
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1416:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1948:120:WilError_01
            Source: C:\Users\user\AppData\Roaming\svchost.exeMutant created: \Sessions\1\BaseNamedObjects\DcRatMutex_stankakusust
            Source: C:\Users\user\Desktop\af5Cop6pCN.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: af5Cop6pCN.exe, u0007/u0004.csCryptographic APIs: 'CreateDecryptor'
            Source: svchost.exe.0.dr, u0007/u0004.csCryptographic APIs: 'CreateDecryptor'
            Source: C:\Users\user\AppData\Roaming\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\AppData\Roaming\svchost.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: af5Cop6pCN.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: af5Cop6pCN.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

            Data Obfuscation

            Source: af5Cop6pCN.exe, u0007/u0001.cs | .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
            Source: svchost.exe.0.dr, u0007/u0001.cs | .Net Code: \x04 System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

            Persistence and Installation Behavior

            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (dropped file)

            Boot Survival

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
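The schtasks chain recorded in this report (cmd.exe /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"', listed both under the process-creation entries and here under Boot Survival) is the kind of command line a detection engineer wants to score directly from process-creation logs: a logon trigger, the highest run level, a task named after a system binary, and an action path in a user-writable directory. The Python below is an added example written for this report, not Joe Sandbox's code and not the malware's: it tokenizes the recorded command lines, extracts the /sc, /rl, /tn and /tr switches and scores the combination. The masquerade name list, the directory patterns, the equal weights and the BENIGN_LINE control are assumptions of the example.

```python
"""Triage `schtasks /create` command lines from process-creation telemetry.

Added example for this report, not Joe Sandbox's own code. REPORT_LINES are
the command lines the report recorded; the rule set, the weights and the
BENIGN_LINE control are this example's assumptions.
"""
import ntpath
import re

# Windows binaries that legitimately live only under System32/SysWOW64 and are
# common masquerade names for dropped payloads (assumed list; extend as needed).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "dllhost.exe",
    "conhost.exe", "explorer.exe", "taskhostw.exe", "runtimebroker.exe",
}
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(?:system32|syswow64)\\", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\(?:users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.I)

# One token = a single-quoted run, a double-quoted run, or a bare word.
_TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")
_BREAK = {"&", "&&", "|", "||"}  # cmd.exe operators that end the schtasks argument list

# Command lines as recorded in the report (cmd.exe wrapper and the bare schtasks call).
REPORT_LINES = [
    r'''"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit''',
    r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'""",
]
# Constructed control line: a plausible legitimate task that should score 0.
BENIGN_LINE = (r'schtasks /create /sc daily /st 02:00 /tn "AcmeBackup" '
               r'/tr "C:\Program Files\Acme\backup.exe"')


def _unquote(tok):
    """Strip nested outer quotes, e.g. '"C:\\x.exe"' -> C:\\x.exe."""
    while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        tok = tok[1:-1]
    return tok


def parse_schtasks(cmdline):
    """Return {switch: value or True} for the first `schtasks /create` in cmdline, else None.

    Handles the `cmd.exe /c` wrapper and stops at the `&` that chains `exit`.
    """
    toks = [_unquote(t) for t in _TOKEN.findall(cmdline)]
    start = next((i for i, t in enumerate(toks)
                  if ntpath.basename(t).lower() in ("schtasks", "schtasks.exe")), None)
    if start is None:
        return None
    args, i = {}, start + 1
    while i < len(toks) and toks[i] not in _BREAK:
        tok = toks[i]
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/") and nxt not in _BREAK:
                args[tok[1:].lower()] = nxt   # switch with a value (/sc onlogon)
                i += 2
                continue
            args[tok[1:].lower()] = True      # bare switch (/create, /f)
        i += 1
    return args if "create" in args else None


def triage(cmdline):
    """Score a command line 0-100 with reasons; None when it creates no scheduled task."""
    args = parse_schtasks(cmdline)
    if args is None:
        return None
    reasons = []
    trigger = str(args.get("sc", "")).lower()
    if trigger in ("onlogon", "onstart"):
        reasons.append(f"boot/logon trigger (/sc {trigger})")
    if str(args.get("rl", "")).lower() == "highest":
        reasons.append("runs with the highest available privileges (/rl highest)")
    if args.get("f") is True:
        reasons.append("/f silently replaces an existing task of the same name")
    name = str(args.get("tn", "")).lower()
    if name in SYSTEM_BINARY_NAMES or name + ".exe" in SYSTEM_BINARY_NAMES:
        reasons.append(f"task name mimics a system binary ({name})")
    action = str(args.get("tr", ""))
    exe = action if action.lower().endswith(".exe") else action.split(" ", 1)[0]
    base = ntpath.basename(exe).lower()
    if base in SYSTEM_BINARY_NAMES and not SYSTEM_DIRS.match(exe):
        reasons.append(f"{base} started from outside System32: {exe}")
    if USER_WRITABLE.match(exe):
        reasons.append("task action lives in a user-writable directory")
    # Equal weights, capped at 100; a production rule would weight the signals.
    return min(100, 20 * len(reasons)), reasons


if __name__ == "__main__":
    for line in REPORT_LINES + [BENIGN_LINE]:
        print(triage(line), "<-", line[:70])
```

Both recorded lines reach the maximum score from six independent signals, while the constructed daily-backup task scores zero; the bat-file wrapper line from the report (cmd.exe /c ""...tmp5ECD.tmp.bat"") returns None because the schtasks call only appears once the batch file runs, which is why the child schtasks.exe event, not the parent cmd.exe event, is the one to alert on.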

            Hooking and other Techniques for Hiding and Protection

            Source: initial sample | Icon embedded in binary file: icon matches a legit application icon: google.png
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process information set: NOOPENFILEERRORBOX (29 occurrences)
            Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: NOOPENFILEERRORBOX (71 occurrences)

            Malware Analysis System Evasion

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe TID: 5264 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 2904 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 3276 | Thread sleep count: 104 > 30
            Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 1032 | Thread sleep count: 9788 > 30
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (2 occurrences)
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Window / User API: threadDelayed 9788
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477 (2 occurrences)
            Note: 922337203685477 is Int64.MaxValue / 10^4, i.e. System.TimeSpan.MaxValue expressed in milliseconds (truncated), so these delays are effectively infinite: the thread parks itself instead of returning, which is why the sample stops executing while sleeping in an analysis system that waits for the process to finish.
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | File Volume queried: C:\ FullSizeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | File Volume queried: C:\ FullSizeInformation (2 occurrences)
            Source: svchost.exe, 00000008.00000003.369120788.000000001BC19000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585145466.000000001BC00000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
            Source: svchost.exe, 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process token adjusted: Debug
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Process token adjusted: Debug
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Memory allocated: page read and write | page guard

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 3.72.110.63 9087
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: pastebin.com
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Domain query: termsiya.duckdns.org
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 104.20.67.143 443
            Source: af5Cop6pCN.exe, u0002/u0002.cs | Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
            Source: af5Cop6pCN.exe, u0005/u0001.cs | Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
            Source: svchost.exe.0.dr, u0002/u0002.cs | Reference to suspicious API methods: ('\\x01', 'OpenProcess@kernel32.dll')
            Source: svchost.exe.0.dr, u0005/u0001.cs | Reference to suspicious API methods: ('\\x01', 'GetProcAddress@kernel32'), ('\\x01', 'LoadLibraryA@kernel32')
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
            Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
            Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577152515.00000000032A9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager(
            Source: svchost.exe, 00000008.00000002.577270093.00000000032B1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.577294907.00000000032B4000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.584908795.000000001BB86000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
            Source: svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Program Manager0y
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Queries volume information: C:\Users\user\Desktop\af5Cop6pCN.exe VolumeInformation
            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Roaming\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation (both svchost.exe instances)
            Source: C:\Users\user\Desktop\af5Cop6pCN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
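The network findings in this section (the dropped svchost.exe resolving pastebin.com and termsiya.duckdns.org, then connecting to 104.20.67.143:443 and 3.72.110.63:9087) are individually weak signals: browsers talk to pastebin and home users run DuckDNS. They become a strong signal only when correlated per process with where the image runs from. The Python below is an added example written for this report, not Joe Sandbox's code: it groups constructed DNS and connection events by PID and scores a paste-service lookup, a dynamic-DNS lookup, a non-standard destination port and a system-binary name running outside System32. The hosts, IPs and ports are the report's; the PID assignment, the benign firefox.exe control process, the provider lists and the weights are assumptions of the example.

```python
"""Correlate per-process DNS and connection events into a C2 verdict.

Added example for this report, not Joe Sandbox's own code. Hosts, IPs and
ports come from the report; PIDs, the firefox.exe control process, the
provider lists and the weights are assumptions.
"""
import ntpath
from collections import defaultdict

# Dynamic-DNS providers and paste services commonly abused by commodity RATs (assumed lists).
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "no-ip.com", "ddns.net",
                   "hopto.org", "zapto.org", "dynu.net")
PASTE_HOSTS = {"pastebin.com", "paste.ee", "hastebin.com", "rentry.co"}
COMMON_PORTS = {22, 25, 53, 80, 443, 465, 587, 993, 995, 8080, 8443}
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                       "dllhost.exe", "conhost.exe"}
# A paste lookup alone is common; the other three signals carry the weight (assumed).
WEIGHTS = {"masquerade": 30, "dyndns": 30, "odd_port": 30, "paste": 10}

RAT = r"C:\Users\user\AppData\Roaming\svchost.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"   # constructed control process
EVENTS = [  # constructed from the report's findings; PID 1016 is one of the svchost.exe instances it lists
    {"pid": 1016, "image": RAT, "kind": "dns", "host": "pastebin.com"},
    {"pid": 1016, "image": RAT, "kind": "connect", "dst": "104.20.67.143", "port": 443},
    {"pid": 1016, "image": RAT, "kind": "dns", "host": "termsiya.duckdns.org"},
    {"pid": 1016, "image": RAT, "kind": "connect", "dst": "3.72.110.63", "port": 9087},
    {"pid": 4321, "image": BROWSER, "kind": "dns", "host": "pastebin.com"},
    {"pid": 4321, "image": BROWSER, "kind": "connect", "dst": "104.20.67.143", "port": 443},
]


def is_dyndns(host):
    """True when host is a dynamic-DNS provider domain or a label under one."""
    h = host.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in DYNDNS_SUFFIXES)


def is_masquerade(image):
    """True when a System32-only binary name runs from anywhere but System32/SysWOW64."""
    low = image.lower()
    return (ntpath.basename(low) in SYSTEM_BINARY_NAMES
            and not low.startswith(("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")))


def correlate(events):
    """Return {pid: {"image", "score", "signals"}} from a flat event list."""
    by_pid = defaultdict(list)
    for ev in events:
        by_pid[ev["pid"]].append(ev)
    verdicts = {}
    for pid, evs in by_pid.items():
        image, signals = evs[0]["image"], []
        if is_masquerade(image):
            signals.append(("masquerade",
                            f"{ntpath.basename(image)} running from {ntpath.dirname(image)}"))
        for ev in evs:
            if ev["kind"] == "dns":
                h = ev["host"].lower()
                if h in PASTE_HOSTS:
                    signals.append(("paste", f"resolves paste service {h} (C2 address likely fetched from a paste)"))
                elif is_dyndns(h):
                    signals.append(("dyndns", f"resolves dynamic-DNS host {h}"))
            elif ev["kind"] == "connect" and ev["port"] not in COMMON_PORTS:
                signals.append(("odd_port", f"connects to {ev['dst']}:{ev['port']} on a non-standard port"))
        score = min(100, sum(WEIGHTS[kind] for kind, _ in signals))
        verdicts[pid] = {"image": image, "score": score, "signals": [text for _, text in signals]}
    return verdicts


if __name__ == "__main__":
    for pid, v in correlate(EVENTS).items():
        print(pid, v["score"], v["image"])
        for s in v["signals"]:
            print("   -", s)
```

The RAT process collects all four signals and scores 100; the browser, which also looked up pastebin.com and reached the same Cloudflare address on 443, scores 10. Keying the masquerade check on the image path rather than the name alone is what separates the two, since the name svchost.exe is identical in both the dropped file and the legitimate service host.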

            Lowering of HIPS / PFW / Operating System Security Settings

            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
            Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: MSASCui.exe
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: procexp.exe
            Source: svchost.exe, 00000008.00000003.448206192.000000001BBCF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.585203181.000000001BC15000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
            Source: af5Cop6pCN.exe, 00000000.00000000.303215862.0000000000B42000.00000002.00000001.01000000.00000003.sdmp, af5Cop6pCN.exe, 00000000.00000002.328088299.0000000012FB8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr | Binary or memory string: MsMpEng.exe

            Stealing of Sensitive Information

            Source: Yara match | File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: af5Cop6pCN.exe PID: 4856, type: MEMORYSTR
            Source: Yara match | File source: Process Memory Space: svchost.exe PID: 1016, type: MEMORYSTR
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 1 Windows Management Instrumentation | 2 Scheduled Task/Job | 112 Process Injection | 1 Disable or Modify Tools | OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Web Service | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | 1 Scripting | Boot or Logon Initialization Scripts | 2 Scheduled Task/Job | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 13 System Information Discovery | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | 1 Native API | Logon Script (Windows) | Logon Script (Windows) | 1 Scripting | Security Account Manager | 1 Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | 11 Encrypted Channel | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | 2 Scheduled Task/Job | Logon Script (Mac) | Logon Script (Mac) | 11 Obfuscated Files or Information | NTDS | 121 Security Software Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | 1 Non-Standard Port | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 1 Software Packing | LSA Secrets | 2 Process Discovery | SSH | Keylogging | Data Transfer Size Limits | 2 Non-Application Layer Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 21 Masquerading | Cached Domain Credentials | 21 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Exfiltration Over C2 Channel | 23 Application Layer Protocol | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | 21 Virtualization/Sandbox Evasion | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | 112 Process Injection | Proc Filesystem | 1 Remote System Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 708255, Sample: af5Cop6pCN.exe, Start date: 23/09/2022, Architecture: WINDOWS, Score: 100
Signatures on the sample (root node): Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures
Process tree:
• af5Cop6pCN.exe started
  • dropped C:\Users\user\AppData\Roaming\svchost.exe (PE32)
  • dropped C:\Users\user\AppData\...\af5Cop6pCN.exe.log (ASCII)
  • signature: Drops PE files with benign system names
  • cmd.exe started
    • svchost.exe started
      • DNS/IP: termsiya.duckdns.org, 3.72.110.63 (port 9087, local port 49708), AMAZON-02US, United States
      • DNS/IP: pastebin.com, 104.20.67.143 (port 443, local port 49707), CLOUDFLARENETUS, United States
      • DNS/IP: windowsupdatebg.s.llnwi.net
      • signature: System process connects to network (likely due to code injection or exploit)
    • conhost.exe started
    • timeout.exe started
  • cmd.exe started
    • signature: Uses schtasks.exe or at.exe to add and modify task schedules
    • conhost.exe started
    • schtasks.exe started
• svchost.exe started
  • signatures: Antivirus detection for dropped file; System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Initial Sample:
Source | Detection | Scanner | Label | Link
af5Cop6pCN.exe | 92% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla |
af5Cop6pCN.exe | 46% | Metadefender | | Browse
af5Cop6pCN.exe | 100% | Avira | HEUR/AGEN.1235730 |
af5Cop6pCN.exe | 100% | Joe Sandbox ML | |
Dropped Files:
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | HEUR/AGEN.1235730 |
C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML | |
Unpacked PE Files:
Source | Detection | Scanner | Label | Link | Download
0.0.af5Cop6pCN.exe.b40000.0.unpack | 100% | Avira | HEUR/AGEN.1235730 | | Download File
Domains: No Antivirus matches
URLs:
Source | Detection | Scanner | Label | Link
<!Cv | 0% | Avira URL Cloud | safe |
https://pastebin.com8 | 0% | Avira URL Cloud | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
pastebin.com | 104.20.67.143 | true | false | | high
termsiya.duckdns.org | 3.72.110.63 | true | true | | unknown
windowsupdatebg.s.llnwi.net | 95.140.230.192 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://pastebin.com/raw/pffCggZp | false | | high
<!Cv | true | Avira URL Cloud: safe | low
Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | af5Cop6pCN.exe, 00000000.00000002.324797185.0000000003246000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.578365156.0000000003376000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://pastebin.com | svchost.exe, 00000008.00000002.578858102.00000000033D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com | svchost.exe, 00000008.00000002.578807116.00000000033C6000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://pastebin.com8 | svchost.exe, 00000008.00000002.579176339.0000000003428000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
3.72.110.63 | termsiya.duckdns.org | United States | 16509 | AMAZON-02US | true
104.20.67.143 | pastebin.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 708255
Start date and time: 2022-09-23 08:14:53 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 47s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: af5Cop6pCN.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/7@2/2
EGA Information:
• Successful, ratio: 33.3%
HDC Information: Failed
HCA Information:
• Successful, ratio: 93%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 95.140.230.192
• Excluded domains from analysis (whitelisted): login.live.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, arc.msn.com, wu-bg-shim.trafficmanager.net
• Execution Graph export aborted for target af5Cop6pCN.exe, PID 4856 because it is empty
• Execution Graph export aborted for target svchost.exe, PID 1120 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• VT rate limit hit for: af5Cop6pCN.exe
Time | Type | Description
08:15:56 | Task Scheduler | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
Process: C:\Users\user\AppData\Roaming\svchost.exe
File Type: Microsoft Cabinet archive data, 61745 bytes, 1 file
Category: dropped
Size (bytes): 61745
Entropy (8bit): 7.9946980850644
Encrypted: true
SSDEEP: 768:chu+lK9x0bQ39uYFd7JuxDYQpxtxbVUt1bgZZisGRGL1V0u17ifoio8w/FFdG1Cb:klKIEvJJQjlZw9kEuQ1mFdGcLjx/eWL
MD5: 6C6A24456559F305308CB1FB6C5486B3
SHA1: 3273AC27D78572F16C3316732B9756EBC22CB6ED
SHA-256: EFC3C579BD619CEAB040C4B8C1B821B2D82C64FDDD9E80A00EC0D7F6577ED973
SHA-512: 587D4A9175A6AA82CD8BB1C11CA6508F95CD218F76AC322DDBD1BC7146A0E25F8937EE426A6FB0FB0BB045CEDB24D8C8A9EDFE9F654112F293D8701220F726B4
Malicious: false
                          Preview:MSCF....1.......,...................I........z.........T.M .authroot.stl.7....4..CK..<Tk...c.5..!g..R#DdwE..Y.e..AH......$E.KB..D..%*J....T7....}......9....o..$.&<..qE.^.8+..&...O....`...+..C......`h!...@.(K..1Q.L.p.g.i...B..u..H..g$...f.**"..5x.%.E.-.#..,.....E#Q.m.W.....*.$T...Bp{.2.|.f....S...L0...Z.=..C.....u\......Y..s.ls.M.K...Y_..9F*iF.F......;3.H....ql.Q..K..~.%3+z..S..."....b.H..M.lk..Y..q.Ln.y"._......K...d..`.o...!....|..pm..!....|.#-.....{...s.cW0.....;.....Ba....r0.w..L.#.v.&_!.?hcp.SI....GH.6.j...P..(8g..... Lt.`......h<.i.0............v......{.!........4E...q.*im.#.J.j[...M..R..w.;.3 ...U`eK2'...\n.. d.F.dV.#......J.....'..U.4...p.b.E.."y%|x..5\...Oo.......B.'.D..L<.'.......o...pbM.......eh,.b...m.:XJ...wa........dM.j.........+./......."4...t..5..r9.l.. "h.{.n.....E...9.uk.....eM..)['.F.#.6m...wY.L...T9..E.L...j.q.....!_u....-a..r,.H.B <..t..8S.....'.2.........w.3.....~...m|-.IA......F9G.......1...\..\)6.H.<...
Process: C:\Users\user\AppData\Roaming\svchost.exe
File Type: data
Category: modified
Size (bytes): 290
Entropy (8bit): 2.9849106129347183
Encrypted: false
SSDEEP: 6:kKKUw6joSN+SkQlPlEGYRMY9z+4KlDA3RUe/:iPkPlE99SNxAhUe/
MD5: 0A24000D2533F1DB86BCDD6B1D3A67C5
SHA1: E1CB7831AD96C125559F2C2EA100F1B06A35D631
SHA-256: 1E0841BFC0239DDBBD3EDCAB1B695741525F1A61D2E620857C2E753FCBC19E42
SHA-512: B5A11055321A905CF4ED90885954DA66D982660CD08F4D9A90AF618FB2D075FF2D54A4C6980D2AA2F0FFC5E68E20DD01A6FB6A6183CF2A21306E71A16F4DCA42
Malicious: false
                          Preview:p...... ........A.......(....................................................... ........$_C....................1...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
Process: C:\Users\user\Desktop\af5Cop6pCN.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.351599573976469
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
MD5: BEBB66F4CB83D5C34857FE75DE3A8610
SHA1: 66FB475AADAE0D4542125C8E272D9D6BBFA555BB
SHA-256: C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
SHA-512: 45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
Malicious: true
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
Process: C:\Users\user\AppData\Roaming\svchost.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.351599573976469
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
MD5: BEBB66F4CB83D5C34857FE75DE3A8610
SHA1: 66FB475AADAE0D4542125C8E272D9D6BBFA555BB
SHA-256: C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
SHA-512: 45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
Malicious: false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..
Process: C:\Users\user\Desktop\af5Cop6pCN.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 151
Entropy (8bit): 5.01924739101347
Encrypted: false
SSDEEP: 3:mKDDCMNqTtvL5ot+kiEaKC5ZACSmqRDt+kiE2J5xAInTRI6fIV5ZPy:hWKqTtT6wknaZ5Omq1wkn23fTbok
MD5: 0275960B1A2EDAF670AECD394006F2F0
SHA1: 0514DE3160222AD806EF30F1249BF8F3131E78D2
SHA-256: 26DF3ED9CE964E53E16A1CC530C5171A90CF36BD79F916A3C9E036C75C03A596
SHA-512: D710C4276828455E9E54207F448674A64CC455F546F70FF0F5C204DB0FDED2AD5D63DE4E5C812040D037DFD35A04681B3437909EAFD6F0742D811D01A9657B17
Malicious: false
                          Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp5ECD.tmp.bat" /f /q..
Process: C:\Users\user\Desktop\af5Cop6pCN.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 282112
Entropy (8bit): 5.43867724754543
Encrypted: false
SSDEEP: 3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt
MD5: 32A56B4E67436BDD3D39809A9BE949B8
SHA1: DAC60CA2763D18CE9451B28F4D0A1D9FBDC3F4FC
SHA-256: 5F6475A6D18503FBC2EB916E32ED1D6B4769F58D364EF2F94C2FD1A52C9AA1DF
SHA-512: 70B8DC7B1509CFA3975C97BAA4A2B49746FAC2438307AB97AE67BDD0E98D2D26E05F2E83C0349234B4DEB9314715AEA01084FD11E7F77B2D4BBA856AA7726E47
Malicious: true
Yara Hits:
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding bas64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
• Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b............................R.... ........@.. ....................................@.....................................J.......V............................................................................ ............... ..H............text...X.... ...................... ..`.rsrc...V...........................@..@.reloc...............L..............@..B................8.......H.......|............... ................................................0...............8....8.....X.T+.8.....XJE........2...@.......r.......%...4...........7...9...Q..._...8....8[.....X8Y.....XJ.XT.~....-.&.+.8G.....X.T.+.++.8=....8.....,[89.....XJ~....81.../6..8d.....~....:X...&.8Q... ....(.....~....:<...&.85....,.(....-..8%...+..~....:....&.8.......8.....(!...-F.~....-.&.+....XJE........$.......+.(*....~....-.&.+.(-....~....,.&.+..*...&.~....,.&.+...XJE........+........X.
Process: C:\Windows\System32\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
                          Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.43867724754543
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: af5Cop6pCN.exe
File size: 282112
MD5: 32a56b4e67436bdd3d39809a9be949b8
SHA1: dac60ca2763d18ce9451b28f4d0a1d9fbdc3f4fc
SHA256: 5f6475a6d18503fbc2eb916e32ed1d6b4769f58d364ef2f94c2fd1a52c9aa1df
SHA512: 70b8dc7b1509cfa3975c97baa4a2b49746fac2438307ab97ae67bdd0e98d2d26e05f2e83c0349234b4deb9314715aea01084fd11e7f77b2d4bba856aa7726e47
SSDEEP: 3072:KxWdQMVESKpObIWR9NmLp9yei5KG4ZGYV8cVpFY:KxWGYKg94rJZt
TLSH: CF54A60113D1EBBBEDD2297F8F73C207165F6B8163B5AD962C40554EBA12E5720D3A0E
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....c.b............................R.... ........@.. ....................................@................................
Icon Hash: 70d4828c88c2e471
Entrypoint: 0x41b052
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x62CF63D4 [Thu Jul 14 00:31:16 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entrypoint):
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times: the zero bytes that follow the CLR entry stub disassemble to this instruction)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1b008 | 0x4a | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1c000 | 0x2b656 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x48000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x19058 | 0x19200 | False | 0.5033523787313433 | data | 5.832513098107651 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x1c000 | 0x2b656 | 0x2b800 | False | 0.1814947018678161 | data | 4.751075003232281 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x48000 | 0xc | 0x200 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x1c0ac | 0x2d6b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | |
RT_ICON | 0x1ee3b | 0x10828 | dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x2f687 | 0x94a8 | data | |
RT_ICON | 0x38b53 | 0x5488 | data | |
RT_ICON | 0x3dfff | 0x4228 | dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 16318463, next used block 4294909696 | |
RT_ICON | 0x4224b | 0x25a8 | data | |
RT_ICON | 0x44817 | 0x10a8 | data | |
RT_ICON | 0x458e3 | 0x988 | data | |
RT_ICON | 0x4628f | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x46733 | 0x84 | data | |
RT_VERSION | 0x467f3 | 0x3a4 | data | |
RT_MANIFEST | 0x46bd3 | 0xa83 | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                          DLL          Import
                          mscoree.dll  _CorExeMain
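The static tables above (data directories, sections, resources, imports) can be cross-checked against each other: every non-empty data directory should fall inside a section, the resource entries should sit inside .rsrc without overlapping, and a managed executable should show exactly the pattern seen here, a CLR header (COM_DESCRIPTOR) plus a single native import, mscoree.dll!_CorExeMain, which agrees with the "Programmed in: .Net C# or VB.NET" process attribute later in the report. The script below is an added example, not part of the Joe Sandbox report; every number is copied from the tables above, while the function names and the checks are mine. One caveat on the resource types: the "dBase IV DBT" and "GLS_BINARY_LSB_FIRST" labels are libmagic guesses on headerless DIB icon bitmaps, not embedded database files; only the 256x256 entry is genuinely a PNG.

```python
"""Cross-check the section, data-directory, resource and import tables of the report.

Added example; not part of the Joe Sandbox report. Every numeric value is copied
from the report's tables; the helper names and the checks themselves are mine.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int


# Section table as reported (virtual address, virtual size, raw size)
SECTIONS = [
    Section(".text", 0x2000, 0x19058, 0x19200),
    Section(".rsrc", 0x1C000, 0x2B656, 0x2B800),
    Section(".reloc", 0x48000, 0xC, 0x200),
]

# The non-empty data directories: name -> (RVA, size)
DATA_DIRECTORIES = {
    "IMAGE_DIRECTORY_ENTRY_BASERELOC": (0x48000, 0xC),
    "IMAGE_DIRECTORY_ENTRY_IAT": (0x2000, 0x8),
    "IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR": (0x2008, 0x48),
}

# Resource entries as reported: (type, RVA, size)
RESOURCES = [
    ("RT_ICON", 0x1C0AC, 0x2D6B),
    ("RT_ICON", 0x1EE3B, 0x10828),
    ("RT_ICON", 0x2F687, 0x94A8),
    ("RT_ICON", 0x38B53, 0x5488),
    ("RT_ICON", 0x3DFFF, 0x4228),
    ("RT_ICON", 0x4224B, 0x25A8),
    ("RT_ICON", 0x44817, 0x10A8),
    ("RT_ICON", 0x458E3, 0x988),
    ("RT_ICON", 0x4628F, 0x468),
    ("RT_GROUP_ICON", 0x46733, 0x84),
    ("RT_VERSION", 0x467F3, 0x3A4),
    ("RT_MANIFEST", 0x46BD3, 0xA83),
]

# Import table as reported: the only native import of a .NET EXE
IMPORTS = {"mscoree.dll": ["_CorExeMain"]}


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose address range contains rva, or None.
    The range uses the larger of virtual size (what the loader maps, before
    rounding to SectionAlignment) and raw size (what is present on disk)."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            return s.name
    return None


def directory_sections(dirs=DATA_DIRECTORIES):
    """Map every non-empty data directory to the section that holds it (None = outside all)."""
    return {name: section_for_rva(rva) for name, (rva, _size) in dirs.items()}


def check_resources(resources=RESOURCES, sections=SECTIONS):
    """Return (problems, trailing_bytes): entries outside .rsrc or overlapping each
    other, and how many bytes of .rsrc remain after the last resource. A non-zero
    tail means data follows the last resource and deserves a look."""
    rsrc = next(s for s in sections if s.name == ".rsrc")
    rsrc_end = rsrc.virtual_address + rsrc.virtual_size
    problems, prev_end = [], rsrc.virtual_address
    for kind, rva, size in sorted(resources, key=lambda r: r[1]):
        if rva < rsrc.virtual_address or rva + size > rsrc_end:
            problems.append(f"{kind} at {rva:#x} lies outside .rsrc")
        if rva < prev_end:
            problems.append(f"{kind} at {rva:#x} overlaps the previous entry")
        prev_end = rva + size
    return problems, rsrc_end - prev_end


def is_managed_exe(dirs=DATA_DIRECTORIES, imports=IMPORTS) -> bool:
    """A .NET executable carries a CLR header (the COM_DESCRIPTOR directory) and its
    only native import is mscoree.dll!_CorExeMain, the stub that starts the runtime."""
    _rva, size = dirs.get("IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR", (0, 0))
    return size > 0 and imports == {"mscoree.dll": ["_CorExeMain"]}


if __name__ == "__main__":
    print(directory_sections())
    print(check_resources())
    print("managed .NET EXE:", is_managed_exe())
```

For this sample the resource entries are contiguous and the last one (RT_MANIFEST) ends exactly at the .rsrc virtual size boundary (0x46bd3 + 0xa83 = 0x1c000 + 0x2b656 = 0x47656), so there is no hidden tail inside the section; the 0x48 bytes at 0x2008 are the CLR header, and the 8-byte IAT at 0x2000 is the single _CorExeMain slot.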
                          Timestamp                 Protocol  SID      Message                                                      Source Port  Dest Port  Source IP    Dest IP
                          09/23/22-08:16:16.887686  TCP       2848152  ETPRO TROJAN Observed Malicious SSL Cert (AsyncRAT Variant)  9087         49708      3.72.110.63  192.168.2.4
                          09/23/22-08:16:16.887686  TCP       2034847  ET TROJAN Observed Malicious SSL Cert (AsyncRAT)             9087         49708      3.72.110.63  192.168.2.4
                          Timestamp                             Source Port  Dest Port  Source IP      Dest IP
                          Sep 23, 2022 08:16:15.904928923 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:15.904983044 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:15.905143023 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:15.978910923 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:15.978955030 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.038691044 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.038902998 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.058886051 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.058912039 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.059443951 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.114991903 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.517368078 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.550949097 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.551053047 CEST  443          49707      104.20.67.143  192.168.2.4
                          Sep 23, 2022 08:16:16.551131010 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.560657024 CEST  49707        443        192.168.2.4    104.20.67.143
                          Sep 23, 2022 08:16:16.768956900 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:16.788619041 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:16.788811922 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:16.866048098 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:16.887686014 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:16.903249025 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:16.924741983 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:17.083888054 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:27.872695923 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:27.942609072 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:27.942790031 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:28.005429983 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:41.026510000 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:41.099261045 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:41.099368095 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:41.119456053 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:41.288949966 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:41.308408022 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:41.464027882 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:45.543930054 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:45.789335966 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:45.809439898 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:45.976874113 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:46.498739004 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:46.570760965 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:46.570938110 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:46.646563053 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:53.994374037 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:54.068476915 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:54.069508076 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:54.089812994 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:54.205245018 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:54.224791050 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:54.229171991 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:54.302839994 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:16:54.303117990 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:16:54.365385056 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:07.088820934 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:07.162601948 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:07.162787914 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:07.182740927 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:07.228696108 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:07.248019934 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:07.251569033 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:07.319298029 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:07.319509983 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:07.381428003 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:15.542717934 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:15.588712931 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:15.610255957 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:15.651313066 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.152755976 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.212085962 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:20.212295055 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.240494013 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:20.293848991 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.313848019 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:20.321336031 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.384012938 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:20.384171963 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:20.449337006 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:33.247617006 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:33.321877003 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:33.322803020 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:33.342842102 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:33.402740002 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:33.422184944 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:33.424719095 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:33.495209932 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:33.495389938 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:33.556210995 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:45.548614025 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:45.614175081 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:45.635935068 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:45.814027071 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:46.309535027 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:46.369138956 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:46.388631105 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:46.408622980 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:46.621927977 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:46.641309023 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:46.705971003 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Sep 23, 2022 08:17:46.775481939 CEST  9087         49708      3.72.110.63    192.168.2.4
                          Sep 23, 2022 08:17:46.777625084 CEST  49708        9087       192.168.2.4    3.72.110.63
                          Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                          Sep 23, 2022 08:16:15.844961882 CEST  52239        53         192.168.2.4  8.8.8.8
                          Sep 23, 2022 08:16:15.864907026 CEST  53           52239      8.8.8.8      192.168.2.4
                          Sep 23, 2022 08:16:16.656079054 CEST  56807        53         192.168.2.4  8.8.8.8
                          Sep 23, 2022 08:16:16.766113997 CEST  53           56807      8.8.8.8      192.168.2.4
                          Timestamp                             Source IP    Dest IP  Trans ID  OP Code             Name                  Type            Class        DNS over HTTPS
                          Sep 23, 2022 08:16:15.844961882 CEST  192.168.2.4  8.8.8.8  0xbe57    Standard query (0)  pastebin.com          A (IP address)  IN (0x0001)  false
                          Sep 23, 2022 08:16:16.656079054 CEST  192.168.2.4  8.8.8.8  0x5ae4    Standard query (0)  termsiya.duckdns.org  A (IP address)  IN (0x0001)  false
                          Timestamp                             Source IP  Dest IP      Trans ID  Reply Code    Name                         CName  Address         Type            Class        DNS over HTTPS
                          Sep 23, 2022 08:16:15.864907026 CEST  8.8.8.8    192.168.2.4  0xbe57    No error (0)  pastebin.com                        104.20.67.143   A (IP address)  IN (0x0001)  false
                          Sep 23, 2022 08:16:15.864907026 CEST  8.8.8.8    192.168.2.4  0xbe57    No error (0)  pastebin.com                        172.67.34.170   A (IP address)  IN (0x0001)  false
                          Sep 23, 2022 08:16:15.864907026 CEST  8.8.8.8    192.168.2.4  0xbe57    No error (0)  pastebin.com                        104.20.68.143   A (IP address)  IN (0x0001)  false
                          Sep 23, 2022 08:16:16.766113997 CEST  8.8.8.8    192.168.2.4  0x5ae4    No error (0)  termsiya.duckdns.org                3.72.110.63     A (IP address)  IN (0x0001)  false
                          Sep 23, 2022 08:16:17.181047916 CEST  8.8.8.8    192.168.2.4  0xfb9b    No error (0)  windowsupdatebg.s.llnwi.net         95.140.230.192  A (IP address)  IN (0x0001)  false
                          • pastebin.com
                          Session ID  Source IP    Source Port  Destination IP  Destination Port  Process
                          0           192.168.2.4  49707        104.20.67.143   443               C:\Users\user\AppData\Roaming\svchost.exe
                          Timestamp                kBytes transferred  Direction  Data
                          2022-09-23 06:16:16 UTC  0                   OUT        GET /raw/pffCggZp HTTP/1.1
                                                                                  Host: pastebin.com
                                                                                  Connection: Keep-Alive
                          2022-09-23 06:16:16 UTC  0                   IN         HTTP/1.1 200 OK
                                                                                  Date: Fri, 23 Sep 2022 06:16:16 GMT
                                                                                  Content-Type: text/plain; charset=utf-8
                                                                                  Transfer-Encoding: chunked
                                                                                  Connection: close
                                                                                  x-frame-options: DENY
                                                                                  x-content-type-options: nosniff
                                                                                  x-xss-protection: 1;mode=block
                                                                                  cache-control: public, max-age=1801
                                                                                  CF-Cache-Status: HIT
                                                                                  Age: 68
                                                                                  Last-Modified: Fri, 23 Sep 2022 06:15:08 GMT
                                                                                  Server: cloudflare
                                                                                  CF-RAY: 74f1268f4c7abba1-FRA
                          2022-09-23 06:16:16 UTC  0                   IN         Data Raw: 31 39 0d 0a 74 65 72 6d 73 69 79 61 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 3a 39 30 38 37 0d 0a
                                                                                  Data Ascii: 19termsiya.duckdns.org:9087
                          2022-09-23 06:16:16 UTC  0                   IN         Data Raw: 30 0d 0a 0d 0a
                                                                                  Data Ascii: 0
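The HTTP exchange above is the whole C2 bootstrap: the dropped svchost.exe fetches a raw paste with no User-Agent header, the body arrives chunked ("19" is the chunk size in hex, 0x19 = 25 bytes, followed by the zero-length terminating chunk), and the decoded text is the host:port of the controller. The DNS and TCP tables then show the dynamic-DNS name resolving to 3.72.110.63 and the outbound flow on 49708/tcp to 9087/tcp on which the two Snort signatures fired. The script below is an added example, not part of the report or of the malware: it decodes the chunked body, validates the host:port, checks the request for a User-Agent, and correlates the result with the DNS answers and the first packet of each TCP flow, all copied from the tables above. The dynamic-DNS suffix list is my own short assumption; extend it from a proper feed in production.

```python
"""Recover the AsyncRAT C2 endpoint from the pastebin reply and correlate it with
the DNS and TCP records of the report.

Added example; not code from the report or from the malware. The raw bytes, the
request, the DNS answers and the TCP flows are copied from the report's tables;
the function names and the dynamic-DNS suffix list are my own assumptions.
"""
import re

# Copied from the two "Data Raw" rows: one 0x19-byte chunk plus the terminating
# zero-length chunk (HTTP/1.1 chunked transfer coding).
CHUNKED_BODY = bytes.fromhex(
    "31 39 0d 0a 74 65 72 6d 73 69 79 61 2e 64 75 63 6b 64 6e 73 2e 6f 72 67 3a 39 30 38 37 0d 0a"
    " 30 0d 0a 0d 0a"
)

# The request exactly as recorded: only Host and Connection were sent.
RAW_REQUEST = "GET /raw/pffCggZp HTTP/1.1\r\nHost: pastebin.com\r\nConnection: Keep-Alive\r\n\r\n"

# (name, address) pairs from the DNS answer table
DNS_ANSWERS = [
    ("pastebin.com", "104.20.67.143"),
    ("pastebin.com", "172.67.34.170"),
    ("pastebin.com", "104.20.68.143"),
    ("termsiya.duckdns.org", "3.72.110.63"),
    ("windowsupdatebg.s.llnwi.net", "95.140.230.192"),
]

# First packet of each TCP flow in the table: (src_ip, src_port, dst_ip, dst_port)
TCP_FLOWS = [
    ("192.168.2.4", 49707, "104.20.67.143", 443),
    ("192.168.2.4", 49708, "3.72.110.63", 9087),
]

# Assumed: a few free dynamic-DNS providers commonly abused for C2 hosting.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net", "hopto.org")


def decode_chunked(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body: '<hex-size>[;ext]CRLF<data>CRLF' repeated,
    ended by a zero-size chunk. Raises ValueError on truncated or misframed input."""
    out = bytearray()
    pos = 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            raise ValueError("missing chunk-size line")
        size = int(body[pos:nl].split(b";")[0], 16)   # chunk extensions are ignored
        pos = nl + 2
        if size == 0:
            return bytes(out)                           # trailers, if any, are ignored
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("truncated or misframed chunk")
        out += chunk
        pos += size + 2


HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?):(?P<port>\d{1,5})$")


def parse_c2(payload: bytes):
    """Validate the decoded paste as a single 'host:port' line; (host, port) or None."""
    m = HOST_PORT.match(payload.decode("ascii", errors="replace").strip())
    if not m:
        return None
    port = int(m.group("port"))
    return (m.group("host").lower(), port) if 0 < port < 65536 else None


def is_dynamic_dns(host: str, suffixes=DYNDNS_SUFFIXES) -> bool:
    return any(host == s or host.endswith("." + s) for s in suffixes)


def missing_user_agent(raw_request: str) -> bool:
    """True when the request has no User-Agent header; browsers and most SDKs send one."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return not any(line.lower().startswith("user-agent:") for line in head.split("\r\n")[1:])


def correlate(body=CHUNKED_BODY, answers=DNS_ANSWERS, flows=TCP_FLOWS):
    """Tie the paste contents to the DNS resolution and the outbound flow that followed."""
    endpoint = parse_c2(decode_chunked(body))
    if endpoint is None:
        return None
    host, port = endpoint
    ips = {addr for name, addr in answers if name.lower() == host}
    return {
        "c2_host": host,
        "c2_port": port,
        "resolved": sorted(ips),
        "dynamic_dns": is_dynamic_dns(host),
        "nonstandard_port": port not in (80, 443),
        "flows": [f for f in flows if f[2] in ips and f[3] == port],
    }


if __name__ == "__main__":
    print("no User-Agent:", missing_user_agent(RAW_REQUEST))
    print(correlate())
```

Because the paste is fetched over TLS, a network sensor cannot read the C2 string itself; what it can see is exactly what the tables record, a DNS lookup of a dynamic-DNS name immediately after a pastebin.com session, followed by a long-lived TLS connection to the resolved address on a port that is neither 80 nor 443. Those three observations together are the detection, and the paste is where an analyst recovers the indicator to block.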


                          Target ID:0
                          Start time:08:15:46
                          Start date:23/09/2022
                          Path:C:\Users\user\Desktop\af5Cop6pCN.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\Desktop\af5Cop6pCN.exe"
                          Imagebase:0xb40000
                          File size:282112 bytes
                          MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.322788717.0000000000FF9000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000000.00000002.323004882.0000000002F61000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          Reputation:low

                          Target ID:1
                          Start time:08:15:53
                          Start date:23/09/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                          Imagebase:0x7ff632260000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:2
                          Start time:08:15:54
                          Start date:23/09/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7c72c0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:3
                          Start time:08:15:54
                          Start date:23/09/2022
                          Path:C:\Windows\System32\cmd.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp5ECD.tmp.bat""
                          Imagebase:0x7ff632260000
                          File size:273920 bytes
                          MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:4
                          Start time:08:15:54
                          Start date:23/09/2022
                          Path:C:\Windows\System32\schtasks.exe
                          Wow64 process (32bit):false
                          Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
                          Imagebase:0x7ff7c8230000
                          File size:226816 bytes
                          MD5 hash:838D346D1D28F00783B7A6C6BD03A0DA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:5
                          Start time:08:15:55
                          Start date:23/09/2022
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7c72c0000
                          File size:625664 bytes
                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high

                          Target ID:6
                          Start time:08:15:55
                          Start date:23/09/2022
                          Path:C:\Windows\System32\timeout.exe
                          Wow64 process (32bit):false
                          Commandline:timeout 3
                          Imagebase:0x7ff63f000000
                          File size:30720 bytes
                          MD5 hash:EB9A65078396FB5D4E3813BB9198CB18
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:moderate

                          Target ID:7
                          Start time:08:15:57
                          Start date:23/09/2022
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                          Imagebase:0xbc0000
                          File size:282112 bytes
                          MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.393533493.000000000108B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000007.00000002.394138023.0000000002FA1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                          • Rule: INDICATOR_SUSPICIOUS_EXE_B64_Artifacts, Description: Detects executables embedding base64-encoded APIs, command lines, registry keys, etc., Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                          • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                          • Rule: INDICATOR_SUSPICIOUS_EXE_DcRatBy, Description: Detects executables containing the string DcRatBy, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                          Antivirus matches:
                          • Detection: 100%, Avira
                          • Detection: 100%, Joe Sandbox ML

                          Target ID:8
                          Start time:08:15:59
                          Start date:23/09/2022
                          Path:C:\Users\user\AppData\Roaming\svchost.exe
                          Wow64 process (32bit):false
                          Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                          Imagebase:0xe00000
                          File size:282112 bytes
                          MD5 hash:32A56B4E67436BDD3D39809A9BE949B8
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:.Net C# or VB.NET
                          Yara matches:
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000003.368899181.00000000012CE000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.576457457.0000000003226000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: JoeSecurity_DcRat_2, Description: Yara detected DcRat, Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.579075120.0000000003418000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.575012374.00000000012C4000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.574615004.000000000129B000.00000004.00000020.00020000.00000000.sdmp, Author: unknown
                          • Rule: Windows_Trojan_DCRat_1aeea1ac, Description: unknown, Source: 00000008.00000002.575913817.00000000031D1000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
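The process tree above records the persistence step in full: Target ID 1 is cmd.exe wrapping a schtasks call, and Target ID 4 is the schtasks.exe child that registers an ONLOGON task named "svchost" with /rl highest, pointing at a copy of the sample under %APPDATA% (the "Drops PE files with benign system names" and "Uses schtasks.exe" signatures). The /tr value is wrapped in single quotes around double quotes, which cmd.exe passes through literally, so a parser has to strip both layers. The script below is an added example, not part of the report: it tokenises those command lines, extracts the switches, and applies the checks a detection engineer would want (logon trigger with highest privileges, task name borrowed from a system process, system-binary filename outside the Windows directory, user-writable target, /f overwrite). The two malicious lines are copied from Target ID 1 and 4; the benign comparison line, the system-binary name list, the trusted root and the user-writable markers are my own constructed assumptions.

```python
"""Flag the scheduled-task persistence recorded in the process tree.

Added example; not part of the report. The two command lines are copied from
Target ID 1 and Target ID 4 of the report; the benign comparison line, the
system-binary name list, the trusted root and the user-writable markers are mine.
"""
import re
from pathlib import PureWindowsPath

# Copied from the report: the cmd.exe wrapper and the schtasks child it spawned
SAMPLE_CMD_WRAPPED = r""""C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit"""
SAMPLE_CMD_DIRECT = r"""schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'"""
# Constructed benign task for comparison (hypothetical, not from the report)
BENIGN_CMD = r'''schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'''

# Assumed: Windows system process names that malware likes to borrow
SYSTEM_BINARIES = {"svchost", "lsass", "csrss", "winlogon", "explorer", "dllhost", "rundll32", "conhost"}
# Assumed: the only place a binary with one of those names should live
TRUSTED_ROOTS = ("c:\\windows\\",)
# Assumed: path fragments that mark user-writable locations
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")

# Tokens: single-quoted, double-quoted, or bare runs of non-whitespace
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def _unquote(tok: str) -> str:
    """Strip matching quote layers; the sample wraps the /tr path in '"..."'."""
    while len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'":
        tok = tok[1:-1]
    return tok


def parse_schtasks(cmdline: str):
    """Return {switch: value-or-True} for the schtasks invocation in cmdline, even when
    it is wrapped in cmd.exe /c ... & exit. None if no schtasks call is present."""
    toks = TOKEN.findall(cmdline)
    start = next((i for i, t in enumerate(toks)
                  if PureWindowsPath(_unquote(t)).stem.lower() == "schtasks"), None)
    if start is None:
        return None
    args, i = {}, start + 1
    while i < len(toks) and toks[i] != "&":          # '&' ends this command in cmd.exe
        tok = toks[i]
        if tok.startswith("/"):
            nxt = toks[i + 1] if i + 1 < len(toks) else None
            if nxt is not None and not nxt.startswith("/") and nxt != "&":
                args[tok.lower()] = _unquote(nxt)     # switch with a value
                i += 2
                continue
            args[tok.lower()] = True                  # bare switch such as /f or /create
        i += 1
    return args


def assess(cmdline: str):
    """Score a schtasks /create command line; None when it is not a task creation."""
    args = parse_schtasks(cmdline)
    if not args or "/create" not in args:
        return None
    task = str(args.get("/tn", "")).lower()
    action = str(args.get("/tr", ""))
    action_lower = action.lower()
    findings = []
    if str(args.get("/sc", "")).lower() in ("onlogon", "onstart") and str(args.get("/rl", "")).lower() == "highest":
        findings.append("runs at logon/boot with highest privileges")
    if task in SYSTEM_BINARIES:
        findings.append(f"task name mimics a system process: {task}")
    if PureWindowsPath(action).stem.lower() in SYSTEM_BINARIES and not action_lower.startswith(TRUSTED_ROOTS):
        findings.append(f"system binary name outside the Windows directory: {action}")
    if any(marker in action_lower for marker in USER_WRITABLE):
        findings.append("action lives in a user-writable location")
    if args.get("/f") is True:
        findings.append("/f overwrites any existing task of that name without prompting")
    return {"task": args.get("/tn"), "action": action, "findings": findings}


if __name__ == "__main__":
    for line in (SAMPLE_CMD_WRAPPED, SAMPLE_CMD_DIRECT, BENIGN_CMD):
        print(assess(line))
```

The same logic applies to Sysmon Event ID 1 or Windows Security 4688 command lines, and to Task Scheduler event 4698 (task created), which carries the task XML with the same trigger, run level and action fields. Note that the sample ran with administrator privileges (every process above reports "Has administrator privileges: true"); without that, /rl highest would be downgraded and the task would still run, so the trigger and the action path are the robust signals, not the run level alone.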

                          No disassembly