Windows Analysis Report
oaUNY8P657.exe

Overview

General Information

Sample name: oaUNY8P657.exe (renamed because the original name is a hash value)
Original sample name: 4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42.exe
Analysis ID: 1557202
MD5: 4f0c8a81138b78a1f40ef1d383632130
SHA1: 96b6c6ff5c5b1aa90014e975bb851d23acbed598
SHA256: 4560c263255a3f4682b69a3e989591ee4b4df60a8a7680a3905c0c7b33a83d42
Tags: exe, user-Chainskilabs

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Sample uses string decryption to hide its real strings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
May check the online IP address of the machine
One or more processes crash
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Use Short Name Path in Command Line
Yara signature match

Classification

AV Detection

Source: left-noon.gl.at.ply.gg Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Avira: detection malicious, Label: TR/Spy.Gen
Source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": ["left-noon.gl.at.ply.gg"], "Port": 60705, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "US11B.exe"}
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp ReversingLabs: Detection: 79%
Source: oaUNY8P657.exe ReversingLabs: Detection: 50%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Joe Sandbox ML: detected
Source: oaUNY8P657.exe Joe Sandbox ML: detected
Source: 4.0.sms561F.tmp.1e0000.0.unpack String decryptor: left-noon.gl.at.ply.gg
Source: 4.0.sms561F.tmp.1e0000.0.unpack String decryptor: 60705
Source: 4.0.sms561F.tmp.1e0000.0.unpack String decryptor: <123456789>
Source: 4.0.sms561F.tmp.1e0000.0.unpack String decryptor: <Xwormmm>
Source: 4.0.sms561F.tmp.1e0000.0.unpack String decryptor: US11B.exe
Source: oaUNY8P657.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: Microsoft.VisualBasic.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.ni.pdbRSDS source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Management.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: mscorlib.ni.pdbRSDS7^3l source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.pdbSystem.Core.ni.dllMicrosoft.VisualBasic.dllpD6 source: WER7417.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.ni.pdbRSDS& source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.pdbh source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER7417.tmp.dmp.8.dr
Source: Binary string: System.Core.ni.pdb source: WER7417.tmp.dmp.8.dr
Source: Binary string: Microsoft.VisualBasic.pdb source: WER7417.tmp.dmp.8.dr
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 4x nop then push rbx 0_2_00007FF78CB221D6
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 4x nop then push rbx 3_2_00007FF78CB221D6

Networking

Source: Malware configuration extractor URLs: left-noon.gl.at.ply.gg
Source: Yara match File source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED
Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Source: Joe Sandbox View IP Address: 208.95.112.1 208.95.112.1
Source: unknown DNS query: name: ip-api.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: ip-api.com
Source: sms561F.tmp, 00000004.00000002.1579490182.000000001B1ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.micu
Source: sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.0000000002400000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.00000000023F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ip-api.com
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: sms561F.tmp, 00000004.00000002.1578890311.00000000023E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Amcache.hve.8.dr String found in binary or memory: http://upx.sf.net
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr String found in binary or memory: https://i.ibb.co/Dwrj41N/Image.png

