Windows Analysis Report
ClientAny.exe

Overview

General Information

Sample name: ClientAny.exe
Analysis ID: 1463773
MD5: 51a43245ecf3a5f9871d4e2003a36032
SHA1: 14f0576f0639189c6252467aba08eb8d8e557578
SHA256: f5958eae1d68011fc17a9fbb2f22c18221c36db1984de47a294e274eb4b62f32
Tags: exe, VenomRAT

Detection

AsyncRAT, VenomRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Schedule system process
Snort IDS alert for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected AsyncRAT
Yara detected VenomRAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspect Svchost Activity
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • ClientAny.exe (PID: 4472 cmdline: "C:\Users\user\Desktop\ClientAny.exe" MD5: 51A43245ECF3A5F9871D4E2003A36032)
    • cmd.exe (PID: 7352 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7360 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 7428 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' MD5: 76CD6626DD8834BD4A42E6A565104DC2)
    • cmd.exe (PID: 7368 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp73F0.tmp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
      • conhost.exe (PID: 7396 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • timeout.exe (PID: 7484 cmdline: timeout 3 MD5: 100065E21CFBBDE57CBA2838921F84D6)
      • svchost.exe (PID: 7700 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: 51A43245ECF3A5F9871D4E2003A36032)
  • svchost.exe (PID: 7668 cmdline: C:\Users\user\AppData\Roaming\svchost.exe MD5: 51A43245ECF3A5F9871D4E2003A36032)
Name: AsyncRAT
Description: AsyncRAT is a Remote Access Tool (RAT) designed to remotely monitor and control other computers through an encrypted connection. It is an open-source remote administration tool, but it is readily used maliciously because it provides a keylogger, remote desktop control and many other functions that can harm the victim's computer. AsyncRAT is delivered via spear-phishing, malvertising, exploit kits and other techniques.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
{"Server": "127.0.0.1,2.58.84.229", "Ports": "80", "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "svchost.exe", "AES_key": "yg9f3lyhEAeT6HHTKPiUHzE9NyFcwmmu", "Mutex": "svchost.exe", "Certificate": "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", "ServerSignature": "YlwlxjhRPbXyqo0d1sYtG13wba4bYu8K3o+hVDw20oOMXpYQuodPGEU92D9r0cKpdokxYBQoiLXGoNjE0PlJOYsdLexptCqgmdNsZn332c9RQUtgvsB5ihLV4t73RAtVCyNnBjlcSlia4Dy1A2vMBYpdNbiKtVFo+aLMzLtBBOk=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "svchost.exe", "AntiProcess": "false", "AntiVM": "false"}
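The configuration above is what an analyst actually works from: the Server field is a comma-separated list that includes a 127.0.0.1 placeholder next to the real C2, Ports is likewise a list, the install folder is an environment placeholder, and the install file borrows a Windows system process name. The following Python is an added example written for this page (not sandbox or VenomRAT code) that normalizes such a configuration into checked indicators. The %AppData% expansion, the system-name list and the rule that the scheduled task is named after the install file (as seen in this report's process tree) are assumptions marked in the code; Certificate and ServerSignature are omitted from the constructed input.

```python
"""Normalize an extracted VenomRAT/AsyncRAT configuration into checked IOCs."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed input: the configuration fields the sandbox extracted from ClientAny.exe
# (values copied from this report; Certificate and ServerSignature left out).
EXTRACTED_CONFIG: Dict[str, str] = {
    "Server": "127.0.0.1,2.58.84.229",
    "Ports": "80",
    "Version": "Venom RAT + HVNC + Stealer + Grabber  v6.0.3",
    "Autorun": "true",
    "Install_Folder": "%AppData%",
    "Install_File": "svchost.exe",
    "Mutex": "svchost.exe",
    "BDOS": "true",
    "Startup_Delay": "1",
    "Group": "svchost.exe",
    "AntiProcess": "false",
    "AntiVM": "false",
}

# Windows binaries whose names are commonly borrowed for a dropped payload (constructed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe",
                        "explorer.exe", "dllhost.exe", "conhost.exe", "rundll32.exe"}

# Assumed expansions for install-folder placeholders; the real path depends on the victim profile.
ENV_EXPANSIONS = {
    "%appdata%": "C:\\Users\\<user>\\AppData\\Roaming",
    "%localappdata%": "C:\\Users\\<user>\\AppData\\Local",
    "%temp%": "C:\\Users\\<user>\\AppData\\Local\\Temp",
    "%programdata%": "C:\\ProgramData",
}

# Ranges that cannot be an external C2; entries in them are placeholders or lab hosts.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "0.0.0.0/8")]


def split_list(field: str) -> List[str]:
    """Server and Ports are comma-separated; drop empty items and surrounding whitespace."""
    return [item.strip() for item in field.split(",") if item.strip()]


def classify_server(entry: str) -> str:
    """Return 'ip' (routable address), 'hostname', or 'placeholder' (loopback/RFC1918/unspecified)."""
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return "hostname"
    if any(addr in net for net in NON_ROUTABLE):
        return "placeholder"
    return "ip"


def c2_endpoints(config: Dict[str, str]) -> Tuple[List[Tuple[str, int]], List[str]]:
    """Cross every routable server with every valid port; return (endpoints, placeholders)."""
    ports = [int(p) for p in split_list(config.get("Ports", ""))
             if p.isdigit() and 0 < int(p) < 65536]
    endpoints, placeholders = [], []
    for server in split_list(config.get("Server", "")):
        if classify_server(server) == "placeholder":
            placeholders.append(server)
        else:
            endpoints.extend((server, port) for port in ports)
    return endpoints, placeholders


def expand_env(path: str) -> str:
    """Expand a leading %VAR% token with the assumed table; unknown tokens are left as-is."""
    lowered = path.lower()
    for token, value in ENV_EXPANSIONS.items():
        if lowered.startswith(token):
            return value + path[len(token):]
    return path


def build_iocs(config: Dict[str, str]) -> Dict[str, object]:
    endpoints, placeholders = c2_endpoints(config)
    install_file = config.get("Install_File", "")
    folder = expand_env(config.get("Install_Folder", "")).rstrip("\\")
    install_path = f"{folder}\\{install_file}" if folder and install_file else install_file
    # In this report the scheduled task is named after the install file without its extension
    # ("svchost" for svchost.exe); assumed to hold for other builds with Autorun enabled.
    task_name: Optional[str] = None
    if config.get("Autorun", "").lower() == "true" and install_file:
        task_name = install_file.rsplit(".", 1)[0]
    return {
        "c2": endpoints,
        "placeholder_servers": placeholders,
        "install_path": install_path,
        "masquerades_as_system_binary": install_file.lower() in SYSTEM_PROCESS_NAMES,
        "mutex": config.get("Mutex", ""),
        "scheduled_task": task_name,
        "sets_critical_process": config.get("BDOS", "").lower() == "true",  # BreakOnTermination
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

Hostnames in the Server field are kept as endpoints without resolution, so the output can be fed to DNS and network hunting separately; loopback and RFC1918 entries are reported but not treated as indicators, since builders routinely leave 127.0.0.1 in the list.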
Source: ClientAny.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: ClientAny.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen | Strings:
  • 0xf8a4:$q1: Select * from Win32_CacheMemory
  • 0xf8e4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf932:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf980:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: C:\Users\user\AppData\Roaming\svchost.exe | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen | Strings:
  • 0xf8a4:$q1: Select * from Win32_CacheMemory
  • 0xf8e4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf932:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf980:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}
Source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: Process Memory Space: ClientAny.exe PID: 4472 | Rule: JoeSecurity_VenomRAT | Description: Yara detected VenomRAT | Author: Joe Security
Source: 0.0.ClientAny.exe.da0000.0.unpack | Rule: JoeSecurity_AsyncRAT | Description: Yara detected AsyncRAT | Author: Joe Security
Source: 0.0.ClientAny.exe.da0000.0.unpack | Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice | Description: Detects executables attempting to enumerate video devices using WMI | Author: ditekSHen | Strings:
  • 0xf8a4:$q1: Select * from Win32_CacheMemory
  • 0xf8e4:$d1: {860BB310-5D01-11d0-BD3B-00A0C911CE86}
  • 0xf932:$d2: {62BE5D10-60EB-11d0-BD3B-00A0C911CE86}
  • 0xf980:$d3: {55272A00-42CB-11CE-8135-00AA004BB851}

              System Summary

Source: File created | Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Users\user\Desktop\ClientAny.exe, ProcessId: 4472, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
Source: Process started | Author: Jonathan Cheong, oscd.community | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ClientAny.exe", ParentImage: C:\Users\user\Desktop\ClientAny.exe, ParentProcessId: 4472, ParentProcessName: ClientAny.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7352, ProcessName: cmd.exe
Source: Process started | Author: Jonathan Cheong, oscd.community (same event, matched by a second rule from the same author) | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ClientAny.exe", ParentImage: C:\Users\user\Desktop\ClientAny.exe, ParentProcessId: 4472, ParentProcessName: ClientAny.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7352, ProcessName: cmd.exe
Source: Process started | Author: David Burkett, @signalblur | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7668, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7668, ProcessName: svchost.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , CommandLine|base64offset|contains: mj,, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7352, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' , ProcessId: 7428, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp73F0.tmp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7368, ParentProcessName: cmd.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 7700, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine: C:\Users\user\AppData\Roaming\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 932, ProcessCommandLine: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 7668, ProcessName: svchost.exe
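The Sigma matches above reduce to three checks on process-creation telemetry: a schtasks /create whose /tr target lives in a user-writable folder, a binary carrying a system process name that runs outside the Windows system directories, and svchost.exe started by something other than services.exe. The Python below is an added example written for this page, not the Sigma rules' own logic, and it runs those checks over constructed Sysmon-style Event ID 1 records: three copied from this report's process tree plus two benign look-alikes (a real svchost.exe under services.exe and an administrator's backup task) that must stay quiet. The directory allowlists and the permitted svchost parents are assumptions and should be tuned per environment.

```python
"""Process-creation checks for the three persistence patterns seen in this report."""
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

Event = Dict[str, str]

INSTALL_PATH = "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                '/tr \'"' + INSTALL_PATH + '"\'')

# Constructed Sysmon-style (Event ID 1) records. The first three mirror this report's
# process tree; the last two are benign look-alikes that must not fire.
EVENTS: List[Event] = [
    {"Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS_CMD + " & exit",
     "ParentImage": "C:\\Users\\user\\Desktop\\ClientAny.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": SCHTASKS_CMD,
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": INSTALL_PATH,
     "CommandLine": '"' + INSTALL_PATH + '"',
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /tn "Nightly Backup" /tr "C:\\Program Files\\Backup\\backup.exe" /sc daily /st 02:00',
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

# Where a binary with a system process name is expected to live (constructed allowlist).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")
SYSTEM_BINARIES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "services.exe",
                   "smss.exe", "wininit.exe", "dllhost.exe", "conhost.exe"}
# Path fragments a scheduled task should not normally run from (constructed list).
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\",
                 "%appdata%", "%localappdata%", "%temp%", "%public%")
# Parents that legitimately launch svchost.exe (assumed allowlist; extend per environment).
SVCHOST_PARENTS = {"services.exe", "msmpeng.exe"}


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def task_run_path(cmdline: str) -> Optional[str]:
    """Extract the /tr target; handles the nested '"path"' quoting schtasks accepts."""
    match = re.search(r"(?i)/tr\s+[\"']+(.+?)[\"']+(?:\s|$)", cmdline)
    if match:
        return match.group(1)
    match = re.search(r"(?i)/tr\s+(\S+)", cmdline)
    return match.group(1) if match else None


def system_binary_outside_system_dir(ev: Event) -> bool:
    image = ev["Image"].lower()
    return basename(image) in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS)


def schtasks_from_user_writable(ev: Event) -> bool:
    if basename(ev["Image"]) != "schtasks.exe" or not re.search(r"(?i)/create\b", ev["CommandLine"]):
        return False
    target = task_run_path(ev["CommandLine"])
    return target is not None and any(frag in target.lower() for frag in USER_WRITABLE)


def uncommon_svchost_parent(ev: Event) -> bool:
    return basename(ev["Image"]) == "svchost.exe" and basename(ev["ParentImage"]) not in SVCHOST_PARENTS


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("schtasks_from_user_writable", schtasks_from_user_writable),
    ("system_binary_outside_system_dir", system_binary_outside_system_dir),
    ("uncommon_svchost_parent", uncommon_svchost_parent),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for index, name in evaluate(EVENTS):
        print(f"event {index}: {name} -> {EVENTS[index]['CommandLine']}")
```

The schtasks check deliberately looks at the schtasks.exe event rather than the cmd.exe wrapper, so it also catches the task being created directly; pairing it with /rl highest and /sc onlogon in the same command line is a useful severity bump, since that combination is persistence with the highest available integrity level at every logon.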

              Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ClientAny.exe", ParentImage: C:\Users\user\Desktop\ClientAny.exe, ParentProcessId: 4472, ParentProcessName: ClientAny.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit, ProcessId: 7352, ProcessName: cmd.exe
Snort alert:
Timestamp: 06/27/24-19:40:09.697042
SID: 2052265
Source Port: 80
Destination Port: 49701
Protocol: TCP
Classtype: A Network Trojan was detected

              AV Detection

Source: ClientAny.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1307453
Source: ClientAny.exe | Malware Configuration Extractor: VenomRAT {"Server": "127.0.0.1,2.58.84.229", "Ports": "80", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "svchost.exe", "AES_key": "yg9f3lyhEAeT6HHTKPiUHzE9NyFcwmmu", "Mutex": "svchost.exe", "Certificate": "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", "ServerSignature": "YlwlxjhRPbXyqo0d1sYtG13wba4bYu8K3o+hVDw20oOMXpYQuodPGEU92D9r0cKpdokxYBQoiLXGoNjE0PlJOYsdLexptCqgmdNsZn332c9RQUtgvsB5ihLV4t73RAtVCyNnBjlcSlia4Dy1A2vMBYpdNbiKtVFo+aLMzLtBBOk=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "svchost.exe", "AntiProcess": "false", "AntiVM": "false"}
Source: ClientAny.exe | Malware Configuration Extractor: AsyncRAT {"Server": "127.0.0.1,2.58.84.229", "Ports": "80", "Version": "Venom RAT + HVNC + Stealer + Grabber v6.0.3", "Autorun": "true", "Install_Folder": "%AppData%", "Install_File": "svchost.exe", "AES_key": "yg9f3lyhEAeT6HHTKPiUHzE9NyFcwmmu", "Mutex": "svchost.exe", "Certificate": "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", "ServerSignature": "YlwlxjhRPbXyqo0d1sYtG13wba4bYu8K3o+hVDw20oOMXpYQuodPGEU92D9r0cKpdokxYBQoiLXGoNjE0PlJOYsdLexptCqgmdNsZn332c9RQUtgvsB5ihLV4t73RAtVCyNnBjlcSlia4Dy1A2vMBYpdNbiKtVFo+aLMzLtBBOk=", "External_config_on_Pastebin": "null", "BDOS": "true", "Startup_Delay": "1", "Group": "svchost.exe", "AntiProcess": "false", "AntiVM": "false"}
Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 81%
Source: ClientAny.exe | ReversingLabs: Detection: 81%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected
Source: ClientAny.exe | Joe Sandbox ML: detected
Source: ClientAny.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Networking

Source: Traffic | Snort IDS: 2052265 ET TROJAN Observed Malicious SSL Cert (VenomRAT) 2.58.84.229:80 -> 192.168.2.7:49701 (the C2 speaks TLS on TCP port 80, not plain HTTP; the rule matched the server certificate, which is why the alert's source is the server side, 2.58.84.229:80, and the destination is the client's ephemeral port)
Source: C:\Users\user\AppData\Roaming\svchost.exe | Network Connect: 2.58.84.229 80
Source: Joe Sandbox View | ASN Name: HUGESERVER-NETWORKSUS
Source: unknown | TCP traffic detected without corresponding DNS query: 2.58.84.229 (50 identical entries, one per connection attempt; the address is hard-coded in the Server field of the configuration, so the client never resolves a name)
Source: svchost.exe, 00000011.00000002.3714141011.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: svchost.exe, 00000011.00000002.3714141011.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.17.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: svchost.exe, 00000011.00000002.3714141011.00000000012AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?cd20a0bcf4b3a
Source: ClientAny.exe, 00000000.00000002.1277906302.000000000351C000.00000004.00000800.00020000.00000000.sdmp, ClientAny.exe, 00000000.00000002.1277906302.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.00000000036ED000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
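The "TCP traffic detected without corresponding DNS query" signature is a correlation, not a string match: every outbound connection is checked against the DNS answers seen shortly before it, and external destinations that never appeared in an answer are flagged. The Python below is an added example written for this page (not sandbox code) that performs that correlation over constructed logs: the 2.58.84.229:80 connections mirror this report, starting at the Snort alert time; 203.0.113.10 is a documentation-range address standing in for a host that was resolved normally (the ctldl.windowsupdate.com lookup is constructed, the real address is not known from the page); and a 192.168.2.1:53 entry shows local traffic being ignored. The lookup window is an assumption.

```python
"""Flag TCP connections to external addresses that no DNS answer explained."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed logs (see lead-in). DNS_ANSWERS: (timestamp, query name, answer address).
DNS_ANSWERS: List[Tuple[str, str, str]] = [
    ("2024-06-27T19:39:55", "ctldl.windowsupdate.com", "203.0.113.10"),
]
# CONNECTIONS: (timestamp, source, source port, destination, destination port).
CONNECTIONS: List[Tuple[str, str, int, str, int]] = [
    ("2024-06-27T19:39:40", "192.168.2.7", 53123, "192.168.2.1", 53),
    ("2024-06-27T19:39:56", "192.168.2.7", 49690, "203.0.113.10", 80),
    ("2024-06-27T19:40:09", "192.168.2.7", 49701, "2.58.84.229", 80),
    ("2024-06-27T19:40:41", "192.168.2.7", 49702, "2.58.84.229", 80),
    ("2024-06-27T19:41:13", "192.168.2.7", 49703, "2.58.84.229", 80),
]

# Ranges reachable without a lookup. Checked explicitly rather than through
# ip_address.is_private so that the 203.0.113.0/24 documentation range counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "224.0.0.0/4")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def index_answers(dns_answers: List[Tuple[str, str, str]]) -> Dict[str, List[Tuple[datetime, str]]]:
    """Map answer address -> time-sorted (time, name) pairs, so lookups can be checked by time."""
    index: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, name, answer in dns_answers:
        index[answer].append((datetime.fromisoformat(ts), name))
    for entries in index.values():
        entries.sort()
    return index


def resolved_before(index, ip: str, when: datetime, window: timedelta) -> Optional[str]:
    """Return the name that resolved to ip within `window` before `when`, if any."""
    for ts, name in index.get(ip, []):
        if ts <= when <= ts + window:
            return name
    return None


def connections_without_dns(dns_answers, connections, window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Aggregate external destinations reached with no preceding DNS answer (assumed 10-minute window)."""
    index = index_answers(dns_answers)
    findings: Dict[str, dict] = {}
    for ts, _src, _sport, dst, dport in connections:
        if is_local(dst):
            continue
        when = datetime.fromisoformat(ts)
        if resolved_before(index, dst, when, window):
            continue
        entry = findings.setdefault(dst, {"count": 0, "ports": set(), "first_seen": when})
        entry["count"] += 1
        entry["ports"].add(dport)
    return findings


if __name__ == "__main__":
    for dst, info in connections_without_dns(DNS_ANSWERS, CONNECTIONS).items():
        print(f"{dst}: {info['count']} connections to ports {sorted(info['ports'])}, first {info['first_seen']}")
```

Two false-positive sources deserve handling before this goes into production: destinations resolved before the capture began (the stub resolver cache) look hard-coded, and DNS-over-HTTPS clients never show a classic answer at all. Feeding the function a seeded answer list from the host's cache, or pairing it with an allowlist of CDN and update ranges, keeps the signal on cases like this one, where a single external address is hit repeatedly on one port with no name ever involved.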

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: ClientAny.exe, type: SAMPLE
Source: Yara match | File source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Source: Yara match | File source: Process Memory Space: ClientAny.exe PID: 4472, type: MEMORYSTR
Source: ClientAny.exe, Keylogger.cs | .Net Code: KeyboardLayout
Source: svchost.exe.0.dr, Keylogger.cs | .Net Code: KeyboardLayout

              Operating System Destruction

Source: C:\Users\user\Desktop\ClientAny.exe | Process information set: 01 00 00 00
Source: C:\Users\user\Desktop\ClientAny.exe | Process information set: 00 00 00 00
Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: 01 00 00 00
The value 01 00 00 00 is the ProcessBreakOnTermination flag, the BreakOnTermination protection listed in the signatures and the "BDOS": "true" setting in the configuration. A process carrying it is treated as critical, so terminating it bugchecks the machine (CRITICAL_PROCESS_DIED); setting it requires SeDebugPrivilege, which is why the sample enables debug privileges first. The later 00 00 00 00 write by the original ClientAny.exe is consistent with the dropper clearing the flag before it exits after installation, so that its own exit does not crash the host; the installed copy in %AppData% sets the flag and keeps it.

              System Summary

              barindex
              Source: ClientAny.exe, type: SAMPLEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects executables attemping to enumerate video devices using WMI Author: ditekSHen
              Source: C:\Users\user\Desktop\ClientAny.exeCode function: 0_2_00007FFAACCC3D5E NtProtectVirtualMemory,0_2_00007FFAACCC3D5E
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 16_2_00007FFAACCB3DBE NtProtectVirtualMemory,16_2_00007FFAACCB3DBE
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FFAACCB3DBE NtProtectVirtualMemory,17_2_00007FFAACCB3DBE
              Source: C:\Users\user\Desktop\ClientAny.exeCode function: 0_2_00007FFAACCC3D5E0_2_00007FFAACCC3D5E
              Source: C:\Users\user\Desktop\ClientAny.exeCode function: 0_2_00007FFAACCC0E700_2_00007FFAACCC0E70
              Source: C:\Users\user\Desktop\ClientAny.exeCode function: 0_2_00007FFAACCC0E5D0_2_00007FFAACCC0E5D
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 16_2_00007FFAACCB0EA016_2_00007FFAACCB0EA0
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 16_2_00007FFAACCB3DBE16_2_00007FFAACCB3DBE
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FFAACCB0EA017_2_00007FFAACCB0EA0
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FFAACCBA5CB17_2_00007FFAACCBA5CB
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FFAACCB3DBE17_2_00007FFAACCB3DBE
              Source: C:\Users\user\AppData\Roaming\svchost.exeCode function: 17_2_00007FFAACCBB77B17_2_00007FFAACCBB77B
              Source: ClientAny.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice author = ditekSHen, description = Detects executables attemping to enumerate video devices using WMI
              Source: ClientAny.exe, Settings.csBase64 encoded string: 'uYwNeW8wXo0068fax2NmgJ2KWaT+OEZkupZxzyabgyx1h7IJXLDnjOF0kM6f5ykoG/kOwf1P41tz5BOJkqNQ6w==', 'QQbqz1ki/DYovZU+kYoj1aA97KEC4Ow3J2/Ubiz/bZlrp/kOIoy9iV4tvaB9c1+juuaRuv7OcF6EDj7s8igEuFZuv1LfT3OAEizmUNwYiGs=', 'qu8wvowzeE52vrSGu6tIBUVMnsjljQ9rTZynsenF6zhIlTOSA811NKdcAKNF3u1bzupfL8HzD4recATOMB7CIsvE2jEa+hJoUxarw+YvwXBvRHF5YHimQNPyCcay3BZS', 'rzRLvBmE8F/AAyEOp25WT/aZAQHcKdGFLPJ04dvncH8CpIhACNPVyBFE0AoGucjMw3/jiFrR0A3v0VWvyzBa0g==', 'g1++9857ASUHVKfF4lqKew23rD/ZswlDobMwp5CENUNJrsU55Uy64fMUpm39OQtsX7Rhma8dpBChNVcGTQSfuw==', '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', 'NzDFLHUblBOkuHk6s+n4xEUh97GKBT1NIy4L9JzgWgOWusOaBeHJhBwPpX09OneYESrr8gdlYxRmN20Z59INQg==', 'orfGCl1kjdrtxWL7gSWRtyooRLLVYaQKy0n3FiEJv3knkzoAT1/pH/AUNlQ/urqj1NmzGcx6HVGd+LA2Bx841g==', 'VlQ9bsTFoFtAP7RN4MidKiAetheBhN196k7nKTGA/Osga7p/V9ijgzh92jseBl2fHBEqhlM9chbbM8FTUTTLWg=='
              Source: svchost.exe.0.dr, Settings.csBase64 encoded string: 'uYwNeW8wXo0068fax2NmgJ2KWaT+OEZkupZxzyabgyx1h7IJXLDnjOF0kM6f5ykoG/kOwf1P41tz5BOJkqNQ6w==', 'QQbqz1ki/DYovZU+kYoj1aA97KEC4Ow3J2/Ubiz/bZlrp/kOIoy9iV4tvaB9c1+juuaRuv7OcF6EDj7s8igEuFZuv1LfT3OAEizmUNwYiGs=', 'qu8wvowzeE52vrSGu6tIBUVMnsjljQ9rTZynsenF6zhIlTOSA811NKdcAKNF3u1bzupfL8HzD4recATOMB7CIsvE2jEa+hJoUxarw+YvwXBvRHF5YHimQNPyCcay3BZS', 'rzRLvBmE8F/AAyEOp25WT/aZAQHcKdGFLPJ04dvncH8CpIhACNPVyBFE0AoGucjMw3/jiFrR0A3v0VWvyzBa0g==', 'g1++9857ASUHVKfF4lqKew23rD/ZswlDobMwp5CENUNJrsU55Uy64fMUpm39OQtsX7Rhma8dpBChNVcGTQSfuw==', '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', 'NzDFLHUblBOkuHk6s+n4xEUh97GKBT1NIy4L9JzgWgOWusOaBeHJhBwPpX09OneYESrr8gdlYxRmN20Z59INQg==', 'orfGCl1kjdrtxWL7gSWRtyooRLLVYaQKy0n3FiEJv3knkzoAT1/pH/AUNlQ/urqj1NmzGcx6HVGd+LA2Bx841g==', 'VlQ9bsTFoFtAP7RN4MidKiAetheBhN196k7nKTGA/Osga7p/V9ijgzh92jseBl2fHBEqhlM9chbbM8FTUTTLWg=='
              Source: svchost.exe.0.dr, Methods.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: svchost.exe.0.dr, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: ClientAny.exe, Methods.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: ClientAny.exe, Methods.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/8@0/1
              Source: C:\Users\user\Desktop\ClientAny.exe | File created: C:\Users\user\AppData\Roaming\MyData
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: NULL
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\svchost.exe
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
              Source: C:\Users\user\Desktop\ClientAny.exe | File created: C:\Users\user\AppData\Local\Temp\tmp73F0.tmp
              Source: C:\Users\user\Desktop\ClientAny.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp73F0.tmp.bat""
              Source: ClientAny.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: ClientAny.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
              Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
              Source: C:\Users\user\Desktop\ClientAny.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\ClientAny.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: ClientAny.exe | ReversingLabs: Detection: 81%
              Source: C:\Users\user\Desktop\ClientAny.exe | File read: C:\Users\user\Desktop\ClientAny.exe
              Source: unknown | Process created: C:\Users\user\Desktop\ClientAny.exe "C:\Users\user\Desktop\ClientAny.exe"
              Source: C:\Users\user\Desktop\ClientAny.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\timeout.exe timeout 3
              Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost.exe C:\Users\user\AppData\Roaming\svchost.exe
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: version.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: slc.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\System32\cmd.exe | Section loaded: cmdext.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
              Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
              Source: C:\Windows\System32\timeout.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mscoree.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: apphelp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: kernel.appcore.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: version.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: uxtheme.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: windows.storage.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wldp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: profapi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptsp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rsaenh.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptbase.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sspicli.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: msasn1.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mswsock.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: secur32.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: schannel.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: mskeyprotect.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ntasn1.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ncrypt.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ncryptsslp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: gpapi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cryptnet.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: iphlpapi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winnsi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winhttp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ondemandconnroutehelper.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc6.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dhcpcsvc.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: webio.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: dnsapi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: rasadhlp.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: fwpuclnt.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: cabinet.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: wbemcomn.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: amsi.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: userenv.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: sxs.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: devenum.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: winmm.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: ntmarta.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: devobj.dll
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Section loaded: msdmo.dll
              Source: C:\Users\user\Desktop\ClientAny.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5E5F29CE-E0A8-49D3-AF32-7A7BDC173478}\InProcServer32
              Source: ClientAny.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: ClientAny.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: ClientAny.exe, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
              Source: svchost.exe.0.dr, ClientSocket.cs | .Net Code: Invoke System.AppDomain.Load(byte[])
              Source: C:\Users\user\Desktop\ClientAny.exe | Code function: 0_2_00007FFAACCC00BD pushad ; iretd 0_2_00007FFAACCC00C1
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 16_2_00007FFAACCB00BD pushad ; iretd 16_2_00007FFAACCB00C1
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Code function: 17_2_00007FFAACCB00BD pushad ; iretd 17_2_00007FFAACCB00C1

              Persistence and Installation Behavior

              Source: C:\Users\user\Desktop\ClientAny.exe | File created: C:\Users\user\AppData\Roaming\svchost.exe (dropped file)

              Boot Survival

              Source: Yara match | File source: ClientAny.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
              Source: Yara match | File source: Process Memory Space: ClientAny.exe PID: 4472, type: MEMORYSTR
              Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
              Source: C:\Users\user\Desktop\ClientAny.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: Yara match | File source: ClientAny.exe, type: SAMPLE
              Source: Yara match | File source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPE
              Source: Yara match | File source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match | File source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match | File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
              Source: Yara match | File source: Process Memory Space: ClientAny.exe PID: 4472, type: MEMORYSTR
              Source: C:\Users\user\AppData\Roaming\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_VideoController
              Source: ClientAny.exe, svchost.exe.0.dr | Binary or memory string: TASKMGR.EXE#PROCESSHACKER.EXE
              Source: C:\Users\user\Desktop\ClientAny.exe | Memory allocated: 13F0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\ClientAny.exe | Memory allocated: 1B0C0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 3100000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1B100000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1730000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Memory allocated: 1B2A0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\ClientAny.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\svchost.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeWindow / User API: threadDelayed 6132Jump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeWindow / User API: threadDelayed 3702Jump to behavior
              Source: C:\Users\user\Desktop\ClientAny.exe TID: 2412Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7688Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7844Thread sleep time: -30000s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7864Thread sleep time: -8301034833169293s >= -30000sJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
              Source: C:\Users\user\AppData\Roaming\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
              Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
              Source: C:\Users\user\Desktop\ClientAny.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\ClientAny.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: svchost.exe, 00000011.00000002.3721841793.000000001BE00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@~
              Source: svchost.exe, 00000011.00000002.3723487469.000000001D80A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3723582553.000000001D813000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: C:\Users\user\Desktop\ClientAny.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\ClientAny.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\ClientAny.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\AppData\Roaming\svchost.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\ClientAny.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Roaming\svchost.exe :: Network Connect: 2.58.84.229 80
              Source: ClientAny.exe, Keylogger.cs :: Reference to suspicious API methods: MapVirtualKey(vkCode, 0u)
              Source: ClientAny.exe, DInvokeCore.cs :: Reference to suspicious API methods: DynamicAPIInvoke("ntdll.dll", "NtProtectVirtualMemory", typeof(Delegates.NtProtectVirtualMemory), ref Parameters)
              Source: ClientAny.exe, AntiProcess.cs :: Reference to suspicious API methods: OpenProcess(1u, bInheritHandle: false, processId) (access mask 0x1 is PROCESS_TERMINATE, consistent with the analysis-tool and AV process names found in the binary)
              Source: C:\Users\user\Desktop\ClientAny.exe :: Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
              Source: C:\Users\user\Desktop\ClientAny.exe :: Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp73F0.tmp.bat""
              Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
              Source: C:\Windows\System32\cmd.exe :: Process created: C:\Windows\System32\timeout.exe timeout 3
              Source: C:\Windows\System32\cmd.exe :: Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
              Source: svchost.exe, 00000011.00000002.3715653540.000000000332E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.000000000335E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.0000000003312000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager
              Source: svchost.exe, 00000011.00000002.3715653540.000000000332E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.000000000335E000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.0000000003312000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Program Manager@
              Source: C:\Users\user\Desktop\ClientAny.exe :: Queries volume information: C:\Users\user\Desktop\ClientAny.exe VolumeInformation
              Source: C:\Windows\System32\cmd.exe :: Queries volume information: C:\ VolumeInformation
              Source: C:\Users\user\AppData\Roaming\svchost.exe :: Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation (2 occurrences)
              Source: C:\Users\user\Desktop\ClientAny.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
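The process-creation lines above (cmd.exe running schtasks with /tn "svchost" and /tr pointing into %APPDATA%, then cmd.exe starting that copy) are the behaviour behind the Sigma hits in the summary (Files With System Process Name In Unsuspected Locations, Suspect Svchost Activity, Schedule system process). The Python below is an added example of that detection logic; it is not code from the report, from Joe Sandbox or from the sample. It runs three rules over constructed Sysmon-style process-creation events built from the report's command lines. The field names (Image, ParentImage, CommandLine), the list of impersonated system binaries and the user-writable path markers are assumptions.

```python
"""Detection rules for the persistence and masquerading behaviour in the report.

Added example, not code from the Joe Sandbox report. Events are constructed to
mirror the report's "Process created" lines using Sysmon Event ID 1 style field
names (Image, ParentImage, CommandLine); those names are an assumption.
"""
import re
from typing import Dict, List

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Path markers for user-writable locations (assumption: tune per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Names an implant borrows to blend in; the report's sample uses svchost.exe.
SYSTEM_BINARIES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "winlogon.exe",
    "explorer.exe", "smss.exe", "wininit.exe", "dllhost.exe", "conhost.exe",
}
# The regexes tolerate the quoting seen in the report: /tn "svchost" and /tr '"C:\...\svchost.exe"'.
_TN = re.compile(r'''/tn\s+'?"?([^'"\s]+)''', re.IGNORECASE)
_TR = re.compile(r'''/tr\s+'?"?([^'"]+)''', re.IGNORECASE)
_SC = re.compile(r"/sc\s+(\w+)", re.IGNORECASE)
_RL = re.compile(r"/rl\s+(\w+)", re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    return path.lower().lstrip('"').startswith(SYSTEM_DIRS)


def in_user_writable_dir(path: str) -> bool:
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def parse_schtasks_create(cmdline: str) -> Dict[str, str]:
    """Extract /tn, /tr, /sc and /rl from a 'schtasks /create' command line.
    Returns an empty dict when the line does not create a task."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return {}
    fields: Dict[str, str] = {}
    for key, rx in (("tn", _TN), ("tr", _TR), ("sc", _SC), ("rl", _RL)):
        m = rx.search(cmdline)
        if m:
            fields[key] = m.group(1).strip()
    return fields


def rule_system_name_in_unexpected_location(ev: Dict[str, str]) -> bool:
    """A system binary name running from outside System32/SysWOW64."""
    return basename(ev["Image"]) in SYSTEM_BINARIES and not in_system_dir(ev["Image"])


def rule_suspect_svchost(ev: Dict[str, str]) -> bool:
    """svchost.exe whose parent is not services.exe, its only legitimate parent."""
    return basename(ev["Image"]) == "svchost.exe" and basename(ev["ParentImage"]) != "services.exe"


def rule_schtasks_persistence(ev: Dict[str, str]) -> bool:
    """Task creation whose action lives in a user-writable directory or whose
    task name impersonates a system binary (the report shows both at once)."""
    task = parse_schtasks_create(ev["CommandLine"])
    if not task:
        return False
    name_mimics_system = (task.get("tn", "").lower() + ".exe") in SYSTEM_BINARIES
    action = task.get("tr", "")
    return name_mimics_system or (bool(action) and in_user_writable_dir(action))


RULES = {
    "system_name_in_unexpected_location": rule_system_name_in_unexpected_location,
    "suspect_svchost": rule_suspect_svchost,
    "schtasks_persistence": rule_schtasks_persistence,
}


def evaluate(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every rule over every event; return only the events that alerted."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        matched = [name for name, rule in RULES.items() if rule(ev)]
        if matched:
            hits.append({"Image": ev["Image"], "rules": matched})
    return hits


# The schtasks command line exactly as it appears in the report.
SCHTASKS_CMD = ('schtasks /create /f /sc onlogon /rl highest /tn "svchost" '
                '/tr \'"C:\\Users\\user\\AppData\\Roaming\\svchost.exe"\'')

# Constructed events mirroring the report's process tree (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\user\\Desktop\\ClientAny.exe",
     "CommandLine": '"C:\\Windows\\System32\\cmd.exe" /c ' + SCHTASKS_CMD + " & exit"},
    {"Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": SCHTASKS_CMD},
    {"Image": "C:\\Users\\user\\AppData\\Roaming\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": '"C:\\Users\\user\\AppData\\Roaming\\svchost.exe"'},
    # Benign control: the real service host started by services.exe must not alert.
    {"Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe",
     "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit["Image"], "->", ", ".join(hit["rules"]))
```

Running the block prints the three alerting events; the genuine svchost.exe launched by services.exe stays silent. The schtasks rule fires twice here (once on the cmd.exe wrapper, once on schtasks.exe itself) because both command lines carry the /tn and /tr arguments; dedup on the task name if the double hit is unwanted.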

              Lowering of HIPS / PFW / Operating System Security Settings

              Source: Yara match :: File source: ClientAny.exe, type: SAMPLE
              Source: Yara match :: File source: 0.0.ClientAny.exe.da0000.0.unpack, type: UNPACKEDPE
              Source: Yara match :: File source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
              Source: Yara match :: File source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match :: File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
              Source: Yara match :: File source: Process Memory Space: ClientAny.exe PID: 4472, type: MEMORYSTR
              Source: ClientAny.exe, 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, ClientAny.exe, 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr :: Binary or memory string: MSASCui.exe
              Source: ClientAny.exe, 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, ClientAny.exe, 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr :: Binary or memory string: procexp.exe
              Source: ClientAny.exe, 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, ClientAny.exe, 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, svchost.exe.0.dr :: Binary or memory string: MsMpEng.exe
              Source: C:\Users\user\AppData\Roaming\svchost.exe :: WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
              MITRE ATT&CK Matrix (numbers are the signature-count badges as rendered in the report; techniques without a number are the placeholder cells of the full matrix and were not observed for this sample)
              Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
              Resource Development: 1 Scripting; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
              Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
              Execution: 131 Windows Management Instrumentation; 3 Scheduled Task/Job; 1 Native API; Cron; Launchd; Scheduled Task; Systemd Timers
              Persistence: 3 Scheduled Task/Job; 1 Scripting; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
              Privilege Escalation: 112 Process Injection; 3 Scheduled Task/Job; 1 DLL Side-Loading; Login Hook; Network Logon Script; RC Scripts; Startup Items
              Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 151 Virtualization/Sandbox Evasion; 112 Process Injection; 211 Obfuscated Files or Information; 1 Software Packing; 1 DLL Side-Loading
              Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
              Discovery: 1 Query Registry; 341 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 File and Directory Discovery; 24 System Information Discovery
              Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
              Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
              Command and Control: 1 Encrypted Channel; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
              Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
              Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
              Behavior Graph (ID: 1463773, sample: ClientAny.exe, start date: 27/06/2024, architecture: WINDOWS, score: 100)
              Start
                signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 16 other signatures
                +-- ClientAny.exe (started)
                |     dropped: C:\Users\user\AppData\Roaming\svchost.exe (PE32); C:\Users\user\AppData\...\ClientAny.exe.log (CSV)
                |     signatures: Protects its processes via BreakOnTermination flag; Drops PE files with benign system names
                |     +-- cmd.exe (started)
                |     |     +-- svchost.exe (started)
                |     |     |     network: 2.58.84.229:80 (local port 49701), HUGESERVER-NETWORKSUS, Lithuania
                |     |     |     signatures: System process connects to network (likely due to code injection or exploit); Protects its processes via BreakOnTermination flag
                |     |     +-- conhost.exe (started)
                |     |     +-- timeout.exe (started)
                |     +-- cmd.exe (started)
                |           signatures: Uses schtasks.exe or at.exe to add and modify task schedules
                |           +-- conhost.exe (started)
                |           +-- schtasks.exe (started)
                +-- svchost.exe (started)
                      signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Machine Learning detection for dropped file

                Antivirus and scanner results

                Submitted sample
                Source        | Detection | Scanner        | Label
                ClientAny.exe | 81%       | ReversingLabs  | ByteCode-MSIL.Backdoor.AsyncRAT
                ClientAny.exe | 100%      | Avira          | HEUR/AGEN.1307453
                ClientAny.exe | 100%      | Joe Sandbox ML |

                Dropped files
                Source                                    | Detection | Scanner        | Label
                C:\Users\user\AppData\Roaming\svchost.exe | 100%      | Avira          | HEUR/AGEN.1307453
                C:\Users\user\AppData\Roaming\svchost.exe | 100%      | Joe Sandbox ML |
                C:\Users\user\AppData\Roaming\svchost.exe | 81%       | ReversingLabs  | ByteCode-MSIL.Backdoor.AsyncRAT

                Unpacked PE files: No Antivirus matches
                Domains: No Antivirus matches

                URLs
                Source                                                     | Detection | Scanner        | Label
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0%        | URL Reputation | safe

                Contacted domains
                Name                        | IP           | Active | Malicious | Antivirus Detection | Reputation
                windowsupdatebg.s.llnwi.net | 87.248.205.0 | true   | false     |                     | unknown

                URLs found in memory
                Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: ClientAny.exe, 00000000.00000002.1277906302.000000000351C000.00000004.00000800.00020000.00000000.sdmp, ClientAny.exe, 00000000.00000002.1277906302.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.00000000032A1000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000011.00000002.3715653540.00000000036ED000.00000004.00000800.00020000.00000000.sdmp
                Malicious: false; Antivirus Detection: URL Reputation: safe; Reputation: unknown

                Contacted IPs
                IP          | Domain  | Country   | ASN   | ASN Name              | Malicious
                2.58.84.229 | unknown | Lithuania | 25780 | HUGESERVER-NETWORKSUS | true
                Joe Sandbox version:40.0.0 Tourmaline
                Analysis ID:1463773
                Start date and time:2024-06-27 19:39:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 7m 28s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:25
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:ClientAny.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@15/8@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 99%
                • Number of executed functions: 10
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Override analysis time to 240000 for current running targets taking high CPU consumption
                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, MoUsoCoreWorker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
                • Excluded IPs from analysis (whitelisted): 87.248.205.0
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ctldl.windowsupdate.com, time.windows.com, wu-b-net.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                • Not all processes were analyzed; the report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: ClientAny.exe
                Time     | Type            | Description
                13:40:11 | API Interceptor | 12004721x Sleep call for process: svchost.exe modified
                19:40:04 | Task Scheduler  | Run new task: svchost path: "C:\Users\user\AppData\Roaming\svchost.exe"
                Context: IPs
                No context

                Context: Domains
                Match: windowsupdatebg.s.llnwi.net
                Associated Sample Name / URL | Detection | Threat Name | Context
                InstallnSign3.3.6.zip | malicious | Unknown | 87.248.204.0
                http://blogairmasonwp.wpuserpowered.com | malicious | Unknown | 87.248.205.0
                https://pieuvowjuiywddjd.pages.dev#myemailis@nunja.biz | malicious | HTMLPhisher | 178.79.208.1
                CONFIRM BANK DETAILS.exe | malicious | AgentTesla | 87.248.202.1
                Our Order Inquiry N1120092018.exe | malicious | AsyncRAT, VenomRAT | 87.248.205.0
                https://liteblue-usps-gov.com/ | malicious | Unknown | 178.79.242.128
                http://www.services-nickel.yayra-food.com/ | malicious | Unknown | 87.248.204.0
                http://pub-5d5794a1344e4ef09c0d498cb30f8875.r2.dev/index.html | malicious | Unknown | 87.248.205.0
                https://worker2.kenneth-ho-yk.workers.dev/ | malicious | Unknown | 95.140.236.0
                https://a.poigmj555.space | malicious | Unknown | 178.79.238.0

                Context: ASNs
                Match: HUGESERVER-NETWORKSUS
                Associated Sample Name / URL | Detection | Threat Name | Context
                https://denizfirsatgsmtektikbuo.xyz/ | malicious | HTMLPhisher | 2.58.85.5
                x86.elf | malicious | Mirai, Moobot | 107.161.53.91
                lKXAJFq3ih.exe | malicious | AsyncRAT | 2.58.85.145
                peign94sXb.elf | malicious | Unknown | 171.22.79.111
                jSlv5GLHad.exe | malicious | LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc | 185.133.35.50
                hajime-like-20231028-0250.elf | malicious | Gafgyt, Mirai | 62.192.173.7
                HDyd3HGFG9.elf | malicious | Mirai | 62.192.173.7
                qBY3LYayGE.elf | malicious | Mirai | 62.192.173.7
                KZAfYAtFzk.elf | malicious | Mirai | 62.192.173.7
                ks1gsuIm6L.elf | malicious | Mirai | 62.192.173.7

                Context: JA3 Fingerprints
                No context

                Context: Dropped Files
                No context
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                Category:dropped
                Size (bytes):71954
                Entropy (8bit):7.996617769952133
                Encrypted:true
                SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                Malicious:false
                Reputation:moderate, very likely benign file
                Preview:MSCF ... authroot.stl ... (Microsoft Cabinet header followed by compressed data; the non-printable remainder of the preview is omitted)
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:data
                Category:dropped
                Size (bytes):290
                Entropy (8bit):2.9637323044861796
                Encrypted:false
                SSDEEP:6:kKYo9Usw9L+N+SkQlPlEGYRMY9z+4KlDA3RUe/:gzD9LNkPlE99SNxAhUe/
                MD5:E26CABAA17E3C38C6A721F78DB690108
                SHA1:ABF27FA5CDC678BF91A76E835B118BD999C8B482
                SHA-256:6D287158BAD2DDE991AB5C6E162C79B6F3D6DBA97DE03007E6162A0C7EC89E0D
                SHA-512:8077CD5AD7C63AE9A9D9E744D753D90BABAB9E4C2863D7BF83C72B943AD853C835CD852F3BD6B7FBF6BFA32A2C8DBE9B2C05A8A9B2DFB9A25900F12C4A4FE4CE
                Malicious:false
                Reputation:low
                Preview:p...... ...............(....................................................... ........G..@.......................h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...
                Process:C:\Users\user\Desktop\ClientAny.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1281
                Entropy (8bit):5.370111951859942
                Encrypted:false
                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                MD5:12C61586CD59AA6F2A21DF30501F71BD
                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                Malicious:true
                Reputation:moderate, very likely benign file
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:CSV text
                Category:dropped
                Size (bytes):1281
                Entropy (8bit):5.370111951859942
                Encrypted:false
                SSDEEP:24:ML9E4KQ71qE4GIs0E4KCKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNb:MxHKQ71qHGIs0HKCYHKGSI6oPtHTHhA2
                MD5:12C61586CD59AA6F2A21DF30501F71BD
                SHA1:E6B279DC134544867C868E3FF3C267A06CE340C7
                SHA-256:EC20A856DBBCF320F7F24C823D6E9D2FD10E9335F5DE2F56AB9A7DF1ED358543
                SHA-512:B0731F59C74C9D25A4C82E166B3DC300BBCF89F6969918EC748B867C641ED0D8E0DE81AAC68209EF140219861B4939F1B07D0885ACA112D494D23AAF9A9C03FE
                Malicious:false
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Drawing\567ff6b0de7f9dcd8111001e94ab7cf6\System.Drawing.ni.dll",0..3,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Windows.Forms\2a7fffeef3976b2a6f273db66b1f0107\System.Windows.Forms.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\S
                Process:C:\Users\user\Desktop\ClientAny.exe
                File Type:DOS batch file, ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):159
                Entropy (8bit):5.097083958152738
                Encrypted:false
                SSDEEP:3:mKDDCMNqTtvL5o0nacwREaKC5ZACSmqRD0nacwRE2J5xAInTRI4WjhGZPy:hWKqTtT6cNwiaZ5Omq1cNwi23fTZWjhN
                MD5:49582B066916743A7BD8A3C5C7D9EB15
                SHA1:E49A39C93917CF702593475D8B1A3F23D412490B
                SHA-256:EEA4DC16D3CA701BBBB3E211401128D1BFFDBA95B8686F71DACDB761E19E172C
                SHA-512:CC83027406DD39CBAE97C3E68D3CC8018A6828E7B01A7EB8E0E5D3A2E2DE9DD815755B4D7783D66575A45E46247394893C7C231BE26BD9DA65842AA278DDED71
                Malicious:false
                Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\svchost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmp73F0.tmp.bat" /f /q..
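The batch above is the relaunch stub the dropper wrote: wait three seconds, start the copy in %APPDATA%\Roaming, change into %TEMP% and delete itself. As an added example that is not part of the report, the Python below classifies such a launcher from its text and the name it was dropped under. The report's batch is reproduced from the preview with the '..' rendered back to CRLF, the benign control batch is constructed, and the user-writable path markers are an assumption.

```python
"""Classifier for a delayed-launch-and-self-delete batch stub.

Added example, not code from the Joe Sandbox report. REPORT_BAT is the report's
dropped batch with CRLF restored; BENIGN_BAT is a constructed control.
"""
import re
from typing import Dict

# Path markers for user-writable locations (assumption: tune per environment).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
_TIMEOUT = re.compile(r"^\s*timeout\s+(\d+)", re.IGNORECASE | re.MULTILINE)
# START "" "<path>": the empty title argument is how cmd's START takes a quoted path.
_START = re.compile(r'^\s*start\s+""\s+"([^"]+)"', re.IGNORECASE | re.MULTILINE)
_DEL = re.compile(r'^\s*del\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)


def classify_launcher(bat_text: str, bat_name: str) -> Dict[str, object]:
    """Report what the stub launches, from where, whether it delays first and
    whether it removes its own file afterwards."""
    delay = _TIMEOUT.search(bat_text)
    start = _START.search(bat_text)
    deleted = [m.group(1).lower() for m in _DEL.finditer(bat_text)]
    target = start.group(1) if start else ""
    result: Dict[str, object] = {
        "delay_seconds": int(delay.group(1)) if delay else 0,
        "launches": target,
        "launch_from_user_writable": any(m in target.lower() for m in USER_WRITABLE),
        "self_deletes": bat_name.lower() in deleted,
    }
    # Both traits together are the dropper pattern; either alone is common in admin scripts.
    result["suspicious"] = bool(result["self_deletes"] and result["launch_from_user_writable"])
    return result


REPORT_BAT = "\r\n".join([
    "@echo off",
    "timeout 3 > NUL",
    'START "" "C:\\Users\\user\\AppData\\Roaming\\svchost.exe"',
    "CD C:\\Users\\user\\AppData\\Local\\Temp\\",
    'DEL "tmp73F0.tmp.bat" /f /q',
]) + "\r\n"

# Constructed control: launches an installed program and does not delete itself.
BENIGN_BAT = '@echo off\r\nSTART "" "C:\\Program Files\\Vendor\\updater.exe"\r\n'

if __name__ == "__main__":
    print(classify_launcher(REPORT_BAT, "tmp73F0.tmp.bat"))
    print(classify_launcher(BENIGN_BAT, "run.bat"))
```

The stub's file name matters: the rule only counts a DEL as self-deletion when the deleted name equals the name the batch was dropped under, which is also what ties the tmp73F0.tmp.bat in the report's process tree to this file.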
                Process:C:\Users\user\Desktop\ClientAny.exe
                File Type:ASCII text
                Category:dropped
                Size (bytes):8
                Entropy (8bit):2.75
                Encrypted:false
                SSDEEP:3:Rt:v
                MD5:CF759E4C5F14FE3EEC41B87ED756CEA8
                SHA1:C27C796BB3C2FAC929359563676F4BA1FFADA1F5
                SHA-256:C9F9F193409217F73CC976AD078C6F8BF65D3AABCF5FAD3E5A47536D47AA6761
                SHA-512:C7F832AEE13A5EB36D145F35D4464374A9E12FA2017F3C2257442D67483B35A55ECCAE7F7729243350125B37033E075EFBC2303839FD86B81B9B4DCA3626953B
                Malicious:false
                Preview:.5.False
                Process:C:\Users\user\Desktop\ClientAny.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):92160
                Entropy (8bit):6.374262639682198
                Encrypted:false
                SSDEEP:1536:uUaUcxoyR1CriPMVzrqVBYgImH1bz/psRo2Qzcxop3KBv3RiDKLVclN:uUDcxoyXkiPMVzrqVHH1bzRahQxUYKBY
                MD5:51A43245ECF3A5F9871D4E2003A36032
                SHA1:14F0576F0639189C6252467ABA08EB8D8E557578
                SHA-256:F5958EAE1D68011FC17A9FBB2F22C18221C36DB1984DE47A294E274EB4B62F32
                SHA-512:68EBFFA51C9ACA71CB4DE71D287A434DE15DD3F04FFDE513631DA3BB6F348614BF9E13B99612E90FF07B1D70F05E5732D76457195E8432B4420D08913614B0FE
                Malicious:true
                Yara Hits:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attempting to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: ReversingLabs, Detection: 81%
                Preview:MZ ... !This program cannot be run in DOS mode ... PE..L ... sections .text, .rsrc, .reloc (the remainder of the preview is binary and is omitted)
                Process:C:\Windows\System32\timeout.exe
                File Type:ASCII text, with CRLF line terminators, with overstriking
                Category:dropped
                Size (bytes):60
                Entropy (8bit):4.41440934524794
                Encrypted:false
                SSDEEP:3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
                MD5:3DD7DD37C304E70A7316FE43B69F421F
                SHA1:A3754CFC33E9CA729444A95E95BCB53384CB51E4
                SHA-256:4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
                SHA-512:713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
                Malicious:false
                Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):6.374262639682198
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name:ClientAny.exe
                File size:92'160 bytes
                MD5:51a43245ecf3a5f9871d4e2003a36032
                SHA1:14f0576f0639189c6252467aba08eb8d8e557578
                SHA256:f5958eae1d68011fc17a9fbb2f22c18221c36db1984de47a294e274eb4b62f32
                SHA512:68ebffa51c9aca71cb4de71d287a434de15dd3f04ffde513631da3bb6f348614bf9e13b99612e90ff07b1d70f05e5732d76457195e8432b4420d08913614b0fe
                SSDEEP:1536:uUaUcxoyR1CriPMVzrqVBYgImH1bz/psRo2Qzcxop3KBv3RiDKLVclN:uUDcxoyXkiPMVzrqVHH1bzRahQxUYKBY
                TLSH:5C938C0137D88D6AF26E47B9ADF156074EB4D5476012CE5E7CC800CD6A67BC68A037EE
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.....................P......n4... ...@....@.. ....................................@................................
                Icon Hash:d7fbf9b2b3ccccbb
                Entrypoint:0x41346e
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE
                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp:0x63E41DD4 [Wed Feb 8 22:10:28 2023 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al   (this instruction repeats for the next 97 two-byte words: the bytes following the CLR entry stub are zero padding, which the disassembler decodes as add byte ptr [eax], al)
                Name                                  Virtual Address  Virtual Size  Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IMPORT          0x13418          0x53          .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x14000          0x4d58        .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x1a000          0xc           .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                .text   0x2000           0x11474       0x11600   cc6b5e41bd78a639c7b95f82274c7e3f  False     0.4828153102517986  data       5.828490293829448    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc   0x14000          0x4d58        0x4e00    a261cd71600c6f61125660bb36b2a097  False     0.8700420673076923  data       7.720796135914121    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc  0x1a000          0xc           0x200     b5456319a3019d6d3680593bec713244  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name           RVA      Size    Type                                                                               Language  Country  ZLIB Complexity
                RT_ICON        0x14130  0x3ebb  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                                           0.9697988666791207
                RT_GROUP_ICON  0x17fec  0x14    data                                                                                                  0.95
                RT_VERSION     0x18000  0x2d4   data                                                                                                  0.4447513812154696
                RT_MANIFEST    0x182d4  0xa83   XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.40245261984392416
                DLL          Import
                mscoree.dll  _CorExeMain
                Timestamp                 Protocol  SID      Message                                           Source Port  Dest Port  Source IP    Dest IP
                06/27/24-19:40:09.697042  TCP       2052265  ET TROJAN Observed Malicious SSL Cert (VenomRAT)  80           49701      2.58.84.229  192.168.2.7
                Timestamp                             Source Port  Dest Port  Source IP    Dest IP
                Jun 27, 2024 19:40:09.072289944 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:09.077166080 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:09.077244043 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:09.120377064 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:09.125694036 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:09.697041988 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:09.721103907 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:09.727552891 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:09.902292013 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:09.957293034 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:13.996295929 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:14.002075911 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:14.002145052 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:14.008913994 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:25.927148104 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:25.932101965 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:25.932162046 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:25.937196016 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:26.228858948 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:26.269841909 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:26.353058100 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:26.368257999 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:26.373652935 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:26.373714924 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:26.378566027 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:37.864211082 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:37.869190931 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:37.869268894 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:37.874103069 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:38.176691055 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:38.223073006 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:38.308398008 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:38.309834003 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:38.314845085 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:38.314904928 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:38.319818020 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:49.801965952 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:49.806910992 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:49.807063103 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:49.811816931 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:50.119080067 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:50.160429001 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:50.438900948 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:50.440859079 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:50.445624113 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:40:50.445702076 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:40:50.450516939 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:01.739022017 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:01.743913889 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:01.744005919 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:01.748914957 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:02.038544893 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:02.082307100 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:02.165488005 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:02.166903019 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:02.171696901 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:02.171823025 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:02.176718950 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:13.676634073 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:13.681503057 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:13.681628942 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:13.686537981 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:13.993484974 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:14.035516024 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:14.122694969 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:14.124557972 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:14.129427910 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:14.129522085 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:14.135148048 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.020283937 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.025425911 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.025501013 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.030343056 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.301743031 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.306612968 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.306679964 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.311572075 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.330075026 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.379163027 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.463603973 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.466599941 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.518146992 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.518362999 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.523257971 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.551739931 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.597943068 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.688093901 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.690005064 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.738032103 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:20.738152027 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:20.743135929 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.285795927 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:30.290847063 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.290916920 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:30.295924902 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.616945982 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.676107883 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:30.746637106 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.866549015 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:30.871493101 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:30.871591091 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:30.876420021 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:32.583395958 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:32.589684963 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:32.589745045 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:32.596354961 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:32.881752014 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:33.009840965 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:33.009964943 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:33.011333942 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:33.016155005 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:33.016308069 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:33.021497011 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.363879919 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:42.369025946 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.369081974 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:42.373909950 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.673867941 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.733278990 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:42.807032108 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.808799982 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:42.813713074 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:42.813760996 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:42.818569899 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.304300070 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:54.309251070 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.315284014 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:54.320218086 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.606178999 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.660459042 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:54.738584995 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.740191936 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:54.745035887 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:41:54.745079994 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:41:54.749833107 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.239006042 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:06.244349003 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.247384071 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:06.252903938 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.782778978 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.784562111 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.784607887 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:06.786329031 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:06.791390896 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:06.791429996 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:06.796215057 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.100238085 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:14.343270063 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.344347954 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:14.349610090 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.648423910 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.752223969 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:14.791887999 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.793803930 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:14.798814058 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:14.798892021 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:14.803741932 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.317100048 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:19.322671890 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.322730064 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:19.327563047 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.614018917 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:19.850269079 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.850399017 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:19.851246119 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.856925964 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.857054949 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:19.857403040 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:19.862162113 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:20.148442984 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:20.192235947 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:20.275840998 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:20.277573109 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:20.282390118 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:20.284317970 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:20.289103031 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.192147017 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.197004080 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.197092056 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.201837063 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.301583052 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.306490898 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.306538105 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.311309099 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.379733086 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.384526014 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.384578943 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.389467955 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.501147032 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.584250927 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.631207943 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.636251926 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.641105890 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.644661903 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.650015116 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.719916105 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.724265099 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.729042053 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:23.732300997 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:23.737129927 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.160844088 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:26.166130066 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.166208029 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:26.171078920 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.459980011 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.582328081 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:26.590658903 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.592437029 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:26.597296000 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:26.597342968 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:26.602175951 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:36.676873922 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:36.681704998 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:36.681762934 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:36.687375069 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:36.975445032 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:37.109453917 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:37.109518051 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:37.111156940 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:37.115902901 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:37.115994930 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:37.120737076 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:42.708117008 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:42.712961912 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:42.713021040 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:42.717782021 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:43.006988049 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:43.055488110 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:43.240747929 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:43.242299080 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:43.247107983 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:43.247159004 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:43.251928091 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.317230940 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:49.322088957 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.322201014 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:49.326950073 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.629072905 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.762167931 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.762304068 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:49.763878107 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:49.769025087 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:42:49.769104004 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:42:49.773926020 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.255471945 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:01.260842085 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.261107922 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:01.266618013 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.571001053 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.691741943 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:01.702558041 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.704687119 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:01.709575891 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:01.709712982 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:01.714560986 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:09.801892042 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:09.806876898 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:09.806947947 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:09.811850071 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:10.161989927 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:10.264019966 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:10.264146090 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:10.265580893 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:10.271049023 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:10.271157026 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:10.276293993 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:18.583127022 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:18.588215113 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:18.588331938 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:18.595149040 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:18.892355919 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:18.988612890 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:19.027231932 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:19.028947115 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:19.033821106 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:19.033919096 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:19.038851023 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.380130053 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:21.385026932 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.385150909 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:21.390007973 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.688106060 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.742450953 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:21.824666023 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.826998949 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:21.831774950 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:21.831824064 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:21.836843014 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.317364931 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.323460102 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.323549986 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.328562975 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.632332087 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.676130056 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.762408972 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.764027119 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.768980980 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.769124031 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.773952961 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.910856009 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.915750980 CEST  80           49701      2.58.84.229  192.168.2.7
                Jun 27, 2024 19:43:33.915848970 CEST  49701        80         192.168.2.7  2.58.84.229
                Jun 27, 2024 19:43:33.920599937 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:34.198457003 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:34.238617897 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:34.334462881 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:34.336451054 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:34.341269970 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:34.341398954 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:34.346344948 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:37.567468882 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:37.572585106 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:37.572935104 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:37.577785969 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:37.997543097 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:37.999115944 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:37.999181986 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:38.021615982 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:38.026360035 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:38.026417971 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:38.031316042 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:39.614331007 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:39.619286060 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:39.619345903 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:39.624202013 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:39.928385973 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:39.973014116 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:40.226648092 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:40.228117943 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:40.233283997 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:40.233383894 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:40.238220930 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:45.944103956 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:45.949156046 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:45.949409962 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:45.954325914 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:46.259030104 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:46.388031960 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:46.388252020 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:46.392087936 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:46.396858931 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:46.400167942 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:46.404961109 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.164201975 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:56.169228077 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.169400930 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:56.174367905 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.464131117 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.598273993 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.601047993 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:56.601047993 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:56.605869055 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:43:56.612088919 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:43:56.616945028 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:07.900110006 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:44:07.905653000 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:07.905896902 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:44:07.911006927 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:08.210047960 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:08.254470110 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:44:08.346132994 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:08.347059011 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:44:08.351780891 CEST80497012.58.84.229192.168.2.7
                Jun 27, 2024 19:44:08.351850986 CEST4970180192.168.2.72.58.84.229
                Jun 27, 2024 19:44:08.356590033 CEST80497012.58.84.229192.168.2.7
                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Jun 27, 2024 19:40:10.087140083 CEST | 1.1.1.1 | 192.168.2.7 | 0x2e3 | No error (0) | windowsupdatebg.s.llnwi.net | | 87.248.205.0 | A (IP address) | IN (0x0001) | false
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.7 | 49701 | 2.58.84.229 | 80 | 7700 | C:\Users\user\AppData\Roaming\svchost.exe
                Timestamp | Bytes transferred | Direction | Data
                Jun 27, 2024 19:40:09.120377064 CEST | 95 | OUT | Data Raw: 16 03 01 00 5a 01 00 00 56 03 01 66 7d a3 f8 be 62 af 1b 0b dc 47 80 78 bd 14 64 c2 ba 59 c9 b1 bb 24 5c 96 b9 45 e4 2b 61 3a 23 00 00 0e c0 0a c0 09 c0 14 c0 13 00 35 00 2f 00 0a 01 00 00 1f 00 0a 00 08 00 06 00 1d 00 17 00 18 00 0b 00 02 01 00
                    Data Ascii: ZVf}bGxdY$\E+a:#5/#
                Jun 27, 2024 19:40:09.697041988 CEST | 912 | IN | Data Raw: 16 03 01 03 8b 02 00 00 51 03 01 66 7d a3 f9 e8 45 58 69 71 e2 4b 37 39 6b f1 c2 45 e5 28 d0 97 f9 a1 01 80 35 1a fb db d2 29 8a 20 a0 02 00 00 c5 a1 57 98 48 f8 39 49 b2 50 4f 96 f7 e4 0e c0 21 8b 62 b4 10 c6 3b fa 2d 33 22 35 c0 14 00 00 09 00
                    Data Ascii: Qf}EXiqK79kE(5) WH9IPO!b;-3"5C@=090QLq*S&`k0*H0j10UVenomRAT Server10Uqwqdanchun10UVenomRAT By qwqdanchun10U
                Jun 27, 2024 19:40:09.721103907 CEST | 166 | OUT | Data Raw: 16 03 01 00 66 10 00 00 62 61 04 da c3 7f cf a2 b9 bd 6c 02 03 36 2c e4 67 33 a7 71 30 39 6d 6a be fe bb 16 82 e0 90 ab 9d 9a 6e b7 73 12 61 e0 4d 41 aa 83 dd 25 ba 0b 4f d6 2a a8 5c 62 b4 71 0a 7f 88 2a cd 85 ce 11 71 56 b9 ce 66 e6 83 fa 56 8a
                    Data Ascii: fbal6,g3q09mjnsaMA%O*\bq*qVfV*{Mn0g|jnVrt9OZq=RL^%mes*=C
                Jun 27, 2024 19:40:09.902292013 CEST | 59 | IN | Data Raw: 14 03 01 00 01 01 16 03 01 00 30 1d 40 db 8e b1 ed 42 03 7d 3e 4f a8 58 3a a7 fb ba da d5 db 8c 61 c1 2c b4 62 5c ac 10 68 17 21 84 38 51 ce f8 d6 2f e0 3e a4 3b b1 44 c8 07 3f
                    Data Ascii: 0@B}>OX:a,b\h!8Q/>;D?
                Jun 27, 2024 19:40:13.996295929 CEST | 74 | OUT | Data Raw: 17 03 01 00 20 60 85 e6 5c 53 5e 4d 05 b4 86 4b 9c a6 83 50 06 93 3f 31 fd 6c 15 38 aa f3 a9 11 e1 90 b7 68 d3 17 03 01 00 20 4e 34 55 80 1d 11 f8 08 03 ce ca 30 74 15 08 f1 19 f4 fd 78 ad b1 e0 65 b6 4f fe 14 c3 3d c1 fc
                    Data Ascii: `\S^MKP?1l8h N4U0txeO=
                Jun 27, 2024 19:40:14.002145052 CEST | 698 | OUT | Data Raw: 17 03 01 00 20 ed aa ce 46 aa fc 09 11 86 1d fe d8 44 75 eb 15 1b 36 2e 9a 66 dd 1a 5b ae e2 97 73 e1 7c 9f 96 17 03 01 02 90 6b 05 2d 57 43 21 e1 ab cb 7b 1c 41 a8 1d ea 54 8e 81 d8 09 44 0f bf a4 6a 2d 02 1e d4 b2 55 34 ae dd b0 48 a8 1b 2a c4
                    Data Ascii: FDu6.f[s|k-WC!{ATDj-U4H*&udNAaHx;HU!J--!TlI?dfo#2|6`X66&2>z>nB2E-gaj76MFk@EB{(ctI76Xz@4uh%Prp C
                Jun 27, 2024 19:40:25.927148104 CEST | 74 | OUT | Data Raw: 17 03 01 00 20 2c 34 59 4a 1a 57 b7 a6 f8 22 15 fe d9 be c9 01 24 f1 4a dc b8 3d ca b3 28 ae c1 e6 00 17 5d 3d 17 03 01 00 20 6f 55 ae 38 f1 27 56 b6 63 15 fb 44 c1 a6 f2 05 0e 27 a3 35 5b 14 ca 16 a0 5c 52 6e 29 de a1 1c
                    Data Ascii: ,4YJW"$J=(]= oU8'VcD'5[\Rn)
                Jun 27, 2024 19:40:25.932162046 CEST | 138 | OUT | Data Raw: 17 03 01 00 20 cd f8 3d f9 9e cb ab c4 f6 e2 b5 09 4a 8d ec f0 f1 d1 f5 87 ab 10 15 54 41 12 71 2b 7b 1d e3 18 17 03 01 00 60 f8 05 42 60 7a 19 f3 c4 ed 5a 4f 5d 96 46 e3 0f dc 4c b1 d2 a3 31 ba 13 5e 31 06 19 db 1d b8 5f b5 22 cc ca db 14 ce a6
                    Data Ascii: =JTAq+{`B`zZO]FL1^1_"\Ak`IvrIOs8t{!^2dOc
                Jun 27, 2024 19:40:26.228858948 CEST | 74 | IN | Data Raw: 17 03 01 00 20 1f f1 f1 b5 1c e5 d6 78 13 87 d5 34 dc 59 13 32 4b 64 02 40 1d 2b aa a8 7a 97 f2 e5 75 05 f7 74 17 03 01 00 20 a3 8d eb 5e 60 12 36 bc fc ab 9d ba 34 db 44 76 7a f4 4b bc 87 94 b4 b4 f1 1d 1d 1c 0e 81 47 9d
                    Data Ascii: x4Y2Kd@+zut ^`64DvzKG
                Jun 27, 2024 19:40:26.353058100 CEST | 106 | IN | Data Raw: 17 03 01 00 20 2c e2 ff fd fd 55 08 6d 6c bf ec 0d f8 2e c9 64 25 0c 23 a1 f9 2a 28 e3 9c 5e cf 56 56 53 e9 55 17 03 01 00 40 7c 02 23 00 10 c1 12 c9 0b 15 33 49 a8 e7 1b 7e 07 1b b1 f5 cd 08 e9 4f bc 42 71 28 43 35 be 7f 73 b9 da 4e 0a 54 45 5c
                    Data Ascii: ,Uml.d%#*(^VVSU@|#3I~OBq(C5sNTE\&Elgg|u~



                Target ID:0
                Start time:13:39:58
                Start date:27/06/2024
                Path:C:\Users\user\Desktop\ClientAny.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\ClientAny.exe"
                Imagebase:0xda0000
                File size:92'160 bytes
                MD5 hash:51A43245ECF3A5F9871D4E2003A36032
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.1239383107.0000000000DA2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.1283717322.0000000013135000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true

                Target ID:8
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"' & exit
                Imagebase:0x7ff756450000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:9
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:10
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\cmd.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmp73F0.tmp.bat""
                Imagebase:0x7ff756450000
                File size:289'792 bytes
                MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:11
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\conhost.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Imagebase:0x7ff75da10000
                File size:862'208 bytes
                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:12
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\schtasks.exe
                Wow64 process (32bit):false
                Commandline:schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\user\AppData\Roaming\svchost.exe"'
                Imagebase:0x7ff68c8e0000
                File size:235'008 bytes
                MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high
                Has exited:true

                Target ID:13
                Start time:13:40:02
                Start date:27/06/2024
                Path:C:\Windows\System32\timeout.exe
                Wow64 process (32bit):false
                Commandline:timeout 3
                Imagebase:0x7ff68eb10000
                File size:32'768 bytes
                MD5 hash:100065E21CFBBDE57CBA2838921F84D6
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate
                Has exited:true

                Target ID:16
                Start time:13:40:04
                Start date:27/06/2024
                Path:C:\Users\user\AppData\Roaming\svchost.exe
                Wow64 process (32bit):false
                Commandline:C:\Users\user\AppData\Roaming\svchost.exe
                Imagebase:0xd30000
                File size:92'160 bytes
                MD5 hash:51A43245ECF3A5F9871D4E2003A36032
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Joe Security
                • Rule: INDICATOR_SUSPICIOUS_EXE_WMI_EnumerateVideoDevice, Description: Detects executables attemping to enumerate video devices using WMI, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 81%, ReversingLabs
                Reputation:low
                Has exited:true

                Target ID:17
                Start time:13:40:05
                Start date:27/06/2024
                Path:C:\Users\user\AppData\Roaming\svchost.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                Imagebase:0xe00000
                File size:92'160 bytes
                MD5 hash:51A43245ECF3A5F9871D4E2003A36032
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:low
                Has exited:false


                  Execution Graph

                  Execution Coverage:23.1%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:62.5%
                  Total number of Nodes:8
                  Total number of Limit Nodes:1
                  execution_graph
                  2324 7ffaaccc42a5
                  2325 7ffaaccc42cf RtlSetProcessIsCritical 2324->2325
                  2327 7ffaaccc4360 2325->2327
                  2328 7ffaaccc3d5e
                  2330 7ffaaccc3dbc 2328->2330
                  2329 7ffaaccc3efb 2330->2329
                  2331 7ffaaccc4084 NtProtectVirtualMemory 2330->2331
                  2332 7ffaaccc40c5 2331->2332

                  Control-flow Graph

                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296288983.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaaccc0000_ClientAny.jbxd
                  Similarity
                  • API ID:
                  • String ID: cT_H
                  • API String ID: 0-642156964
                  • Opcode ID: 459194e024d82ad503d891b7fd418769e1b34171b6a8c49b678905b7d4058bbe
                  • Instruction ID: 1b73d1f312837d505cac67ca860691f1bcc69a7ad592040a92f224501065759d
                  • Opcode Fuzzy Hash: 459194e024d82ad503d891b7fd418769e1b34171b6a8c49b678905b7d4058bbe
                  • Instruction Fuzzy Hash: 96C15B31D0CB494FE71DAB38D8566FA7BE1EF96310F0485BED48AC3193DD28A8068781

                  Control-flow Graph

                  control_flow_graph
                  152 7ffaaccc0e70
                  153 7ffaaccc0e75-7ffaaccc0e78 152->153
                  154 7ffaaccc0e7a-7ffaaccc0f29 153->154
                  155 7ffaaccc0e2e 153->155
                  168 7ffaaccc0f2b-7ffaaccc0f3c 154->168 155->152
                  170 7ffaaccc0f3e-7ffaaccc0f7c 168->170
                  175 7ffaaccc0fb0-7ffaaccc0fb4 170->175
                  176 7ffaaccc0f7e-7ffaaccc0f8d 170->176
                  178 7ffaaccc0fbc-7ffaaccc0fd9 call 7ffaaccc0638 175->178
                  177 7ffaaccc0f8f-7ffaaccc0fa1 176->177
                  179 7ffaaccc0fab-7ffaaccc0faf 177->179
                  184 7ffaaccc0fe2-7ffaaccc0ff5 178->184 179->175
                  187 7ffaaccc1000-7ffaaccc100a 184->187
                  188 7ffaaccc1014-7ffaaccc1016 187->188
                  189 7ffaaccc104b-7ffaaccc1056 188->189
                  190 7ffaaccc1058-7ffaaccc105a 189->190
                  191 7ffaaccc105c-7ffaaccc1083 189->191
                  192 7ffaaccc1085-7ffaaccc1087 190->192 191->192
                  193 7ffaaccc1089 call 7ffaaccc0698 192->193
                  194 7ffaaccc1018 192->194
                  198 7ffaaccc108e-7ffaaccc1090 193->198
                  197 7ffaaccc1022-7ffaaccc1038 194->197
                  205 7ffaaccc1049 197->205
                  206 7ffaaccc103a-7ffaaccc1044 call 7ffaaccc0198 197->206
                  200 7ffaaccc1092 198->200
                  201 7ffaaccc1099 call 7ffaaccc06b8 198->201 200->201
                  207 7ffaaccc109e-7ffaaccc10aa 201->207 205->189 206->205
                  210 7ffaaccc10ac-7ffaaccc10ae 207->210
                  211 7ffaaccc10b0-7ffaaccc10b6 207->211
                  212 7ffaaccc10b9-7ffaaccc10bb 210->212 211->212
                  213 7ffaaccc10c3 call 7ffaaccc0718 212->213
                  214 7ffaaccc10bd call 7ffaaccc0bf8 212->214
                  219 7ffaaccc10c8-7ffaaccc10d0 call 7ffaaccc0738 213->219
                  218 7ffaaccc10c2 214->218 218->213
                  222 7ffaaccc10d2-7ffaaccc10d9 219->222
                  223 7ffaaccc10da-7ffaaccc10e6 219->223 222->223
                  224 7ffaaccc10e8-7ffaaccc10ea 223->224
                  225 7ffaaccc10ec-7ffaaccc10f2 223->225
                  227 7ffaaccc10f5-7ffaaccc10f7 224->227 225->227
                  228 7ffaaccc10f9-7ffaaccc10fe call 7ffaaccc0b90 227->228
                  229 7ffaaccc10ff-7ffaaccc110b 227->229 228->229
                  232 7ffaaccc110d-7ffaaccc110f 229->232
                  233 7ffaaccc1111-7ffaaccc1117 229->233
                  235 7ffaaccc111a-7ffaaccc111c 232->235 233->235
                  237 7ffaaccc112d-7ffaaccc1139 235->237
                  238 7ffaaccc111e-7ffaaccc1125 call 7ffaaccc0770 235->238
                  239 7ffaaccc113b-7ffaaccc113d 237->239
                  240 7ffaaccc113f-7ffaaccc1145 237->240 238->237
                  247 7ffaaccc1127 call 7ffaaccc0800 238->247
                  242 7ffaaccc1148-7ffaaccc114a 239->242 240->242
                  245 7ffaaccc1152-7ffaaccc115f call 7ffaaccc07a0 call 7ffaaccc0770 242->245
                  246 7ffaaccc114c call 7ffaaccc07e0 242->246
                  256 7ffaaccc1167-7ffaaccc1172 245->256
                  257 7ffaaccc1161-7ffaaccc1166 call 7ffaaccc07b0 245->257
                  251 7ffaaccc1151 246->251
                  253 7ffaaccc112c 247->253 251->245 253->237
                  258 7ffaaccc1174 256->258
                  259 7ffaaccc11ba-7ffaaccc11c5 256->259 257->256
                  262 7ffaaccc1175-7ffaaccc1191 258->262 259->262
                  265 7ffaaccc11c7-7ffaaccc11f2 call 7ffaaccc0558 259->265
                  266 7ffaaccc11f3-7ffaaccc1220 262->266
                  267 7ffaaccc1193-7ffaaccc11b8 262->267 267->259
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296288983.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaaccc0000_ClientAny.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0D%$#CN_^
                  • API String ID: 0-3929108571
                  • Opcode ID: 90bd78a88daf161df9a2eaaf45da96f9795e6f0de767b42745682563ca05aa3d
                  • Instruction ID: 269158e293b17e3860761d1820811b66d5c61cffc669046489e1090084ca7d3a
                  • Opcode Fuzzy Hash: 90bd78a88daf161df9a2eaaf45da96f9795e6f0de767b42745682563ca05aa3d
                  • Instruction Fuzzy Hash: A1C1E4A2D0FA869FF757AFB984652B96A90EF52300F1484BAD44DC71C3DD18EC0983C1

                  Control-flow Graph

                  control_flow_graph
                  284 7ffaaccc0e5d-7ffaaccc0e78
                  287 7ffaaccc0e7a-7ffaaccc0f29 284->287
                  288 7ffaaccc0e2e-7ffaaccc0e78 284->288
                  303 7ffaaccc0f2b-7ffaaccc0f3c 287->303 288->287
                  305 7ffaaccc0f3e-7ffaaccc0f7c 303->305
                  310 7ffaaccc0fb0-7ffaaccc0fb4 305->310
                  311 7ffaaccc0f7e-7ffaaccc0f8d 305->311
                  313 7ffaaccc0fbc-7ffaaccc0fd9 call 7ffaaccc0638 310->313
                  312 7ffaaccc0f8f-7ffaaccc0fa1 311->312
                  314 7ffaaccc0fab-7ffaaccc0faf 312->314
                  319 7ffaaccc0fe2-7ffaaccc0ff5 313->319 314->310
                  322 7ffaaccc1000-7ffaaccc100a 319->322
                  323 7ffaaccc1014-7ffaaccc1016 322->323
                  324 7ffaaccc104b-7ffaaccc1056 323->324
                  325 7ffaaccc1058-7ffaaccc105a 324->325
                  326 7ffaaccc105c-7ffaaccc1083 324->326
                  327 7ffaaccc1085-7ffaaccc1087 325->327 326->327
                  328 7ffaaccc1089 call 7ffaaccc0698 327->328
                  329 7ffaaccc1018 327->329
                  333 7ffaaccc108e-7ffaaccc1090 328->333
                  332 7ffaaccc1022-7ffaaccc1038 329->332
                  340 7ffaaccc1049 332->340
                  341 7ffaaccc103a-7ffaaccc1044 call 7ffaaccc0198 332->341
                  335 7ffaaccc1092 333->335
                  336 7ffaaccc1099 call 7ffaaccc06b8 333->336 335->336
                  342 7ffaaccc109e-7ffaaccc10aa 336->342 340->324 341->340
                  345 7ffaaccc10ac-7ffaaccc10ae 342->345
                  346 7ffaaccc10b0-7ffaaccc10b6 342->346
                  347 7ffaaccc10b9-7ffaaccc10bb 345->347 346->347
                  348 7ffaaccc10c3 call 7ffaaccc0718 347->348
                  349 7ffaaccc10bd call 7ffaaccc0bf8 347->349
                  354 7ffaaccc10c8-7ffaaccc10d0 call 7ffaaccc0738 348->354
                  353 7ffaaccc10c2 349->353 353->348
                  357 7ffaaccc10d2-7ffaaccc10d9 354->357
                  358 7ffaaccc10da-7ffaaccc10e6 354->358 357->358
                  359 7ffaaccc10e8-7ffaaccc10ea 358->359
                  360 7ffaaccc10ec-7ffaaccc10f2 358->360
                  362 7ffaaccc10f5-7ffaaccc10f7 359->362 360->362
                  363 7ffaaccc10f9-7ffaaccc10fe call 7ffaaccc0b90 362->363
                  364 7ffaaccc10ff-7ffaaccc110b 362->364 363->364
                  367 7ffaaccc110d-7ffaaccc110f 364->367
                  368 7ffaaccc1111-7ffaaccc1117 364->368
                  370 7ffaaccc111a-7ffaaccc111c 367->370 368->370
                  372 7ffaaccc112d-7ffaaccc1139 370->372
                  373 7ffaaccc111e-7ffaaccc1125 call 7ffaaccc0770 370->373
                  374 7ffaaccc113b-7ffaaccc113d 372->374
                  375 7ffaaccc113f-7ffaaccc1145 372->375 373->372
                  382 7ffaaccc1127 call 7ffaaccc0800 373->382
                  377 7ffaaccc1148-7ffaaccc114a 374->377 375->377
                  380 7ffaaccc1152-7ffaaccc115f call 7ffaaccc07a0 call 7ffaaccc0770 377->380
                  381 7ffaaccc114c call 7ffaaccc07e0 377->381
                  391 7ffaaccc1167-7ffaaccc1172 380->391
                  392 7ffaaccc1161-7ffaaccc1166 call 7ffaaccc07b0 380->392
                  386 7ffaaccc1151 381->386
                  388 7ffaaccc112c 382->388 386->380 388->372
                  393 7ffaaccc1174 391->393
                  394 7ffaaccc11ba-7ffaaccc11c5 391->394 392->391
                  397 7ffaaccc1175-7ffaaccc1191 393->397 394->397
                  400 7ffaaccc11c7-7ffaaccc11f2 call 7ffaaccc0558 394->400
                  401 7ffaaccc11f3-7ffaaccc1220 397->401
                  402 7ffaaccc1193-7ffaaccc11b8 397->402 402->394
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296288983.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaaccc0000_ClientAny.jbxd
                  Similarity
                  • API ID:
                  • String ID: 0D%
                  • API String ID: 0-2933537624
                  • Opcode ID: 76f47c8f5c91217b8db4a377829b6d2dc7f44f980dc362b4cf9e51e171b10c05
                  • Instruction ID: e9dc11b0cbdda13b822656bc0bdf05d20efd035c4168d85dcfd783ff4fc35063
                  • Opcode Fuzzy Hash: 76f47c8f5c91217b8db4a377829b6d2dc7f44f980dc362b4cf9e51e171b10c05
                  • Instruction Fuzzy Hash: D8A1A4A2D0FA829FF797AFA948652796E91EF53310F1884BAD44C871C7DD18EC0983C1

                  Control-flow Graph

                  control_flow_graph
                  277 7ffaaccc42a5-7ffaaccc435e RtlSetProcessIsCritical
                  281 7ffaaccc4366-7ffaaccc4388 277->281
                  282 7ffaaccc4360 277->282 282->281
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1296288983.00007FFAACCC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCC0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffaaccc0000_ClientAny.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: f5b7b2d08b66b6f4106afcf041e4c1a2c246ce28f467fde8d43d47e66f22bbc4
                  • Instruction ID: 519abc5c6a96f0b3392d9aef618078bcfec3a289531e32cdd84992629a70f8b3
                  • Opcode Fuzzy Hash: f5b7b2d08b66b6f4106afcf041e4c1a2c246ce28f467fde8d43d47e66f22bbc4
                  • Instruction Fuzzy Hash: F731F87184D7888FD719DBA8DC46AF97BF0EF56320F04416FE08AC3553CA686806CB91

                  Execution Graph

                  Execution Coverage:30.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:5
                  Total number of Limit Nodes:1
                  execution_graph
                  1509 7ffaaccb3dbe
                  1511 7ffaaccb3def 1509->1511
                  1510 7ffaaccb3f5b 1511->1510
                  1512 7ffaaccb40e4 NtProtectVirtualMemory 1511->1512
                  1513 7ffaaccb4125 1512->1513

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000010.00000002.1345168954.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_16_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID: cU_H
                  • API String ID: 2706961497-663020435
                  • Opcode ID: 1b607faa6fc594c49c7879920c8d07ffa8ed07001b89d6b799427f4fd4961e71
                  • Instruction ID: 7eca3ce4f457032990cca7402b6dcab94bef22cae695b34020c01e913f8eb0f6
                  • Opcode Fuzzy Hash: 1b607faa6fc594c49c7879920c8d07ffa8ed07001b89d6b799427f4fd4961e71
                  • Instruction Fuzzy Hash: 4CC14C7190CB494FE71DEB78C8555F97BE5EF96310F0485BEE48AC3193DD28A8068781

                  Execution Graph

                  Execution Coverage:21.7%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:0%
                  Total number of Nodes:19
                  Total number of Limit Nodes:1
                  execution_graph
                  6793 7ffaaccb4305
                  6794 7ffaaccb432f RtlSetProcessIsCritical 6793->6794
                  6796 7ffaaccb43c0 6794->6796
                  6775 7ffaaccb5378
                  6776 7ffaaccb5381 SetWindowsHookExW 6775->6776
                  6778 7ffaaccb5451 6776->6778
                  6779 7ffaaccbc96d
                  6780 7ffaaccbc981 6779->6780
                  6785 7ffaaccb2988 6780->6785
                  6786 7ffaaccb2991 RtlSetProcessIsCritical 6785->6786
                  6788 7ffaaccb43c0 6786->6788
                  6789 7ffaaccb2998 6788->6789
                  6790 7ffaaccb29a1 RtlSetProcessIsCritical 6789->6790
                  6792 7ffaaccb43c0 6790->6792
                  6770 7ffaaccb3dbe
                  6772 7ffaaccb3def 6770->6772
                  6771 7ffaaccb3f5b 6772->6771
                  6773 7ffaaccb40e4 NtProtectVirtualMemory 6772->6773
                  6774 7ffaaccb4125 6773->6774

                  Control-flow Graph

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000011.00000002.3724953006.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: MemoryProtectVirtual
                  • String ID: cU_H
                  • API String ID: 2706961497-663020435
                  • Opcode ID: 01a7cce8a018bd5b4c69bebe9cd79b4f0cdf40db9385da83e763b17b965b4a95
                  • Instruction ID: 7eca3ce4f457032990cca7402b6dcab94bef22cae695b34020c01e913f8eb0f6
                  • Opcode Fuzzy Hash: 01a7cce8a018bd5b4c69bebe9cd79b4f0cdf40db9385da83e763b17b965b4a95
                  • Instruction Fuzzy Hash: 4CC14C7190CB494FE71DEB78C8555F97BE5EF96310F0485BEE48AC3193DD28A8068781

                  Control-flow Graph

                  control_flow_graph 479 7ffaaccb5378-7ffaaccb537f 480 7ffaaccb538a-7ffaaccb53fd 479->480 481 7ffaaccb5381-7ffaaccb5389 479->481 485 7ffaaccb5403-7ffaaccb5408 480->485 486 7ffaaccb5489-7ffaaccb548d 480->486 481->480 488 7ffaaccb540f-7ffaaccb5410 485->488 487 7ffaaccb5412-7ffaaccb544f SetWindowsHookExW 486->487 489 7ffaaccb5457-7ffaaccb5488 487->489 490 7ffaaccb5451 487->490 488->487 490->489
                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.3724953006.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: HookWindows
                  • String ID:
                  • API String ID: 2559412058-0
                  • Opcode ID: e6fc8af920d4cfe9064910598ca78d4c972c69fbc84cb93ea1342a3dbe36f50f
                  • Instruction ID: 0547d24c39bd9770b6bda8927602474761a7e60cf122f66546caeecd101a690c
                  • Opcode Fuzzy Hash: e6fc8af920d4cfe9064910598ca78d4c972c69fbc84cb93ea1342a3dbe36f50f
                  • Instruction Fuzzy Hash: A431DA7191CA5D8FDB58DF68D8456F9B7E1EF59311F00427ED00DD3292CA74A8168BC1

                  Control-flow Graph

                  Basic blocks (address range, API called in the block where any):
                  • 564: 7ffaaccb4305-7ffaaccb4379
                  • 567: 7ffaaccb4381-7ffaaccb43be (RtlSetProcessIsCritical)
                  • 568: 7ffaaccb43c6-7ffaaccb43e8
                  • 569: 7ffaaccb43c0
                  Edges: 564->567, 567->568, 567->569, 569->568
                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.3724953006.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: c07a408ed5bcd610cc3f0cf9698f20bb888ea8c69bd146bc3f5e8e67bb2dc6e1
                  • Instruction ID: e01e46e2650ef580357c73318c23d34495614c88e2142cb5e9b5cd76f06ced1b
                  • Opcode Fuzzy Hash: c07a408ed5bcd610cc3f0cf9698f20bb888ea8c69bd146bc3f5e8e67bb2dc6e1
                  • Instruction Fuzzy Hash: 8731F67044D7888FD719DBA8DC4AAE97FF0EF5A321F04016FE08AC3553CA696846CB91

                  Control-flow Graph

                  Basic blocks (address range, API called in the block where any):
                  • 571: 7ffaaccb2988-7ffaaccb43be (RtlSetProcessIsCritical)
                  • 577: 7ffaaccb43c6-7ffaaccb43e8
                  • 578: 7ffaaccb43c0
                  Edges: 571->577, 571->578, 578->577
                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.3724953006.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: d24b2e90d1ae80713a4365756382d782578e13cb3970d26d632c7aebb962209c
                  • Instruction ID: 56fc57cbf25e8358cb97dbb887684179a66a8bfb03cd6d5538990aed1737937f
                  • Opcode Fuzzy Hash: d24b2e90d1ae80713a4365756382d782578e13cb3970d26d632c7aebb962209c
                  • Instruction Fuzzy Hash: 5731C87191CB488FE718EB98D84A6F977F0EB65311F14413ED08ED3552DB64A845CB81

                  Control-flow Graph

                  Basic blocks (address range, API called in the block where any):
                  • 580: 7ffaaccb2998-7ffaaccb43be (RtlSetProcessIsCritical)
                  • 585: 7ffaaccb43c6-7ffaaccb43e8
                  • 586: 7ffaaccb43c0
                  Edges: 580->585, 580->586, 586->585
                  APIs
                  Memory Dump Source
                  • Source File: 00000011.00000002.3724953006.00007FFAACCB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFAACCB0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_17_2_7ffaaccb0000_svchost.jbxd
                  Similarity
                  • API ID: CriticalProcess
                  • String ID:
                  • API String ID: 2695349919-0
                  • Opcode ID: 3acc6c4f652f19cb43fb1d1668873d42aff944dabb3644bbc40bbfcebc44fcfd
                  • Instruction ID: fd00e4a814c102933f351f3eeffaa55a3781c4db68088b6033571447b120b039
                  • Opcode Fuzzy Hash: 3acc6c4f652f19cb43fb1d1668873d42aff944dabb3644bbc40bbfcebc44fcfd
                  • Instruction Fuzzy Hash: 3B31A77191CB088FEB18EB98D84AAF977E0EB59311F10413ED04ED3552DB646845CB85