Windows Analysis Report
OvA6x5v34G.exe

Overview

General Information

Sample Name: OvA6x5v34G.exe
Analysis ID: 799028
MD5: c875bcf1a868fbd4d782072878787785
SHA1: 71a396dcb26d19677f17c5b0f415918928081184
SHA256: 8984004d5e340774e8e22b3945214f3d3d4645d71f88a10ffac19ba1f6c7bc28
Tags: AsyncRAT, exe, RAT

Detection

AsyncRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Yara detected AsyncRAT
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
.NET source code contains potential unpacker
Yara detected Generic Downloader
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Sample execution stops while process was sleeping (likely an evasion)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Detected TCP or UDP traffic on non-standard ports
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • OvA6x5v34G.exe (PID: 1240 cmdline: C:\Users\user\Desktop\OvA6x5v34G.exe MD5: C875BCF1A868FBD4D782072878787785)
    • cmd.exe (PID: 6136 cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"' & exit MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5392 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3832 cmdline: schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"' MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 2192 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp.bat"" MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • timeout.exe (PID: 1352 cmdline: timeout 3 MD5: 121A4EDAE60A7AF6F5DFA82F7BB95659)
      • scvhost.exe (PID: 2612 cmdline: "C:\Users\user\AppData\Roaming\scvhost.exe" MD5: C875BCF1A868FBD4D782072878787785)
  • scvhost.exe (PID: 6108 cmdline: C:\Users\user\AppData\Roaming\scvhost.exe MD5: C875BCF1A868FBD4D782072878787785)
  • cleanup
{"Server": "eu-central-7075.packetriot.net", "Ports": "1604,22993", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}
Source | Rule | Description | Author | Strings
OvA6x5v34G.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
OvA6x5v34G.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
OvA6x5v34G.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
dump.pcap | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x1797a:$x1: AsyncRAT
  • 0x179b8:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\scvhost.exe | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
C:\Users\user\AppData\Roaming\scvhost.exe | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
C:\Users\user\AppData\Roaming\scvhost.exe | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

Source | Rule | Description | Author | Strings
00000008.00000002.572203781.0000000004DD6000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0xa3b3:$x1: AsyncRAT
  • 0xa3f1:$x1: AsyncRAT
00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x9d19:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
00000008.00000002.569516773.0000000000B18000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x65d7:$x1: AsyncRAT
  • 0x6615:$x1: AsyncRAT
00000008.00000002.569133580.0000000000A53000.00000004.00000020.00020000.00000000.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen
  • 0x18497:$x1: AsyncRAT
  • 0x184d5:$x1: AsyncRAT

Source | Rule | Description | Author | Strings
0.0.OvA6x5v34G.exe.4d0000.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.0.OvA6x5v34G.exe.4d0000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
0.0.OvA6x5v34G.exe.4d0000.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x99fd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM
0.2.OvA6x5v34G.exe.293c31c.0.unpack | JoeSecurity_AsyncRAT | Yara detected AsyncRAT | Joe Security
0.2.OvA6x5v34G.exe.293c31c.0.unpack | INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse | Detects file containing reversed ASEP Autorun registry keys | ditekSHen
  • 0x7bfd:$s1: nuR\noisreVtnerruC\swodniW\tfosorciM

No Sigma rule has matched
Timestamp: 02/06/23-06:17:25.881065
SID: 2030673
Source IP: 167.71.56.116
Destination IP: 192.168.2.4
Source Port: 22993
Destination Port: 49695
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 02/06/23-06:17:25.881065
SID: 2035595
Source IP: 167.71.56.116
Destination IP: 192.168.2.4
Source Port: 22993
Destination Port: 49695
Protocol: TCP
Classtype: A Network Trojan was detected


                  AV Detection

Source: OvA6x5v34G.exe | ReversingLabs: Detection: 96%
Source: OvA6x5v34G.exe | Virustotal: Detection: 71%
Source: OvA6x5v34G.exe | Avira: detected
Source: eu-central-7075.packetriot.net | Avira URL Cloud: Label: malware
Source: eu-central-7075.packetriot.net | Virustotal: Detection: 12%
Source: C:\Users\user\AppData\Roaming\scvhost.exe | Avira: detection malicious, Label: HEUR/AGEN.1202835
Source: C:\Users\user\AppData\Roaming\scvhost.exe | ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\scvhost.exe | Virustotal: Detection: 71%
Source: OvA6x5v34G.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\scvhost.exe | Joe Sandbox ML: detected
Source: OvA6x5v34G.exe | Malware Configuration Extractor: AsyncRAT {"Server": "eu-central-7075.packetriot.net", "Ports": "1604,22993", "Version": "0.5.7B", "Autorun": "true", "Install_Folder": "%AppData%"}
Source: OvA6x5v34G.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: OvA6x5v34G.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Networking

Source: Traffic | Snort IDS: 2035595 ET TROJAN Generic AsyncRAT Style SSL Cert 167.71.56.116:22993 -> 192.168.2.4:49695
Source: Traffic | Snort IDS: 2030673 ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) 167.71.56.116:22993 -> 192.168.2.4:49695
Source: Yara match | File source: OvA6x5v34G.exe, type: SAMPLE
Source: Yara match | File source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED
Source: Malware configuration extractor | URLs: eu-central-7075.packetriot.net
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 167.71.56.116
Source: global traffic | TCP traffic: 192.168.2.4:49695 -> 167.71.56.116:22993
Source: scvhost.exe, 00000008.00000003.488596244.0000000004E10000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: scvhost.exe, 00000008.00000002.572492895.0000000004E11000.00000004.00000020.00020000.00000000.sdmp, scvhost.exe, 00000008.00000003.488596244.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.8.dr | String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: OvA6x5v34G.exe, 00000000.00000002.320271119.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: unknown | DNS traffic detected: queries for: eu-central-7075.packetriot.net

                  Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match | File source: OvA6x5v34G.exe, type: SAMPLE
Source: Yara match | File source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED

                  System Summary

Source: OvA6x5v34G.exe, type: SAMPLE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: dump.pcap, type: PCAP | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000008.00000002.572203781.0000000004DD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000008.00000002.569516773.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000002.569133580.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000002.569516773.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000002.322756813.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000007.00000002.349959689.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000003.488531299.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: 00000008.00000003.488596244.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000003.488596244.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000007.00000002.346842427.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: 00000008.00000002.570032129.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: scvhost.exe PID: 6108, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: Process Memory Space: scvhost.exe PID: 2612, type: MEMORYSTR | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: Process Memory Space: scvhost.exe PID: 2612, type: MEMORYSTR | Matched rule: Detects AsyncRAT | Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED | Matched rule: Detects file containing reversed ASEP Autorun registry keys | Author: ditekSHen
Source: OvA6x5v34G.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: OvA6x5v34G.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: dump.pcap, type: PCAP | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.572203781.0000000004DD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.569516773.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.569133580.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.569516773.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.322756813.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.349959689.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000003.488531299.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: 00000008.00000003.488596244.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000003.488596244.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000007.00000002.346842427.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: 00000008.00000002.570032129.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: scvhost.exe PID: 6108, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: Process Memory Space: scvhost.exe PID: 2612, type: MEMORYSTR | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: Process Memory Space: scvhost.exe PID: 2612, type: MEMORYSTR | Matched rule: MALWARE_Win_AsyncRAT, author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED | Matched rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, author = ditekSHen, description = Detects file containing reversed ASEP Autorun registry keys
Source: OvA6x5v34G.exe, 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameWinRAR. vs OvA6x5v34G.exe
Source: OvA6x5v34G.exe, 00000000.00000000.300475349.00000000004DE000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameWinRAR. vs OvA6x5v34G.exe
Source: OvA6x5v34G.exe | Binary or memory string: OriginalFilenameWinRAR. vs OvA6x5v34G.exe
Source: OvA6x5v34G.exe | ReversingLabs: Detection: 96%
Source: OvA6x5v34G.exe | Virustotal: Detection: 71%
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | File read: C:\Users\user\Desktop\OvA6x5v34G.exe
Source: OvA6x5v34G.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\OvA6x5v34G.exe C:\Users\user\Desktop\OvA6x5v34G.exe
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"' & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp.bat""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 3
Source: unknown | Process created: C:\Users\user\AppData\Roaming\scvhost.exe C:\Users\user\AppData\Roaming\scvhost.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Roaming\scvhost.exe "C:\Users\user\AppData\Roaming\scvhost.exe"
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | File created: C:\Users\user\AppData\Roaming\scvhost.exe
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | File created: C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp
Source: classification engine | Classification label: mal100.troj.evad.winEXE@15/7@7/1
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: OvA6x5v34G.exe, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: OvA6x5v34G.exe, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: scvhost.exe.0.dr, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: scvhost.exe.0.dr, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, Client/Helper/Methods.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: OvA6x5v34G.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\OvA6x5v34G.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\scvhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\scvhost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
sSk2nNXe7XUphaOkdxRJUK56xi186WYC5uhShAuBH/MtylbbftdRENzaNvz8oOyoIKZE6BQINVVuehHJopj6IHwaA6TgJklFupLpTLOSnwcou3qkY08PovUwhVvSF9k4b3uoLZYlPegIhhlfBHynOIxOlzl10G1EIDKOiywiq72q5mtX8SkJfg8SkIio3ja9m7viOrjZmAQrkd0QHLSt8VCQuqz7EtIvXRu0Gwqi44LhxTSVyzp1YfTTpvbdem1oJdNRDqQSyPDnh1bxBsKiRTNeSf67jIV9DCGLOvsODYS6CwrOvDzYjD1XBMo8l4auRqLrqwja/FloLwhKO8TQ2x6qeJnweDcultT6w8tKvukYrFr75lqa6a/Uj29v4q+gFDs/pTk5PvUMX4FkMPj5WbQoH7Y7Va4cmU9gYYF7prc5L07uc43QY/9M3nwbhpNtDTkr6H8j8xYmkPu6UDOzdnZHGEm46yi348SqqMd11jWi0m9Sq8UDGVbs2rSq/27Q81pIOHPtxHeJujslcSc7qAqjgZwo7ukdvSOHymBLTmC5b60xa5xKKitsWZ7PkCUo7Xd6tGCiiwvSmDAbrieWDC55+LfqErF2nHzQmv11BbjGSsJOO3GCbUWXgkavpxJftBIbsW++CwvuohE=', 'MwRbXKrjQlDDOrCuE1k1FgUSKeU2i3Bn32LVFY59RcwWCmcyVod6Fdo++9Yrjlb7vhQY7Z7K/xtJU4tQsynivgzZNR9mTNPNVz+M0WmX/htNtMRF/iKyXFpaIeMO5u/QRdblWQroQEbqTmEoogygtGw7GdG99Gy34XbIoT7BkwyDLZqcMXJMVjXlbqB2IkmmwOe8eaH/ywK38Uq3prdR3b7GaELE/0FjMXHIp0/47u2L0020k1YETCXfX1CnhQlgnP32KwJ1NpTsxqnhWfT+E/dDJXXXnn56qqTSuPz9ab0PBioqUO5W0i4/KgYFH641wEItP1gqZfVJRIl6Wk/aGVr59UAc9hGE/7HUPJ9zzOh/O2vTKmCUEyNDul2VtQva8b8qO6lJJXJ7aur4DIxgi8B+koycHbjcgPBK1E8TYwkiCXQP/FZ/CAS/l3P
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:996:120:WilError_01
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeMutant created: \Sessions\1\BaseNamedObjects\AsyncMutex_6SI8OkPnk
                  Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5392:120:WilError_01
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp.bat""
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeFile read: C:\Windows\System32\drivers\etc\hosts
                  Source: OvA6x5v34G.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                  Source: OvA6x5v34G.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                  Data Obfuscation

                  Source: OvA6x5v34G.exe, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: scvhost.exe.0.dr, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, Client/Handle_Packet/Packet.cs.Net Code: Invoke System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C80A78 push ebp; ret 8_2_00C80A7E
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C801D8 push ebp; ret 8_2_00C801EA
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C80DD0 push ebp; ret 8_2_00C80E46
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C81165 push eax; ret 8_2_00C81176
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C80919 push esp; ret 8_2_00C8091E
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeCode function: 8_2_00C80F3A push ebp; ret 8_2_00C80F46
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeFile created: C:\Users\user\AppData\Roaming\scvhost.exe

                  Boot Survival

                  Source: Yara matchFile source: OvA6x5v34G.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"'
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess information set: NOOPENFILEERRORBOX

                  Malware Analysis System Evasion

                  Source: Yara matchFile source: OvA6x5v34G.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED
                  Source: OvA6x5v34G.exe, scvhost.exe.0.drBinary or memory string: SBIEDLL.DLL
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exe TID: 4764Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\scvhost.exe TID: 4280Thread sleep time: -922337203685477s >= -30000s
                  Source: C:\Users\user\AppData\Roaming\scvhost.exe TID: 836Thread sleep time: -30000s >= -30000s
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeLast function: Thread delayed
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess information queried: ProcessInformation
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeThread delayed: delay time: 922337203685477
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeFile Volume queried: C:\ FullSizeInformation
                  Source: OvA6x5v34G.exe, 00000000.00000002.320271119.000000000294D000.00000004.00000800.00020000.00000000.sdmp, scvhost.exe, 00000007.00000002.346842427.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, scvhost.exe, 00000008.00000002.570032129.00000000029B5000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qEMu4
                  Source: scvhost.exe.0.drBinary or memory string: vmware
                  Source: scvhost.exe, 00000008.00000003.488554198.0000000004E46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW.
                  Source: scvhost.exe, 00000008.00000003.488596244.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, scvhost.exe, 00000008.00000003.360576262.0000000004E44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess token adjusted: Debug
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeProcess token adjusted: Debug
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeMemory allocated: page read and write | page guard
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"' & exit
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp.bat""
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"'
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 3
                  Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Users\user\AppData\Roaming\scvhost.exe "C:\Users\user\AppData\Roaming\scvhost.exe"
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeQueries volume information: C:\Users\user\Desktop\OvA6x5v34G.exe VolumeInformation
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeQueries volume information: C:\Users\user\AppData\Roaming\scvhost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeQueries volume information: C:\Users\user\AppData\Roaming\scvhost.exe VolumeInformation
                  Source: C:\Users\user\AppData\Roaming\scvhost.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                  Source: C:\Users\user\Desktop\OvA6x5v34G.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                  Lowering of HIPS / PFW / Operating System Security Settings

                  Source: Yara matchFile source: OvA6x5v34G.exe, type: SAMPLE
                  Source: Yara matchFile source: 0.0.OvA6x5v34G.exe.4d0000.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 0.2.OvA6x5v34G.exe.293c31c.0.raw.unpack, type: UNPACKEDPE
                  Source: Yara matchFile source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                  Source: Yara matchFile source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                  Source: Yara matchFile source: Process Memory Space: OvA6x5v34G.exe PID: 1240, type: MEMORYSTR
                  Source: Yara matchFile source: C:\Users\user\AppData\Roaming\scvhost.exe, type: DROPPED
                  MITRE ATT&CK Matrix, listed per tactic column (the bracketed digits are the count badges the original matrix shows next to a technique):
                  Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
                  Execution: Scheduled Task/Job [2]; Scripting [1]; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
                  Persistence: Scheduled Task/Job [2]; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Privilege Escalation: Process Injection [11]; Scheduled Task/Job [2]; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
                  Defense Evasion: Masquerading [1]; Disable or Modify Tools [1]; Virtualization/Sandbox Evasion [21]; Process Injection [11]; Scripting [1]; Obfuscated Files or Information [111]; Software Packing [1]
                  Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
                  Discovery: Query Registry [1]; Security Software Discovery [21]; Process Discovery [1]; Virtualization/Sandbox Evasion [21]; Remote System Discovery [1]; File and Directory Discovery [1]; System Information Discovery [13]
                  Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
                  Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
                  Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                  Command and Control: Non-Standard Port [1]; Non-Application Layer Protocol [1]; Application Layer Protocol [11]; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
                  Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
                  Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                  Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
                  Behavior Graph ID: 799028, Sample: OvA6x5v34G.exe, Startdate: 06/02/2023, Architecture: WINDOWS, Score: 100
                  Signatures on the sample: Snort IDS alert for network traffic; Multi AV Scanner detection for domain / URL; Malicious sample detected (through community Yara rule); 9 other signatures
                  OvA6x5v34G.exe (started)
                    dropped: C:\Users\user\AppData\Roaming\scvhost.exe, PE32
                    dropped: C:\Users\user\AppData\...\OvA6x5v34G.exe.log, ASCII
                    started: cmd.exe
                      signature: Uses schtasks.exe or at.exe to add and modify task schedules
                      started: conhost.exe
                      started: schtasks.exe
                    started: cmd.exe
                      started: scvhost.exe
                        network: eu-central-7075.packetriot.net 167.71.56.116, ports 1604, 22993, 49695, DIGITALOCEAN-ASNUS, United States
                      started: conhost.exe
                      started: timeout.exe
                  scvhost.exe (started)
                    signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

Source | Detection | Scanner | Label | Link
OvA6x5v34G.exe | 96% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
OvA6x5v34G.exe | 71% | Virustotal | | Browse
OvA6x5v34G.exe | 100% | Avira | HEUR/AGEN.1202835 |
OvA6x5v34G.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\scvhost.exe | 100% | Avira | HEUR/AGEN.1202835 |
C:\Users\user\AppData\Roaming\scvhost.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\scvhost.exe | 82% | ReversingLabs | ByteCode-MSIL.Backdoor.AsyncRAT |
C:\Users\user\AppData\Roaming\scvhost.exe | 71% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link | Download
0.0.OvA6x5v34G.exe.4d0000.0.unpack | 100% | Avira | HEUR/AGEN.1202835 | | Download File

Source | Detection | Scanner | Label | Link
eu-central-7075.packetriot.net | 12% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
eu-central-7075.packetriot.net | 100% | Avira URL Cloud | malware |
eu-central-7075.packetriot.net | 12% | Virustotal | | Browse

Name | IP | Active | Malicious | Antivirus Detection | Reputation
eu-central-7075.packetriot.net | 167.71.56.116 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
eu-central-7075.packetriot.net | true | 12%, Virustotal, Browse; Avira URL Cloud: malware | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | OvA6x5v34G.exe, 00000000.00000002.320271119.00000000028BA000.00000004.00000800.00020000.00000000.sdmp | false | | high
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
167.71.56.116 | eu-central-7075.packetriot.net | United States | | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 799028
Start date and time: 2023-02-06 06:16:07 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 29s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: OvA6x5v34G.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@15/7@7/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 57
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, WMIADAP.exe, conhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 209.197.3.8
• Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
• Execution Graph export aborted for target OvA6x5v34G.exe, PID 1240 because it is empty
• Execution Graph export aborted for target scvhost.exe, PID 2612 because it is empty
• Execution Graph export aborted for target scvhost.exe, PID 6108 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
06:17:10 | Task Scheduler | Run new task: scvhost path: "C:\Users\user\AppData\Roaming\scvhost.exe"
06:17:26 | API Interceptor | 1x Sleep call for process: scvhost.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
167.71.56.116 | zUYpYikG7T.exe | Get hash | malicious | Browse |
 | SdwkQEBnc3.exe | Get hash | malicious | Browse |
 | riV1K85Awe.exe | Get hash | malicious | Browse |
 | Malwarebytes Gears.exe | Get hash | malicious | Browse |
 | H8RZSly6dG.exe | Get hash | malicious | Browse |
 | 8E8732B9BEBC8382E938B48697E79FEB4B06528DF41FD.exe | Get hash | malicious | Browse |
 | qCotr6jZt2.exe | Get hash | malicious | Browse |

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
eu-central-7075.packetriot.net | zUYpYikG7T.exe | Get hash | malicious | Browse | 167.71.56.116
 | SdwkQEBnc3.exe | Get hash | malicious | Browse | 167.71.56.116
 | riV1K85Awe.exe | Get hash | malicious | Browse | 167.71.56.116
 | Malwarebytes Gears.exe | Get hash | malicious | Browse | 167.71.56.116

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
DIGITALOCEAN-ASNUS | 7SjzSFSSVp.elf | Get hash | malicious | Browse | 157.245.157.40
 | e5A3ahhY01.elf | Get hash | malicious | Browse | 157.245.169.53
 | fyjuX2c2uD.elf | Get hash | malicious | Browse | 157.230.1.139
 | https://daily.news.humanevents.com/link.php?AGENCY=THEPM&M=1731557&N=6537&L=8063&F=H&drurl=aHR0cDovLzZTbEp1UUktTUQ1LmNsZW9tYXIuY29tLmJyLz9hRzlxZFVCdmIyTnNMbU52YlE9PQ== | Get hash | malicious | Browse | 159.89.244.186
 | tIr9H2zXH7.elf | Get hash | malicious | Browse | 167.172.53.212
 | GFr09FV2bE.elf | Get hash | malicious | Browse | 157.245.170.67
 | Creal.exe | Get hash | malicious | Browse | 159.89.102.253
 | SdR6vL8QVT.elf | Get hash | malicious | Browse | 45.55.171.90
 | uhCqa8i4WX.elf | Get hash | malicious | Browse | 134.123.157.204
 | https://murchison-blasting.murchisonc.com/? | Get hash | malicious | Browse | 104.248.243.16
 | INVOICE_(Q322) ready for review JAN 31 2023 1000AM.htm | Get hash | malicious | Browse | 134.209.238.18
 | https://sourceforge.net/projects/processhacker/files/processhacker2/processhacker-2.39-setup.exe/download | Get hash | malicious | Browse | 159.65.194.197
 | 6bYYcZrts9.exe | Get hash | malicious | Browse | 161.35.61.102
 | https://bit.ly/3XWc0Ez | Get hash | malicious | Browse | 138.197.155.84
 | iHNnlVPvr3.elf | Get hash | malicious | Browse | 167.174.154.121
 | http://tiktok.ace2.us/gzp8FJT | Get hash | malicious | Browse | 64.227.23.114
 | http://surl.li/dtyyn | Get hash | malicious | Browse | 178.62.202.251
 | https://app.adjust.com/w5i9q49?deeplink=sixt://&fallback=https://clubrianferreira.com.br/#bWljaGFlbC5jbGF1c2VsbEBzd2dhcy5jb20= | Get hash | malicious | Browse | 159.203.114.178
 | https://rb.gy/f46lfx | Get hash | malicious | Browse | 161.35.120.173
 | https://tours.pvphoto.co/8215/sociallinks?link=https://49-211-9099-071049-211-9099-0710-8xlgz.pagemaker.link/49-211-9099-071049-211-9099-0710 | Get hash | malicious | Browse | 157.230.65.47
                                  No context
                                  No context
Process: C:\Users\user\AppData\Roaming\scvhost.exe
File Type: Microsoft Cabinet archive data, Windows 2000/XP setup, 62932 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
Category: dropped
Size (bytes): 62932
Entropy (8bit): 7.9958071285043335
Encrypted: true
SSDEEP: 1536:pvl2gmukMiArbge/oKIxf+Q9yNJLaRCfIElhUuDz:pvl2gmZhpehIxfJsJLawfIElhUu3
MD5: FC4666CBCA561E864E7FDF883A9E6661
SHA1: 2F8D6094C7A34BF12EA0BBF0D51EE9C5BB7939A5
SHA-256: 10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
SHA-512: C71F54B571E01F247F072BE4BBEBDF5D8410B67EB79A61E7E0D9853FE857AB9BD12F53E6AF3394B935560178107291FC4BE351B27DEB388EBA90BA949633D57D
Malicious: false
Reputation: moderate, very likely benign file
                                  Preview:MSCF............,...................I.................oU.s .authroot.stl......5..CK..8U[...q.yL;sf!d.D..."2."C...2....RRRHnT...\...!2.)QQ*2..nN.\7.....lgYk;.^.....}..h4.....Kc.cG.q.tY..Drg<..G.D....c.qnx..G.......r.8.....w...;.Q6..o.xf:f..:NL[.`..]I.@ ,W..J..Qf.z9.<.../.D.p:0R...#..I,.%.+."...B.n)...[Y=.,0...R.#..G5..2..]........$p..3.M.O...._L.......g.....?=.J..!...G~.#.J:.Wj.........9(:..g.8,.o.b...3..C..t.7L=..+~%pc...%..b(.q.......F.'...@~P .6CA.(d.Z~..6....=.).9......A........p...Gy....7U.L....S...^.R.T.p...R..:.hr./..8...a&p.l(....g.3a)...[.M..v.......g,.U..l.F..._kJv.4.rG.{.K.6.X.rz.8.r..&..G.j..p".z...L...EUX.......;...Y.................j}..FrT.,J3.d?T.T}Q..hn.?.4F...~K...........'...c...X,.v..yk..0._.j|.(.q4k1....^b..6...z..\9'}.%.*...S.[..D.k....J.../D$.#..O.o~%S.9u....|61.........~....Q+.w.e....7}..:.....^.p.mKm._9v......'.3T..bY3..9a..p.'1..Lx.O.g..J5w+.r..K.R.P.....E0bf*r...c..;...`.j...i.;y.C..#|L.e.(.....w.X'...z../.-...c.......
Process: C:\Users\user\AppData\Roaming\scvhost.exe
File Type: data
Category: modified
Size (bytes): 328
Entropy (8bit): 3.1809764326412298
Encrypted: false
SSDEEP: 6:kKWCl0qz7ksN+SkQlPlEGYRMY9z+4KlDA3RUe+OGNglcy:tl+kPlE99SNxAhUefblcy
MD5: 197EC8E69934486EB0B50ED7AC394439
SHA1: B9DFBE7074344B58D9ABAF32E91E5495EF5FAA72
SHA-256: 419EFB0028A34CC7EC26D0B1466609710FB70B7E6D5B97509663815AC3958551
SHA-512: 7B8E2FC75E5CD742F9B15700BD95494D3DD304024920CBBFDE4EFE887F3DE163FD2C7927CCFDB0092DFFFBD5A3D225BFD90594DEBEDECD1E4FF5836C480AB012
Malicious: false
Reputation: low
                                  Preview:p...... ........O.yM.9..(....................................................... .........g.%.......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".8.0.a.1.6.7.1.3.2.5.4.d.9.1.:.0."...
Process: C:\Users\user\Desktop\OvA6x5v34G.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 522
Entropy (8bit): 5.348034597186669
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhat92n4M6:ML9E4Ks2wKDE4KhK3VZ9pKhg84j
MD5: 07FC10473CB7F0DEC42EE8079EB0DF28
SHA1: 90FA6D0B604991B3E5E8F6DB041651B10FD4284A
SHA-256: A42B61DFB4AF366D05CE1815C88E2392C7C4AA9B6B17604234BEB7A7DADA7E4C
SHA-512: D7240EE88D207E631990907AFA96C8384FB51729A16247BD4BDB96CBA3C4CDB9A68ADCD07819B2242A0F395690AD831B1B547EC91E988CBE39398F472055D56F
Malicious: true
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..
Process: C:\Users\user\AppData\Roaming\scvhost.exe
File Type: CSV text
Category: dropped
Size (bytes): 425
Entropy (8bit): 5.340009400190196
Encrypted: false
SSDEEP: 12:Q3La/KDLI4MWuPk21OKbbDLI4MWuPJKiUrRZ9I0ZKhav:ML9E4Ks2wKDE4KhK3VZ9pKhk
MD5: CC144808DBAF00E03294347EADC8E779
SHA1: A3434FC71BA82B7512C813840427C687ADDB5AEA
SHA-256: 3FC7B9771439E777A8F8B8579DD499F3EB90859AD30EFD8A765F341403FC7101
SHA-512: A4F9EB98200BCAF388F89AABAF7EA57661473687265597B13192C24F06638C6339A3BD581DF4E002F26EE1BA09410F6A2BBDB4DA0CD40B59D63A09BAA1AADD3D
Malicious: false
                                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
Process: C:\Users\user\Desktop\OvA6x5v34G.exe
File Type: DOS batch file, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 151
Entropy (8bit): 5.032492424126052
Encrypted: false
SSDEEP: 3:mKDDCMNqTtvL5ot+kiEaKC5lNDLACSmqRDt+kiE2J5xAInTRIMfLRI7ZPy:hWKqTtT6wknaZ5lhsmq1wkn23fTtfLGk
MD5: 96B68CA793FC6EDD2C19D85F5C7B6A9E
SHA1: E7E2078C0DE4563A75E104FF87E91C414FD1BCF0
SHA-256: 09BBC24822051FD12A5E2CF5217A6FD2A3E663578AE456B43460CE5D056019B6
SHA-512: A1CBCE4495CC765DD6430B086FCA85913C665C33E35619BFCF71C3A4B1E417A9D02135E864042B41C921A6A75CAD08C3FFD553E9D52ACDB00D039FED724CE25E
Malicious: false
                                  Preview:@echo off..timeout 3 > NUL..START "" "C:\Users\user\AppData\Roaming\scvhost.exe"..CD C:\Users\user\AppData\Local\Temp\..DEL "tmpCC1F.tmp.bat" /f /q..
Process: C:\Users\user\Desktop\OvA6x5v34G.exe
File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 46592
Entropy (8bit): 5.470529748948594
Encrypted: false
SSDEEP: 768:JuK49TH4EjZWUR+ejmo2qrDKjGKG6PIyzjbFgX3i/Ei4s2/IBDZ7d:JuK49THf52OKYDy3bCXS/Eih2/ud7d
MD5: C875BCF1A868FBD4D782072878787785
SHA1: 71A396DCB26D19677F17C5B0F415918928081184
SHA-256: 8984004D5E340774E8E22B3945214F3D3D4645D71F88A10FFAC19BA1F6C7BC28
SHA-512: 3732BBAA93A773054D2F63E947A450FE70018CF57BDDC68725408959F8BF7CE0F0769671A2FB2884324A5419B9E1DA3A88BF25DD5DC23C1DB41DE7A5340CAE82
Malicious: true
Yara Hits:
• Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: Joe Security
• Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: Joe Security
• Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: ditekSHen
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
• Antivirus: ReversingLabs, Detection: 82%
• Antivirus: Virustotal, Detection: 71%, Browse
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................^.... ........@.. ....................... ............@.....................................W.................................................................................... ............... ..H............text...d.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B................@.......H........Y...m.............................................................V..;...$0.xC.=VD..b......9A../.\.....(....*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.......*.~....*.~....*.......*.~....*.......*.~....*.......**.(>......*2~.....o?...*.s.........*.()...:(...(*...:....(+...:....('...:....((...9.....(v...*V(....s.... ...o....*n~....9....~....o..........*~~....(....9....(0...9....(@...*Vr.%.p~....(o....#...*.s...
Process: C:\Windows\SysWOW64\timeout.exe
File Type: ASCII text, with CRLF line terminators, with overstriking
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.41440934524794
Encrypted: false
SSDEEP: 3:hYFqdLGAR+mQRKVxLZXt0sn:hYFqGaNZKsn
MD5: 3DD7DD37C304E70A7316FE43B69F421F
SHA1: A3754CFC33E9CA729444A95E95BCB53384CB51E4
SHA-256: 4FA27CE1D904EA973430ADC99062DCF4BAB386A19AB0F8D9A4185FA99067F3AA
SHA-512: 713533E973CF0FD359AC7DB22B1399392C86D9FD1E715248F5724AAFBBF0EEB5EAC0289A0E892167EB559BE976C2AD0A0A0D8EFC407FFAF5B3C3A32AA9A0AAA4
Malicious: false
                                  Preview:..Waiting for 3 seconds, press a key to continue ....2.1.0..
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 5.470529748948594
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.80%
• Win32 Executable (generic) a (10002005/4) 49.75%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Windows Screen Saver (13104/52) 0.07%
• Generic Win/DOS Executable (2004/3) 0.01%
File name: OvA6x5v34G.exe
File size: 46592
MD5: c875bcf1a868fbd4d782072878787785
SHA1: 71a396dcb26d19677f17c5b0f415918928081184
SHA256: 8984004d5e340774e8e22b3945214f3d3d4645d71f88a10ffac19ba1f6c7bc28
SHA512: 3732bbaa93a773054d2f63e947a450fe70018cf57bddc68725408959f8bf7ce0f0769671a2fb2884324a5419b9e1da3a88bf25dd5dc23c1db41de7a5340cae82
SSDEEP: 768:JuK49TH4EjZWUR+ejmo2qrDKjGKG6PIyzjbFgX3i/Ei4s2/IBDZ7d:JuK49THf52OKYDy3bCXS/Eih2/ud7d
TLSH: AB233A003BE8822BF2BE5F7898F26145467AF2A33603D55E2CC4519B5713FC696426FE
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..^............................^.... ........@.. ....................... ............@................................
Icon Hash: 00828e8e8686b000
Entrypoint: 0x40c75e
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x5EB79023 [Sun May 10 05:24:51 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al (repeated 97 times; the bytes following the jmp are zero padding, and the jmp target 0x402000 is the single IAT entry for mscoree.dll!_CorExeMain, i.e. the standard native entry stub of a .NET assembly)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc704 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xe000 | 0x898 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x10000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xa764 | 0xa800 | False | 0.5005580357142857 | data | 5.509369989794829 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xe000 | 0x898 | 0xa00 | False | 0.36953125 | data | 5.120024649978191 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x10000 | 0xc | 0x200 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
RT_VERSION | 0xe0a0 | 0x364 | data | |
RT_MANIFEST | 0xe404 | 0x493 | exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | |

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/06/23-06:17:25.881065 | TCP | 2030673 | ET TROJAN Observed Malicious SSL Cert (AsyncRAT Server) | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
02/06/23-06:17:25.881065 | TCP | 2035595 | ET TROJAN Generic AsyncRAT Style SSL Cert | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 6, 2023 06:17:20.022380114 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:20.052707911 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:20.052958012 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:20.100876093 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:20.131176949 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:25.881064892 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:25.881105900 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:25.881253004 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:25.902445078 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:25.932724953 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:27.151149988 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:27.205929995 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:33.476011038 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:33.506603956 CET | 22993 | 49695 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:33.506808996 CET | 49695 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:33.597286940 CET | 49697 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:36.612971067 CET | 49697 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:42.629106045 CET | 49697 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:59.769681931 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:59.800350904 CET | 22993 | 49698 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:59.800586939 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:59.801198006 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:59.831741095 CET | 22993 | 49698 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:59.941629887 CET | 22993 | 49698 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:17:59.942508936 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:17:59.972842932 CET | 22993 | 49698 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:04.959999084 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:04.990771055 CET | 22993 | 49698 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:04.992702961 CET | 49698 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:05.075565100 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:05.105966091 CET | 22993 | 49699 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:05.106065035 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:05.106508970 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:05.136650085 CET | 22993 | 49699 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:05.227736950 CET | 22993 | 49699 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:05.228492975 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:05.259005070 CET | 22993 | 49699 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:10.283796072 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:10.314776897 CET | 22993 | 49699 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:10.314971924 CET | 49699 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:10.325856924 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:10.359054089 CET | 22993 | 49700 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:10.363001108 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:10.380254984 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:10.411104918 CET | 22993 | 49700 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:10.498779058 CET | 22993 | 49700 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:10.569163084 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:11.061547041 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:11.092521906 CET | 22993 | 49700 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:16.069967985 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:16.100887060 CET | 22993 | 49700 | 167.71.56.116 | 192.168.2.4
Feb 6, 2023 06:18:16.101000071 CET | 49700 | 22993 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:16.126482010 CET | 49701 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:19.132272005 CET | 49701 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:25.132792950 CET | 49701 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:42.207834005 CET | 49702 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:45.212585926 CET | 49702 | 1604 | 192.168.2.4 | 167.71.56.116
Feb 6, 2023 06:18:51.213120937 CET | 49702 | 1604 | 192.168.2.4 | 167.71.56.116
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 6, 2023 06:17:19.980653048 CET | 56572 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:17:20.017652988 CET | 53 | 56572 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:17:33.491288900 CET | 59683 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:17:33.594599009 CET | 53 | 59683 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:17:59.739897013 CET | 64167 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:17:59.768332005 CET | 53 | 64167 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:18:04.964220047 CET | 58565 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:18:05.071029902 CET | 53 | 58565 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:18:10.293092012 CET | 52239 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:18:10.314017057 CET | 53 | 52239 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:18:16.091135979 CET | 56807 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:18:16.123941898 CET | 53 | 56807 | 8.8.8.8 | 192.168.2.4
Feb 6, 2023 06:18:42.167335987 CET | 61007 | 53 | 192.168.2.4 | 8.8.8.8
Feb 6, 2023 06:18:42.205271959 CET | 53 | 61007 | 8.8.8.8 | 192.168.2.4
Timestamp | Source IP | Dest IP | Checksum | Code | Type
Feb 6, 2023 06:17:33.628201008 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:17:36.643748999 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:17:42.663422108 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:16.157084942 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:19.162866116 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:25.163443089 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:42.238579035 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:45.243427038 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Feb 6, 2023 06:18:51.244029999 CET | 167.71.56.116 | 192.168.2.4 | 9f84 | (Unknown) | Destination Unreachable
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Feb 6, 2023 06:17:19.980653048 CET | 192.168.2.4 | 8.8.8.8 | 0x299b | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:17:33.491288900 CET | 192.168.2.4 | 8.8.8.8 | 0xa271 | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:17:59.739897013 CET | 192.168.2.4 | 8.8.8.8 | 0x4b47 | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:04.964220047 CET | 192.168.2.4 | 8.8.8.8 | 0x5e0b | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:10.293092012 CET | 192.168.2.4 | 8.8.8.8 | 0x23b0 | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:16.091135979 CET | 192.168.2.4 | 8.8.8.8 | 0xbc7f | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:42.167335987 CET | 192.168.2.4 | 8.8.8.8 | 0x1b33 | Standard query (0) | eu-central-7075.packetriot.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Feb 6, 2023 06:17:20.017652988 CET | 8.8.8.8 | 192.168.2.4 | 0x299b | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:17:33.594599009 CET | 8.8.8.8 | 192.168.2.4 | 0xa271 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:17:59.768332005 CET | 8.8.8.8 | 192.168.2.4 | 0x4b47 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:05.071029902 CET | 8.8.8.8 | 192.168.2.4 | 0x5e0b | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:10.314017057 CET | 8.8.8.8 | 192.168.2.4 | 0x23b0 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:16.123941898 CET | 8.8.8.8 | 192.168.2.4 | 0xbc7f | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false
Feb 6, 2023 06:18:42.205271959 CET | 8.8.8.8 | 192.168.2.4 | 0x1b33 | No error (0) | eu-central-7075.packetriot.net | | 167.71.56.116 | A (IP address) | IN (0x0001) | false

                                  Target ID:0
                                  Start time:06:16:59
                                  Start date:06/02/2023
                                  Path:C:\Users\user\Desktop\OvA6x5v34G.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\Desktop\OvA6x5v34G.exe
                                  Imagebase:0x4d0000
                                  File size:46592 bytes
                                  MD5 hash:C875BCF1A868FBD4D782072878787785
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.320271119.000000000293C000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.320271119.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.322756813.0000000004EA6000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000000.00000000.300462677.00000000004D2000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                                  Reputation:low

                                  Target ID:1
                                  Start time:06:17:07
                                  Start date:06/02/2023
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"' & exit
                                  Imagebase:0xd90000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:2
                                  Start time:06:17:07
                                  Start date:06/02/2023
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:3
                                  Start time:06:17:07
                                  Start date:06/02/2023
                                  Path:C:\Windows\SysWOW64\cmd.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\tmpCC1F.tmp.bat""
                                  Imagebase:0xd90000
                                  File size:232960 bytes
                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:4
                                  Start time:06:17:07
                                  Start date:06/02/2023
                                  Path:C:\Windows\System32\conhost.exe
                                  Wow64 process (32bit):false
                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  Imagebase:0x7ff7c72c0000
                                  File size:625664 bytes
                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:5
                                  Start time:06:17:08
                                  Start date:06/02/2023
                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                  Wow64 process (32bit):true
                                  Commandline:schtasks /create /f /sc onlogon /rl highest /tn "scvhost" /tr '"C:\Users\user\AppData\Roaming\scvhost.exe"'
                                  Imagebase:0x1240000
                                  File size:185856 bytes
                                  MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:6
                                  Start time:06:17:08
                                  Start date:06/02/2023
                                  Path:C:\Windows\SysWOW64\timeout.exe
                                  Wow64 process (32bit):true
                                  Commandline:timeout 3
                                  Imagebase:0x880000
                                  File size:26112 bytes
                                  MD5 hash:121A4EDAE60A7AF6F5DFA82F7BB95659
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  Target ID:7
                                  Start time:06:17:10
                                  Start date:06/02/2023
                                  Path:C:\Users\user\AppData\Roaming\scvhost.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Users\user\AppData\Roaming\scvhost.exe
                                  Imagebase:0x560000
                                  File size:46592 bytes
                                  MD5 hash:C875BCF1A868FBD4D782072878787785
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.349959689.0000000004DE8000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000007.00000002.346842427.00000000028A1000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: JoeSecurity_AsyncRAT, Description: Yara detected AsyncRAT, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: Joe Security
                                  • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: Joe Security
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: C:\Users\user\AppData\Roaming\scvhost.exe, Author: ditekSHen
                                  Antivirus matches:
                                  • Detection: 100%, Avira
                                  • Detection: 100%, Joe Sandbox ML
                                  • Detection: 82%, ReversingLabs
                                  • Detection: 71%, Virustotal, Browse
                                  Reputation:low

                                  Target ID:8
                                  Start time:06:17:11
                                  Start date:06/02/2023
                                  Path:C:\Users\user\AppData\Roaming\scvhost.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\AppData\Roaming\scvhost.exe"
                                  Imagebase:0x460000
                                  File size:46592 bytes
                                  MD5 hash:C875BCF1A868FBD4D782072878787785
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Yara matches:
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.572203781.0000000004DD6000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.569516773.0000000000B18000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.569133580.0000000000A53000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.569516773.0000000000B07000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse, Description: Detects file containing reversed ASEP Autorun registry keys, Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.570032129.0000000002985000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000003.488531299.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000003.488596244.0000000004DED000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000003.488596244.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, Author: ditekSHen
                                  • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000008.00000002.570032129.00000000029B5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                  Reputation:low

                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0bab26448c49de6a04195072b8e4dfaf1d7e40e6c0ab2bd68167d2fd5b34e619
                                    • Instruction ID: f21089f3df1da65514546236dcbfb5921552e6633084b486f4f6db3942869a03
                                    • Opcode Fuzzy Hash: 0bab26448c49de6a04195072b8e4dfaf1d7e40e6c0ab2bd68167d2fd5b34e619
                                    • Instruction Fuzzy Hash: 1231A234A002098FDB14DF69C458BADBBF2FF89304F1585A9D405EB3A1CB759D49CB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 68348518e0c7117fa6c9559a25f627ece22ed1b5fdf3ac6ae680b17016c46c31
                                    • Instruction ID: 6b783b4345fdb56b2f7d814f9ead8568d519c483bf6a5cfe1662a6323836764c
                                    • Opcode Fuzzy Hash: 68348518e0c7117fa6c9559a25f627ece22ed1b5fdf3ac6ae680b17016c46c31
                                    • Instruction Fuzzy Hash: 01219F75F002168FCB58EBB98455A6EBBF2AF89600B14447DE546DB3A1EF30DC058BD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3860162b51f66503d05e5e8f6520a1f12379dac0cd23aba1036e37f3f1ade9e6
                                    • Instruction ID: 9b6c6cf8097141601a65208185bd1b6e14d97825ccbe4ee2ffcd2f35c47acf54
                                    • Opcode Fuzzy Hash: 3860162b51f66503d05e5e8f6520a1f12379dac0cd23aba1036e37f3f1ade9e6
                                    • Instruction Fuzzy Hash: 73216D3CB05B128FEB58FBF99D5973E3BA0AF84345B050529D80BD6152DB60C449CE91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 405314d4ec6d52d82a6b1fb44bf8f7f15d5c94c0ce16555b61080601ff28c97b
                                    • Instruction ID: 30166e31be719d96c27fa30798ed758d3d10c7d0aa3bb00070514a01dd415423
                                    • Opcode Fuzzy Hash: 405314d4ec6d52d82a6b1fb44bf8f7f15d5c94c0ce16555b61080601ff28c97b
                                    • Instruction Fuzzy Hash: 48118EB1B00259AFDF48E7FE491426EA9DAEFC9640F10453DD00AE7381DE348D0247E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 66201e1b17fcab6afb4e32be252f9a0b5ab33fee1ae5728f4ef7c460b9e8f1f1
                                    • Instruction ID: b3d2162003773f25d70739bbbb98ec3e34ed028feebf30b8db98c446666cfda9
                                    • Opcode Fuzzy Hash: 66201e1b17fcab6afb4e32be252f9a0b5ab33fee1ae5728f4ef7c460b9e8f1f1
                                    • Instruction Fuzzy Hash: 49216F7CB00B268FEB68FBF9995973E3AA46F84346B010529990BC6151EF70D445CEA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2cde944361d35585ca97441df32d537515b0fe2d56ce5adf6947055792c34de9
                                    • Instruction ID: 55a76ae6ce6adfa929b966cf2a373614a53ab6313c69da081aa624eabe7b7583
                                    • Opcode Fuzzy Hash: 2cde944361d35585ca97441df32d537515b0fe2d56ce5adf6947055792c34de9
                                    • Instruction Fuzzy Hash: 5A11C278B40645CFCB54EBB8DC84AADB7E1EF882507194578C40AEB710EB758907CB80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 8271a5727c9fcda0938c450737f1f7173ac81f859424f575eaae2d2da13667b0
                                    • Instruction ID: a8ba7121122bee12cd9dc0981a402fb7148de3d4cc1b52db7f7947687615bcc2
                                    • Opcode Fuzzy Hash: 8271a5727c9fcda0938c450737f1f7173ac81f859424f575eaae2d2da13667b0
                                    • Instruction Fuzzy Hash: 0111C078B00205CFCB54EBBCD84896ABBF6AF8820171504B8C40AEB314EF71DC02CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ec9752cef5540b09408d6cc284b52c5dc0e5aab6eb44d01017b72a293ce11a59
                                    • Instruction ID: b9409e874619871e607de2e6a24e8186f198492d607a24466de28e3d7bc5bb3e
                                    • Opcode Fuzzy Hash: ec9752cef5540b09408d6cc284b52c5dc0e5aab6eb44d01017b72a293ce11a59
                                    • Instruction Fuzzy Hash: 1701A92070E6900FC71693B9986542E7FF69FCB55031A44FBE149DB7A3CD158C06C7A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 416f5a43dcf63482f986c85bec4db7cd5611773d3f9d52453ece57930d1b1ede
                                    • Instruction ID: faebe6f844605081de7f8fc9269363e9d046021674e80aaa74cadf29bce45db9
                                    • Opcode Fuzzy Hash: 416f5a43dcf63482f986c85bec4db7cd5611773d3f9d52453ece57930d1b1ede
                                    • Instruction Fuzzy Hash: C6E026307441548FCB099BFDA4488ED3BB59F8A35075180BDE082DF7A2CE298C0A4FD1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 76a02cc239691bcb269e515be33023ca500d64c97f21fa5c6cac92608fc6ebb9
                                    • Instruction ID: d6f61830def5cce3d7e7c82e4c57f52b6d983817c6a3196cb2c601f95a735281
                                    • Opcode Fuzzy Hash: 76a02cc239691bcb269e515be33023ca500d64c97f21fa5c6cac92608fc6ebb9
                                    • Instruction Fuzzy Hash: A2E012357001145F875896BEA88485FB7DEEFCD5A5315407AF509C7321DD71DC018790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2f53471600e5dc61cce3f16d41148bebade05efb529722b33b27380dce6812ec
                                    • Instruction ID: 58a8e531bfb26e58388d2e7017947aaa81708eb8f2af442f8a9393ec678773e0
                                    • Opcode Fuzzy Hash: 2f53471600e5dc61cce3f16d41148bebade05efb529722b33b27380dce6812ec
                                    • Instruction Fuzzy Hash: 50E01231708B948BDB35E37DD0153DE7BE26F91318F04096ED58A57682CBABB90583A2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_2880000_OvA6x5v34G.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 3b05ea7a59ab6131d872ddcec26dcd5cce5f425e32714e8120e05ca6638b27e5
                                    • Instruction ID: c17adfdb6edbff8f29092f6a34296b76b2084affa966910f564535171d82b82c
                                    • Opcode Fuzzy Hash: 3b05ea7a59ab6131d872ddcec26dcd5cce5f425e32714e8120e05ca6638b27e5
                                    • Instruction Fuzzy Hash: CFD0A7317000145BCE08A6FAE00946D37DD9F8A7107910065E146DB351CE2AEC000BD5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ce6623cf48c5f718c953b5c1da4e77442ec63adcb33a20fcec28ac2141a13093
                                    • Instruction ID: d85fb46b6b79d2734b79b19891fd58a7fba4b73883f492b8f8504311c56e6ffb
                                    • Opcode Fuzzy Hash: ce6623cf48c5f718c953b5c1da4e77442ec63adcb33a20fcec28ac2141a13093
                                    • Instruction Fuzzy Hash: 09519071B101148FCB04DF6CD458A5EBBF2EF89710F2585AAE406EB3A2CE749D05CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 585e4db0dc7f3ee0120bdfbff4bccc8fe85d5f602d6c7b743471e08d7752bd8f
                                    • Instruction ID: 4bd72a2f55e34848bc52fdf7bb51393feb1e4fe7904f5032379365acc8d9aa10
                                    • Opcode Fuzzy Hash: 585e4db0dc7f3ee0120bdfbff4bccc8fe85d5f602d6c7b743471e08d7752bd8f
                                    • Instruction Fuzzy Hash: B741D431B002149FDB15DB68D854B5EBBF6AF89310F1484AAE005EB3A2CE78DC05CBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6033d62a4dc486f7c3412fb778d0cfa0f2ef644693cd3944700199fce700a1a4
                                    • Instruction ID: e9554e60149afb75c0126812a76239fee2e5c36ea9caccdb87981939ca0a002c
                                    • Opcode Fuzzy Hash: 6033d62a4dc486f7c3412fb778d0cfa0f2ef644693cd3944700199fce700a1a4
                                    • Instruction Fuzzy Hash: A241A5B1E00219AFCB14DBBD944066EFBF6EFC5710F248569D449E7342DE349E4287A4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 977e4ebb3c87e38183aa99306686d31dfdb2518a2548f825df29b8dc7baae786
                                    • Instruction ID: d8d6d50ba8b2dc6a35bfa389b2faff224d678459d2bbaf8ca0ec2175a88b31cd
                                    • Opcode Fuzzy Hash: 977e4ebb3c87e38183aa99306686d31dfdb2518a2548f825df29b8dc7baae786
                                    • Instruction Fuzzy Hash: 1E51C739601E05CFD746FF3CE45484977A2FB8634535589A9D4028B36CEBB5AA06CF90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9aa4db90fa09167118c81bc1764b48c1771609588e2a7ab12bfe46b0b5dc50f5
                                    • Instruction ID: 7d1fcb8662f7183911ce87c5d1ad0cd865207892bba845eb52de5368b2965d97
                                    • Opcode Fuzzy Hash: 9aa4db90fa09167118c81bc1764b48c1771609588e2a7ab12bfe46b0b5dc50f5
                                    • Instruction Fuzzy Hash: 5D31C431A00215CFDB15DF68D458B9EBBF2BF89300F1489A9E401AB3A2CB789C05CF91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: cc4ba5057cb93f8bd9fcae7dc70da6a54fd482114a6f4fedc941abf69023ac06
                                    • Instruction ID: 242f082d5a9e2658195e4973edeaf15c7852b74dd59e4868a74f8f3bc5a4fe0b
                                    • Opcode Fuzzy Hash: cc4ba5057cb93f8bd9fcae7dc70da6a54fd482114a6f4fedc941abf69023ac06
                                    • Instruction Fuzzy Hash: 8331C371F002168FCB58EB78985566FBBF2EF89610B1404BDE546DB362EE709C0187D1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 84c74099b2bd3cd00afa04898d77a9d637752649498a20c00f4965090cef29b4
                                    • Instruction ID: bed4b088709daf85ae7196f9eb0acab5e1e81a7d25fd157c8078d37ade953f8e
                                    • Opcode Fuzzy Hash: 84c74099b2bd3cd00afa04898d77a9d637752649498a20c00f4965090cef29b4
                                    • Instruction Fuzzy Hash: 28219232A01B22CFEB58AB75F95973A3FA4AF94341B040429E803C2256DF74C850EFA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1376c967e60fa60ee9f65a0f259a9e682c58cc2f255769cc2087caa8acad7a98
                                    • Instruction ID: 2d4114ed716d4eab6ff6319e41bccf83d7191dd97d0924f7be2f41a2737e7816
                                    • Opcode Fuzzy Hash: 1376c967e60fa60ee9f65a0f259a9e682c58cc2f255769cc2087caa8acad7a98
                                    • Instruction Fuzzy Hash: 9C216232A00B228FDB6CABB5F95573E3EA4AF84342B1404299806C2656EF759810AE61
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b9e6e54b78adbdb3773a7ecc10af597b78477fee07ad22d345639aae274fd0a8
                                    • Instruction ID: 6d3cc59ec1ca92340e05c5f2b155340f4c88fad80863410eec211e78347179b2
                                    • Opcode Fuzzy Hash: b9e6e54b78adbdb3773a7ecc10af597b78477fee07ad22d345639aae274fd0a8
                                    • Instruction Fuzzy Hash: 4E110E70F00214CFCB54EBB9E8459AAB7E5EF8831070504B8C40ADB310EA358D06CBD0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9de5ed3e2ad144714dc77f70ce1efe35562124e9b3d98c75b5a5de48eb7da496
                                    • Instruction ID: 7ea35098c7784f7be44309fefe2c6a4d6c1b65eadab50839c93cf993e4faee42
                                    • Opcode Fuzzy Hash: 9de5ed3e2ad144714dc77f70ce1efe35562124e9b3d98c75b5a5de48eb7da496
                                    • Instruction Fuzzy Hash: 8911CC74B00215DFCB58EBBDD844A6ABBF6BF8831171544B8C40ADB314EA71DC46CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_7_2_f20000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 9d4c1cbfdb6406403e70685c2e3859dd967abd73241801e62fa90c4cc41ac50d
                                    • Instruction ID: 468aaaed514c52bec79c7f84d03fc428ec77852f10201c2917a3eeb6a681e03c
                                    • Opcode Fuzzy Hash: 9d4c1cbfdb6406403e70685c2e3859dd967abd73241801e62fa90c4cc41ac50d
                                    • Instruction Fuzzy Hash: 7B01D1307092505FC30A9779A82842E7FE69FCA29035544E6E009CB3A2CD289C09C7B2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

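Each record above carries one Instruction Fuzzy Hash per function, and the hashes recorded for the parent (process 0, dump base 0x2880000, not PE-backed) visibly overlap with those recorded for the dropped scvhost (process 7, dump base 0xF20000): the 601E05CF... / D746FF... segments recur in both dumps, which is what you would expect when the dropped file carries the same unpacked payload. The Python below is an added example, not part of the Joe Sandbox report or its tooling: it parses four records copied from this listing, splits the .sdmp name into fields, and flags functions from different processes whose fuzzy hashes agree. Two things are assumptions of the example rather than facts stated on the page: the meaning of the .sdmp name fields (process index, stage, dump id, base address, page protection, which match the Offset and snapshot-file names printed beside them), and the per-position hex comparison, which stands in for Joe Sandbox's own, undocumented similarity metric.

```python
import re
from itertools import combinations

# Four "Non-executed Functions" records copied from the report above: three from
# the parent (process 0, OvA6x5v34G.exe, dump base 0x2880000) and one from the
# dropped scvhost (process 7, dump base 0xF20000).  Only the fields the parser
# needs are kept; the values themselves are verbatim from the listing.
SAMPLE_RECORDS = """
• Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
• Instruction ID: 01e3c010b777b6ec52da46e4e9299bbe433a3d43c8afd7df84685ae1a705de0a
• Instruction Fuzzy Hash: 2951FA38601E05CFD746FFBCE4458597B73FB8630935189A9D4018B268EBB5AA47CF80
• Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
• Instruction ID: 5728a0541d93f088eb50ed7eaa8b2bd130a6425128e5aa537f96322242fa2906
• Instruction Fuzzy Hash: E951CC38601E05CFD746FFBCE4448597B73FB8630935589A9D5018B268EBB5AA47CF80
• Source File: 00000000.00000002.320250912.0000000002880000.00000040.00000800.00020000.00000000.sdmp, Offset: 02880000, based on PE: false
• Instruction ID: 092b5392f5af22e1dee24aad702ed4977abaea4f3d9933479a0844ae83ce353e
• Instruction Fuzzy Hash: A7412C34B101148FDB04DF69D598A6EBBF6AF88B10F258199E506EB3B1CB71EC058B90
• Source File: 00000007.00000002.346796868.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
• Instruction ID: d8d6d50ba8b2dc6a35bfa389b2faff224d678459d2bbaf8ca0ec2175a88b31cd
• Instruction Fuzzy Hash: 1E51C739601E05CFD746FF3CE45484977A2FB8634535589A9D4028B36CEBB5AA06CF90
"""

# "• Key: value" bullet lines as printed in the report.
FIELD_RE = re.compile(r"^\s*•\s*([^:]+):\s*(.*)$")
# Assumed .sdmp layout: process.stage.dumpid.base(16 hex).protect(8 hex)...
SDMP_RE = re.compile(r"(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})")


def parse_records(text):
    """Group the bullet lines into one dict per 'Source File' record."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key == "Source File":
            cur = {"source": val}
            records.append(cur)
        elif cur is not None:
            cur[key] = val
    # Keep only records that actually carry a hash to compare.
    return [r for r in records if "Instruction Fuzzy Hash" in r]


def dump_info(source_field):
    """Split the .sdmp name. Field meaning is an assumption of this example;
    0x40 in the protection slot is PAGE_EXECUTE_READWRITE on Windows."""
    m = SDMP_RE.search(source_field)
    if not m:
        raise ValueError("unrecognised dump name: " + source_field)
    return {
        "process": int(m.group(1)),
        "stage": int(m.group(2)),
        "base": int(m.group(4), 16),
        "protect": int(m.group(5), 16),
    }


def fuzzy_similarity(h1, h2):
    """Fraction of hex nibbles equal at the same position.  A crude stand-in
    for Joe Sandbox's comparison, not its metric; unequal lengths score 0."""
    if len(h1) != len(h2) or not h1:
        return 0.0
    same = sum(1 for a, b in zip(h1.upper(), h2.upper()) if a == b)
    return same / len(h1)


def cross_process_matches(records, threshold=0.6):
    """Pairs of functions from different processes whose fuzzy hashes agree at
    or above the threshold, i.e. the same code present in parent and child.
    With this position-wise metric the parent/scvhost pairs above land near
    0.7, so 0.6 is used as the default cut-off."""
    hits = []
    for r1, r2 in combinations(records, 2):
        p1 = dump_info(r1["source"])["process"]
        p2 = dump_info(r2["source"])["process"]
        if p1 == p2:
            continue
        s = fuzzy_similarity(r1["Instruction Fuzzy Hash"], r2["Instruction Fuzzy Hash"])
        if s >= threshold:
            hits.append((r1["Instruction ID"][:12], p1,
                         r2["Instruction ID"][:12], p2, round(s, 3)))
    return hits


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    for r in recs:
        info = dump_info(r["source"])
        print("process %d base 0x%X protect 0x%X  %s..." %
              (info["process"], info["base"], info["protect"], r["Instruction ID"][:12]))
    for hit in cross_process_matches(recs):
        print("cross-process match:", hit)
```

The interesting output is the pair list: both non-trivial parent functions match the scvhost function at roughly 0.7, while the unrelated parent function (A7412C34...) scores around 0.2 against everything. Treat the cut-off as a starting point for triage, not a verdict; confirm a match by diffing the two disassemblies from the snapshot files named in each record.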
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: ,$3"
                                    • API String ID: 0-173313251
                                    • Opcode ID: a97863ae5689b817d1fc24de56587f2dec408bbc21de5eb6e01d9c38331e88f0
                                    • Instruction ID: 8cd27ebe92148b90aeef6c446d901c9e698c58cb4512acb4d8ad1674491a8058
                                    • Opcode Fuzzy Hash: a97863ae5689b817d1fc24de56587f2dec408bbc21de5eb6e01d9c38331e88f0
                                    • Instruction Fuzzy Hash: 9C02CE70700200CFDB15EB68D894B6EBBA2BF84708F248568E4159F3A6DF78EC45CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID: 3"
                                    • API String ID: 0-3308957768
                                    • Opcode ID: cc418c368b98c359c7a0e5fc1cb1b75db400870adfd6e30e65cf728e2a49e1af
                                    • Instruction ID: c38c4948dac9dc43953c8ad143f14f823d1c39eb3b7d76fa1bec861e604447a2
                                    • Opcode Fuzzy Hash: cc418c368b98c359c7a0e5fc1cb1b75db400870adfd6e30e65cf728e2a49e1af
                                    • Instruction Fuzzy Hash: DC61AC74700210CFD719EB68E894B5EB7A2BFC5308F20852CE5159F3A5DB79EC458B94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5508b940f1f89f7e567705f47a7b98214979568a1c06d2e0601c064ebf73f06f
                                    • Instruction ID: d82ac0dbafbef36d1949739b8f398c04e59ec0064ad18b32590a17f041e2b562
                                    • Opcode Fuzzy Hash: 5508b940f1f89f7e567705f47a7b98214979568a1c06d2e0601c064ebf73f06f
                                    • Instruction Fuzzy Hash: A601C0B0A061518FCB09FF68D4A17AE7BF8AF45704B0C00ADD8598B252E7205902DBC5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1e9625ec59d9cb416b0d785ef53ad17bab5058d04e308b51009fa9f91ddd5bec
                                    • Instruction ID: 5b9d6d2d0f183d0e0fe21cd2df952355a18163afb0baa06ec74c9bb278b5a352
                                    • Opcode Fuzzy Hash: 1e9625ec59d9cb416b0d785ef53ad17bab5058d04e308b51009fa9f91ddd5bec
                                    • Instruction Fuzzy Hash: 91B1F774B10105CFCB08EB68D494AAD77F6BF88714F2544A8E806AB3A5DF75EC42CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e7703ee823a749cb7f77ad15f38acb7ab456b0f0db7ed8f3394c29bc5e5ce9bf
                                    • Instruction ID: 6c73718f7bb4d79f692408edd977f38c952a322ca228c8dc0b56ac23d37aef91
                                    • Opcode Fuzzy Hash: e7703ee823a749cb7f77ad15f38acb7ab456b0f0db7ed8f3394c29bc5e5ce9bf
                                    • Instruction Fuzzy Hash: A24195347101148FCB45DB6DD468A6E7BF2AF89700F2580A9E406EF3B2CE75DC058B95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 38531bb7edbc602997cf6a4bcdbab7154036ffe0a5560410ecd52cb8179670d4
                                    • Instruction ID: 88f82f4cce3cc5918279acf3a139fb3114d177e582894c98d9b4ec70d0de28cf
                                    • Opcode Fuzzy Hash: 38531bb7edbc602997cf6a4bcdbab7154036ffe0a5560410ecd52cb8179670d4
                                    • Instruction Fuzzy Hash: 3C51C738619205CFC746FF38E4C49597763FB85789350C969D40A8F2A8EB35A946EFC0
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ed49038bc30c2092ee69951a1a76b3d05f6fb2b1dba5be6bd6c2f9a860f5e406
                                    • Instruction ID: 868782ec1b00fa27cc8d3123d746157e64da4610ee2afcd954cca66ff634d6bd
                                    • Opcode Fuzzy Hash: ed49038bc30c2092ee69951a1a76b3d05f6fb2b1dba5be6bd6c2f9a860f5e406
                                    • Instruction Fuzzy Hash: 854182307002058FDB19DF69D454BADBBF2EF89304F2484A9E005EB3A1CA75DD09CB95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5db24ebe0c0fdb814ffb79b1d0236723778468bafcaaf3e6ca21732aaf54517b
                                    • Instruction ID: a0b293d3ed3938a7b16bd30834cacefef46837f980e2b446fc63f0f25bcfb761
                                    • Opcode Fuzzy Hash: 5db24ebe0c0fdb814ffb79b1d0236723778468bafcaaf3e6ca21732aaf54517b
                                    • Instruction Fuzzy Hash: 5A218D75F002168FCB58EBB89451A6EBBF2AF88604B24447DE546DB3A1DE309D058BD4
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: aff12b2b8cf886316e3cc2d611a7cbc31b5bbdb1c4dfa5d75763fa7e1720d9c2
                                    • Instruction ID: 7aaf4723cde5f526c31d737cbfb62d203b15dec3ad0978b6c5c1f4db7b5ec09a
                                    • Opcode Fuzzy Hash: aff12b2b8cf886316e3cc2d611a7cbc31b5bbdb1c4dfa5d75763fa7e1720d9c2
                                    • Instruction Fuzzy Hash: 2E317070A002098FDB14DF69C454BAEBBF2BF89304F248569E405AB3A1CB759D49DB91
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569675620.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c2d000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2eb274e4af53a1a15a40ce4ef0426b55fd835f502285da1252a69fd78f13348f
                                    • Instruction ID: a98a3eb9a60ad418d27d3c68e6a25149bbf464bef2da6b774868c5ff369cb365
                                    • Opcode Fuzzy Hash: 2eb274e4af53a1a15a40ce4ef0426b55fd835f502285da1252a69fd78f13348f
                                    • Instruction Fuzzy Hash: C72128B1504240DFDB01DF54E9C0B26BF65FBA4328F34C579E9060B616C37AE945DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569675620.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c2d000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 2664413cf3300f842e18f9480a604a0656711342c6251590857b17bd0158956e
                                    • Instruction ID: f9ec5862b83c75525b3b6d87cf4717026cd3600c7db206e22c53e98f8d4ab915
                                    • Opcode Fuzzy Hash: 2664413cf3300f842e18f9480a604a0656711342c6251590857b17bd0158956e
                                    • Instruction Fuzzy Hash: D2213A71504240DFDB05EF14E8C0F16BF65FBA4324F34C569E9060BA46C33AE846DBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: da253665eacc7fe3b4c6ed4ae5e0ba5a3a0615ace0f1fddb849c6b99ef5fc60a
                                    • Instruction ID: 6137d58d78eb8048dbbd55353ac4ae1425863ff236ba2075f83dde3106e8d4bf
                                    • Opcode Fuzzy Hash: da253665eacc7fe3b4c6ed4ae5e0ba5a3a0615ace0f1fddb849c6b99ef5fc60a
                                    • Instruction Fuzzy Hash: 11118EB0B00259AFDB48A7FD581436EA9DAEFC9640F20443DD00AE7741DE388D0247E9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 89313296811943865cb71d8fce4e695e2ffe5295061bcbd8804b6f98bbc432a3
                                    • Instruction ID: 57ba5c41cdc50eda790ad3ff964c6fdd2bea07ee9806317ec6c33e9f22549a0f
                                    • Opcode Fuzzy Hash: 89313296811943865cb71d8fce4e695e2ffe5295061bcbd8804b6f98bbc432a3
                                    • Instruction Fuzzy Hash: CD1190B0B00259AFDF58A7FD581436FA9DAEFC9640F20453ED00AE7781DE388D0647A9
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: c52e4edbc020c895fc06e4a8315a96d322f01aa9f8ad762a065f35b94141a796
                                    • Instruction ID: 8df1e73f7c7027286b61854ffa5a16fe9c85f44a206a3494cac811e69dc28e1c
                                    • Opcode Fuzzy Hash: c52e4edbc020c895fc06e4a8315a96d322f01aa9f8ad762a065f35b94141a796
                                    • Instruction Fuzzy Hash: 6A216F70714602CFDBACBBB5994573E3BA4AF8438AF200429AC16C6190FE30DA149FA5
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 47bb57f361a17d265d81489f284dd4c1d38ececd4bb55f24dc685ac076745377
                                    • Instruction ID: c32752b28aafce7952660da2d3331f34a18f0d908d37c57cfc1eebd2d183ee65
                                    • Opcode Fuzzy Hash: 47bb57f361a17d265d81489f284dd4c1d38ececd4bb55f24dc685ac076745377
                                    • Instruction Fuzzy Hash: CA216F30714602CFDB98BB75994473E3BA46F94389F24042DAC17C6190FA308A18DF95
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569675620.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c2d000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                    • Instruction ID: de2ceb4141d2c3104e8546bad3a75551d6f2cecc3940c91320d3b021230fb4e6
                                    • Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                    • Instruction Fuzzy Hash: 0C1126B6804280CFDF12CF04D5C0B16BF72FB94324F24C2A9D8450B616C37AD956CBA2
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569675620.0000000000C2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C2D000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c2d000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                    • Instruction ID: 5a61fd21e52da7e1db13f14f716f761cd6b42dc111369836c0c69bedfc24addb
                                    • Opcode Fuzzy Hash: 592ece47119f67d140ea7e82aae040392f4fe946fa5bf8865279594dce73126f
                                    • Instruction Fuzzy Hash: 90112676404280CFCB12DF10D9C0B16BF72FB94324F24C6A9DC490BA16C33AE95ACBA1
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ed65e3cee588c7ffc719587cce825e6204da4aebfeebe7803fac919c7e7a88d9
                                    • Instruction ID: 0a6ccb595212908cd34b2a5d694571a5aafa993569f35cd9f11e19837152e844
                                    • Opcode Fuzzy Hash: ed65e3cee588c7ffc719587cce825e6204da4aebfeebe7803fac919c7e7a88d9
                                    • Instruction Fuzzy Hash: F211AD74B00215DFCB54EBB9D84496ABBEAAF887457154478C40ADB354EF31DC42CB94
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 584eef003d6b0ac835f74dd8173fe4438f0180553f31635da0fabde728fe33ac
                                    • Instruction ID: c9c96350232ca5d50f4de93a30fce4023c0b8af0fc1d0b35d1ffb0b2520864cf
                                    • Opcode Fuzzy Hash: 584eef003d6b0ac835f74dd8173fe4438f0180553f31635da0fabde728fe33ac
                                    • Instruction Fuzzy Hash: 7001CC74B04255CFCB54EBB9D88496EBBF6AF887457154478C80ADB350EB318C42CB90
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f7c2bc878a4077fabf44cd66ec1ae052079abaf4855eb3299ff2ec71a7c879b4
                                    • Instruction ID: 5e35f5b967a6502250f18e8959611513e4837ffc39a8df6a764592eae2cf8970
                                    • Opcode Fuzzy Hash: f7c2bc878a4077fabf44cd66ec1ae052079abaf4855eb3299ff2ec71a7c879b4
                                    • Instruction Fuzzy Hash: 05E012357001145F875896BEA88495FB7DEEFCD5A5315407AF509C7321DD71DC018790
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: f07a528e6b4862e361ceadd7a56742ae6de930b2613beda7aa87435acef1fb91
                                    • Instruction ID: acd370392f2394643378ccb0044d609b89e33d2dfe3f6c077b01d41b80aa3b43
                                    • Opcode Fuzzy Hash: f07a528e6b4862e361ceadd7a56742ae6de930b2613beda7aa87435acef1fb91
                                    • Instruction Fuzzy Hash: 9EE08C357041005F875896BEA8849AEBBDAAFC82A132540BAE00AC7322CDB1CC018B80
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: b874843b59362f1f4cdd216c415e02cad51a41a3a5169fc94b28a0bdc110759f
                                    • Instruction ID: f76bdd43d21293a63de807a8347c2ef746d984cbf5e44ca2eab99333fc50e1f6
                                    • Opcode Fuzzy Hash: b874843b59362f1f4cdd216c415e02cad51a41a3a5169fc94b28a0bdc110759f
                                    • Instruction Fuzzy Hash: 23D0C734169A808FC352E764D1B58557BF4FF4B95131980D1D4454F773C5115817E782
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 1c9f226db0a86c8ea28de033459c4371bff7f5bfd4efe0098abb8de7129fb0f0
                                    • Instruction ID: bdba4dedeb21ecaeb33208539ea55b1c80a3094e8f1846654750daacdfc9c7e8
                                    • Opcode Fuzzy Hash: 1c9f226db0a86c8ea28de033459c4371bff7f5bfd4efe0098abb8de7129fb0f0
                                    • Instruction Fuzzy Hash: 0FC08C70429A43CED39C33E0A908B2C2A115FF0309F200050B843485A09E351C284F1A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 6c02d4418a55ee47928ccb126bf60c30903ea500145e76e8f673516061eef39d
                                    • Instruction ID: a975267841b543cc2606e36f620daf8ccdffb3376d4448ade1609de8bf6ce93e
                                    • Opcode Fuzzy Hash: 6c02d4418a55ee47928ccb126bf60c30903ea500145e76e8f673516061eef39d
                                    • Instruction Fuzzy Hash: AFC08CB0429A82CEDB9C33A1A908B2C3B115FF0309F200050B803444A0AE351C288B0A
                                    Uniqueness

                                    Uniqueness Score: -1.00%

                                    Memory Dump Source
                                    • Source File: 00000008.00000002.569820633.0000000000C80000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C80000, based on PE: false
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_8_2_c80000_scvhost.jbxd
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 5899ecb6b1093d1ee961ad45424b61e132ba8f18406e3cdc33f790bce5c8ffef
                                    • Instruction ID: d93f29fb705e4a200e50edd7f65c2f530ffe79c332b813af00d19a6efb4c3038
                                    • Opcode Fuzzy Hash: 5899ecb6b1093d1ee961ad45424b61e132ba8f18406e3cdc33f790bce5c8ffef
                                    • Instruction Fuzzy Hash: 65C04839264208CF8280EB59E488C11B3E8BB59A203418095E5098B762CA21B810DA90
                                    Uniqueness

                                    Uniqueness Score: -1.00%