System Summary

Source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00402203 3_2_00402203
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00401F98 3_2_00401F98
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_004021DB 3_2_004021DB
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00401F6F 3_2_00401F6F
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC481148 4_2_00007FFAAC481148
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC487372 4_2_00007FFAAC487372
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC4861C6 4_2_00007FFAAC4861C6
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC481659 4_2_00007FFAAC481659
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC4810F2 4_2_00007FFAAC4810F2
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC4821C9 4_2_00007FFAAC4821C9
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process created: C:\Windows\System32\WerFault.exe C:\Windows\system32\WerFault.exe -u -p 7508 -s 1664
Source: oaUNY8P657.exe Static PE information: Number of sections : 18 > 10
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameWizClient.exe4 vs oaUNY8P657.exe
Source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs Cryptographic APIs: 'TransformFinalBlock'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs Cryptographic APIs: 'TransformFinalBlock'
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs Base64 encoded string: 'rPuqQq1xOQbCQnrE4cq3Xs26BOFqQQv8fkMLyoFP3mFIfcMAXi9zpr4HpV3emTR4kkIpPbFiKpeip3fFC9mg'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs Base64 encoded string: 'QoM0VtExe81XcnZLEO3SM3sBMNMMGshqFTI06NW2EkIjr5SFk5zrB7vGunPUecofdrwAzpGpvPa3MxoWEIWG', 'J5eCkOtQfZsc0XN4pnjoW5hUYGSrxCBHFKzOJAoW6ZsSXJJXf5JpoiqPX285IGbpnW3jmTdFcEXjVjE8PpXU', 'ZEvC59Na6zoJgAE8FRZpal7eF8ajvJxnl45AXgmT5cVmrRixgpsBTdWgXweiQ4o3Y5QwJGEivlYCc7ljTLZk', 'mFulPueE5RKEZTKk8GQyJItfTzZH3oMRQ7R4F7E4PlxGrtlNNYPVp4cTipHD039pix8itKW8o1BXB1soM4qG'
Source: classification engine Classification label: mal100.troj.evad.winEXE@7/6@1/1
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 0_2_00007FF78CB21450 GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_00007FF78CB21450
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Mutant created: NULL
Source: C:\Windows\System32\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7508
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Mutant created: \Sessions\1\BaseNamedObjects\FgDl5YTJAMA8a3S4
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Users\user\Desktop\oaUNY8P657.exe File created: C:\Users\user~1\AppData\Local\Temp\sms561F.tmp
Source: oaUNY8P657.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\oaUNY8P657.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe"
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process created: C:\Users\user\AppData\Local\Temp\sms561F.tmp "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp"
Source: C:\Users\user\Desktop\oaUNY8P657.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\oaUNY8P657.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: rasman.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: oaUNY8P657.exe Static PE information: Image base 0x140000000 > 0x60000000

Data Obfuscation

Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.Qn58Ydns0vSS4KeRMKOGcNopDzqwDcDkHdX2ES9OsP6Y9BWWSi3SuF8agxOO0WO15mENKIKc3OHJYJmyie8qU1Xcj,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.FoU2PbuQD8JnrF7IKWp6OMwNkNSWrPSdF57ErpqX9vT6znJpXI64FljVixvQ46Pm2h1FZBxLsvTIkRrjTKl6knNMD,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE._6RigNdzcvotYMmJS6U16u2yCAgrqsQh8Z9KFZiMmQMl7yP2OAN0XZZqO0Dmjyj6LBvYvyEQ3Z6j6ONUEUys24zm5V,U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.vypUA3oiLGxAFvRxTlknguPph3w0VcEFujOlqFnfI6P0pGGmKK1GVUepWNMnW0iCeOZiGu84HYeUjUEXwBMVXgxlY,CfOxDqrrlu3NvLEu.lHwfqQSpAbfiN3IY()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{MzDGpvkFkxueUC0I[2],CfOxDqrrlu3NvLEu.hIozlAtr03U5MtF3(Convert.FromBase64String(MzDGpvkFkxueUC0I[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { MzDGpvkFkxueUC0I[2] }}, (string[])null, (Type[])null, (bool[])null, true)
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: kBeA5MeiWf2bbj5tp0YDkgaCeztrGKF6ZnPxIyaJSuJ5VrVKFjh87xrqn5HRQaMHzKcO3JNnNO System.AppDomain.Load(byte[])
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: _3Iirrw5wIfKEI8SD System.AppDomain.Load(byte[])
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs .Net Code: _3Iirrw5wIfKEI8SD
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs .Net Code: zyOcyhiuwKGcUmq8 System.AppDomain.Load(byte[])
Source: oaUNY8P657.exe Static PE information: real checksum: 0x133cf should be: 0x2a5d8
Source: sms561F.tmp.3.dr Static PE information: real checksum: 0x0 should be: 0x22e57
Source: oaUNY8P657.exe Static PE information: section name: .xdata
Source: oaUNY8P657.exe Static PE information: section name: /4
Source: oaUNY8P657.exe Static PE information: section name: /19
Source: oaUNY8P657.exe Static PE information: section name: /31
Source: oaUNY8P657.exe Static PE information: section name: /45
Source: oaUNY8P657.exe Static PE information: section name: /57
Source: oaUNY8P657.exe Static PE information: section name: /70
Source: oaUNY8P657.exe Static PE information: section name: /81
Source: sms561F.tmp.3.dr, ZZY0kMSImmoTRszS.cs High entropy of concatenated method names: '_7IVTtTcQI7aGvndt', 'uEQ71lTA2MCMxbvw', '_4BoSgaszw5Iy4eAH', '_9FOJheTGl08HwdTlDmlKcOlJV3', 'PURMgtnSsZQcEiMCzRaO1rvLi3', 'hD8euee6JJwU7hmtBhXtaruLOq', 'Q7jJjtBxODrzWyzrqfC2zIjNCd', 'AIw6wZS3KrTLB9oOI0xz6vdTiV', 'sX9e7zKrLVCp3iXqgE8Rr1llWa', 'PTJdgYinzBcsGQ52kYDxNkSOJK'
Source: sms561F.tmp.3.dr, U6Miq7mg8dicdNkJ0c9GvnLFQzMpASd2h1bUt3iIgXGEtDqs2sXc9xBz83yqN1MtZb5lKvBBrm0Jync59Tm8cIJXE.cs High entropy of concatenated method names: 'UzBps6fpp8QsyChO4HS08jfb43edsKm3UJ', 'x3tRJiMLynOThwr76IqFrTJ0QLexFcLiCP', 'oAiSvL14AyxYrNUMWf6I4ZLMX9E4Hn5bgB', 'NL7cMLH3i4zSQy47tiRsUHC4th9WMa8xgF'
Source: sms561F.tmp.3.dr, 54qJ9nuCm42kYVfcKKKLcxZh1yBzrUOZUOKYADh0tX2vgbqCdmkuX8h3K.cs High entropy of concatenated method names: 'Equals', 'GetHashCode', 'GetType', 'ToString', 'Create__Instance__', 'Dispose__Instance__', 'uxEAk38JOD8NrzrSDGhdspIXavg4QpfGdt', '_3Jm2QcrD1vk4T3iUyOOjT3suTtS8ijV5bh', 'XLp21V89RgXLntZ9NCqb7ifKyJbOaEELRB', 'aQ72rOcP3bGFEBOmEWzmcKZBM0KKkBXUEi'
Source: sms561F.tmp.3.dr, Jm0j5mjozQ9zCcZx.cs High entropy of concatenated method names: 'IkTuRcUhzkUGr4cp', 'JMm8DaPbu4ouVJlIoL86SG6SbcJrhQIritR8afuu85iEVXYv8L3hs0RwcS67fvRk2e', 'v8ZqP2g0K2hTNMxAlBbhQLIzzikXXYgvlYOobGZsy7Mvw43MTVwzqVtAe71RF6weN8', 'n1AklyhOz13CH86BMJ73VWxzo4GglkuaqPxUOVjbDC8PKyEV5hd9YyV8WaYebfFLtK', 'OXOEPq0ll3xpBwopsqkyGp7TXLGO5pAj2Eo81k4YpaU4PRHkDjiNg1l3iX4GbbqQOs'
Source: sms561F.tmp.3.dr, Ux5xT5SdUDgrmJoYwkXZ4wPj9TszCC1UbemG1uUDQeFag98fKpJjriWIEJYvAT5JeU3ZRcThgCIknGrOw2vbdhXCg.cs High entropy of concatenated method names: 'UzHOFA4VUd3iiJHLlRLT5m1VPBoz16haBPufTWd7ZVA23vbnRkU0CuCm2pTRQRMjXs0LdzRdlPZx6RiHLlimnPFJt', 'kHjfMRg5q7RpD34WVdDJM64d861pkZ3TDGtbPsbacWyUkNzdhJQ8YZaGaKc86pf9e6nUIQz99aK96b3IvoHQMex5s', 'VpsaG5I2MD4kMUGFk6hwdgCXWIy8o106pHamoQvxrTdEWyjrw9avITLVvPMsEYBx1Y0XT7zhuxbp0iG84mEEUixB0', 'wATTPfpRc10N0eufHRyVVoHsmMAtEdl5hnO38Rl2vpoKvTI2w2zk2Nv0Sy89UB6vC9X8GCoADvaC4Zfac0J51TlJr', 'QCAJYvJDTWIydB5yXGJGqG9fjSLLGyPHcjvGa6JLCvXvWvrB28kQodhez2I2x64fDM7uuzXCkxzNMHWTviNZeRjuS', 'D7Rosv8SiKfCVIZikT4ROx5G4Z4p3v61TsrzpydcQvh53rCwbziqa2R3DzcgAHu2qMk9QuzXKHR47JojfOx4T296R', '_9Ca0VrI51E2MUkIeYk6ftvJ1ahqLp0tSiHL5WvnUZRZgLI2ZUPPCOdL9zwK3b3xnLP088s8zjrIRNJ9cRwlBxMI9V', '_38fqEuegyVhrKBrsLiNrmwgJ1SnOFCffafGImGJcMa05gDGSKq7YAuQWyaiQwVJcSfyo36jwrFMPT9jNSuocpmfM2', '_79WmPsrHLl33ufsC4LsYyQFOh6crYOiqkL9rGLtmRSTRKjw91haNC66T6tC9BGQZwJrAzItcPG5dc9D55odIS0MFa', 'EiUzB5Q1VAbOeTFIhvkrGIL799E5Hg3w1r4BKnc68Ac63ZGqPIKu5VifnTP1W4YzxB7Rd8mzIOLnasyHbX08Xw3s0'
Source: sms561F.tmp.3.dr, 2PFYT6fKVKtP258l.cs High entropy of concatenated method names: 'ovJ69SMjolPj9MF5', 'CeqBJ7e9ZFYqv1UNgv5n6J0ocyYyCJ3OjHm73WfSSFkbYndeq1vinse0DCr63tpGycMuFybRGAX9X2OtKCk7', 'QgaurUKqWrvwJVa59QIYAkCQ6XEBD3wh80SZhu879n2VmrxZrFwiiBNclbFso80E1Ybs4UesgjkMMa0EyoLW', 'zqrlK2TEtLXi8eCzQmB77pmOgQ3LNr8ePoC242UBvpczjMrTLwblU4ZN5GNgPkq0LM6KpbPAxzuwaEpIiT6m', 'hh5odrhWvNu8lr2kA9Rvh22XzyJcbuyTnMf1mZTQ2eQ5GtgS54bgLJ2ygEs813CyJZ1BMksRMDZZsk8Qz5Zm'
Source: sms561F.tmp.3.dr, GxjjaV2cUpDuUZiR.cs High entropy of concatenated method names: '_2hFRviCosJqAAAku', 'O38Zj7OdzaOl1obR', 'QsccK2WP0FXimxh8', 'vZaFrjVVCQ5Mdg4UXVPQXA03HFp1pV2jyWwxn73K4LT58HfJWGCCUEEyFmov0NoTtg', 'na2WokX7EpIDJccJeBcJkTkN3TEXwBbkV3M42ps2Gah4qFzJuz4SGBy1iCwp9Gkj99', '_6ZlcJaM9J6FBzHTTUYTPrbXWpqjllkUzL1S6xGkctMSAAZUvSmO', 'fkzXpJ0nZaBkVC739qyLKRXm9KscK8iPtkDbqYIfunO7SZcUvOl', 'FgE6AThVg0ug7JhYWCQd9U1gIIdLRaSzidWtxtRz13OATIsG7If', 'R7XRtOaBRMMgW6BSHoUZkyHBKrALXwBI1Eb89VhzTl0bSbUZuNk', 'iijy5ZRjUEF0jvbzqNSYc0AWRMByS7MQaOgCtcvAz4Ss6RNdI2U'
Source: sms561F.tmp.3.dr, 8AcBw83iTTZR0gzOLr4D7gMPEV1kMtgYpJXHnJwhGkoKVV8Q4esUC8oADm8sux5LS019SK7qTTVTv9FBj4VPUeMGz.cs High entropy of concatenated method names: 'AHs9hYLZtHlvzhPB5egmLag6VVUND0ukDILJXfDpwCivkUAx2hAWqt2aBmfaGAOMAlT5jKWU62027iHiMjQbj60uI', '_3XOd53yGytMw0xVXZW9GjsWQMVxmVKE9LOimwKZ0l5EXvTG0nRb6QSfpA8k6sAIRzICC0q3HeoUGQyA7aCOFSqAqE', '_5wdxGPqPrGs9DzhtY9YatjiuMvXqfx3Qh6RkuEdSoMg57WhF8P8oebAaUS9VcSYTKDD8zURzdJx7J54s4tfLq1gRu', '_3OIeSsBy77psmlQA3gABEcuJYMOXz9b4pT3zPBfheophnYH7fEzFuFR8QoqNSDSGqryZ6cG4HLvxp5uDKvaMgTpRz', '_3EAy6OYn78QehlUvg9O3dcryr5VEt4ul9J04iTzxpbCRGjIoI9PeFWyk8torqPQSmXkMe1sv5kfT1AjzFuJ905IAg', 'xuOBzT4OUN2rOxBPWq4jdVyAJacIYPseni6iRj5uG8wk5WsRd2IyswUcIDqEyrwlReISqXCJGdcycOIIYgdzzguhW', '_8ebUR9S6nPyzTmWbvGFm3JcRqIBPylvJpaYR5aqTWuBbMlmSN0FPvltQWqpqIvHeBzLnQXOuoW', 'nZNrra2V1RvvxlNX3p7DZtJKMtpwIq0637OOcCDf4ZIUowrzwpc0EdoAU2pORdigjNyoBCuBAq', 'jLwd3zwzkLEU8BYtF0KLaBUelayoKyiZTe2IiNfdk2UhBZ3HFQTBIiESxb8DeR7DWQ7YtXYHvx', 'GioTMhUYsqPzfRxFwGqjaiaI9meiZh0Q3j3XF2aGTkOD3Gin3c6uh5Ge7cM4bWRyzk86tBquzp'
Source: sms561F.tmp.3.dr, qscAgj4aPLGJ38vR.cs High entropy of concatenated method names: 's7t483xDEddrktVx', 'S69T85VOd4y3bwhO', 'ug35Tss1pRsniwZg', 'R8SGq2kONKo5XjSH', 'xUglXcaJZqHHlkFWxplNlNPsr7W70E3Kmzs89NCNCWVAlrtWy6q', 'dHII5vmLBYQAhUhgszWSVzsIevuBl2tKWsGzg3GuqHlVEIJ7XaB', '_8b0MFfgkVAcyQp37764nAsZX8GITDTSnhGHB8Bo7QUsy1ULkIek', 'dDUXAmhif1eIqQPgu8aR4MbtxLUKn0pqhmK78q6b9TsmJGeOe6l', 'OOXu3EwIMu2kZ1GIH4uGMnEFIhyPNjNlhHOAZAeWFv3BP1W8jCU', 'hdbl6cTLNfFwmcjEXJKfTjPPKE4mTw5U7AUoZ4azaANBll7JHCo'
Source: sms561F.tmp.3.dr, MznL2R1AhOkghzwOdAYEOHu2ZE8TJXeufGdSA08XoR9P01q0IfoZPud7IvhhHTE0VwleriSnfV.cs High entropy of concatenated method names: 'BZBi7xApW8b9VeZsKqV74Hob6URHF0U7qBJxyUdOeP3RZ7I92LFa93QsclzS9jgoKcNeJYkHPk', 'kBeA5MeiWf2bbj5tp0YDkgaCeztrGKF6ZnPxIyaJSuJ5VrVKFjh87xrqn5HRQaMHzKcO3JNnNO', 'Wy3EMKMXP0xOOeRS75yH0SH12dnWmjTxbvzXhGtbVPvLu2WqJqcVS5S2JWJp3vruxJBYJwF2c4', '_6syQ1FNEp9LoDKGQG8IEYR5bEvFXgEqPXv8SdL1zYsVY24dPF1VCaCDR5Jp52Sh6cLe4MVHv3M', '_68zoW2eAfYPyeTKtwXzr5NoSJOdTZHObvVTLPeW0kdXGDMwlgO1FtAGUbjr35aUfrPnRNcnRYD', 'T1yZa7r0qpIPaLAYvIN7o5uALhB5hR1Pl0S4poLul3vYx5M84rxIft0RCevkClirA8pqvEKBDJ', 'OiaqDKql7eyByXmMBXPHKnhwAn8pLZhMKVEKWgs9Mx5nsQFsraOk7RmntpEpm89ODOLGsFkH2O', 'Brr5OtJlVzK2D88vAszYDISZmNR6ue3XOsHklYy17wiLDGYnQXNJb4hBHCsNuEXx2h4EuPFz4B', 'n1cm6SVhrxdk7TLga9qWAzujWP96MG3bLzciBJk8qILqCijftpgGPUPqKCDsJfUn3d9mzEBye0', '_5KJywWKXXbatDKz2'
Source: sms561F.tmp.3.dr, CfOxDqrrlu3NvLEu.cs High entropy of concatenated method names: 'kFRgAy4ceH6sLvWU', '_55FZ68YNLufkVkYm', 'iMhSIAmSzNQwTrQT', '_2ncpsofLzCWtDE7V', 'WSHgnj4COP5DmpCo', 'UfIW6IRrWjwb8HBr', 'vZDPzR4ro93fiARX', 'DpfZq4FF1WqQb75o', 'AZz6uTt9Jv1sYycA', 'lCM3qwIKhEyacjsV'
Source: sms561F.tmp.3.dr, cc0HsONsZA56M57M.cs High entropy of concatenated method names: 'QuTpVFjs5LhShU7t', 'SlbqSbp4X3V7uCLt', 'qB60QbG21Hk9JdQw', 'XsJgWzdQoQ9wnK74', 'p7olRxmfiVujoiwJ', '_3QQijd5s0gqMxRi9', 'Do2gm9jNiZZCKvMl', '_8A21HtwwODJIgloB', 'RhjgRJF8pzBni2Ck', 'hqBaphWstNJ8LeF2'
Source: C:\Users\user\Desktop\oaUNY8P657.exe File created: C:\Users\user\AppData\Local\Temp\sms561F.tmp
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\System32\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: global traffic HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: oaUNY8P657.exe, 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, sms561F.tmp, 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, sms561F.tmp.3.dr Binary or memory string: SBIEDLL.DLLEBCQPZPPECY2J0TKFUUETJZ0U2QVRLEC4GSEXHANNPFMT7RZB6LKTR1Y9THG1RIIFL8CYZEQLAGMIGK9ZQ0OHCPPV0389XHAQKGWHO66OEQUNXBGHG18JI1FABXSOB4MEHR15D2AOACREJWFYPZOTTFCKVSTJPJ3QEV00EG0RE7BBJFEQYMKXWCRLQHDUBPVYUVULQYFKJXS6NFTXAEZQ8Q5DJ5HY5WXDNIMBMKGGFUO1YF0GMTAYE5CNDKG9FU0EALQICNT404AQ89Q0EEBAGXGETDLDEXRFDDSYNX2O4UCUCWUYPXMPBN4YAJEKIWQ3AQXRCMFBZO7TOP8XF5T8PWZSTA68FE9LHA0OWVQPLF2BJ7RFARMJPMSBGGULCMN8E7QSBRF7T9N1S2EIPKYVFCICREW9O4JXI2ME4HNPSI3JZDQNIIMAL65C4LPDLAAMOA0AQCEZBM2N1UJ11IYNFCOPBGQASSIWEZ4WQC0PAINFO
Source: sms561F.tmp, 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Memory allocated: 21E0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Memory allocated: 1A340000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\oaUNY8P657.exe API coverage: 9.0 %
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: VMware
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.8.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.8.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.8.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.8.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.8.dr Binary or memory string: vmci.sys
Source: Amcache.hve.8.dr Binary or memory string: vmci.syshbin`
Source: sms561F.tmp.3.dr Binary or memory string: vmware
Source: Amcache.hve.8.dr Binary or memory string: \driver\vmci,\driver\pci
Source: sms561F.tmp, 00000004.00000002.1579490182.000000001B1ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllo
Source: Amcache.hve.8.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.8.dr Binary or memory string: VMware20,1
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.8.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.8.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.8.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.8.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.8.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.8.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.8.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.8.dr Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.8.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Code function: 4_2_00007FFAAC487B71 CheckRemoteDebuggerPresent, 4_2_00007FFAAC487B71
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 0_2_00007FF78CB21180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF78CB21180
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 0_2_00007FF78CB283AC SetUnhandledExceptionFilter, 0_2_00007FF78CB283AC
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 0_2_00007FF78CB22E61 SetUnhandledExceptionFilter, 0_2_00007FF78CB22E61
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron, 3_2_00007FF78CB283AC
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron, 3_2_00007FF78CB283AC
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00007FF78CB283AC SetThreadContext,SetUnhandledExceptionFilter,WriteProcessMemory,__p__wenviron, 3_2_00007FF78CB283AC
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00007FF78CB22E61 SetUnhandledExceptionFilter, 3_2_00007FF78CB22E61
Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 3_2_00007FF78CB21180 Sleep,Sleep,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_initterm, 3_2_00007FF78CB21180
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\oaUNY8P657.exe Code function: 0_2_00007FF78CB21522 GetConsoleWindow,GetConsoleWindow,ShowWindow,memset,memset,GetModuleFileNameA,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,SetThreadContext,ResumeThread,ResumeThread,WaitForSingleObject, 0_2_00007FF78CB21522
Source: C:\Users\user\Desktop\oaUNY8P657.exe Memory written: C:\Users\user\Desktop\oaUNY8P657.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\oaUNY8P657.exe Thread register set: target process: 7456 Jump to behavior
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process created: C:\Users\user\Desktop\oaUNY8P657.exe "C:\Users\user\Desktop\oaUNY8P657.exe" Jump to behavior
Source: C:\Users\user\Desktop\oaUNY8P657.exe Process created: C:\Users\user\AppData\Local\Temp\sms561F.tmp "C:\Users\user~1\AppData\Local\Temp\sms561F.tmp" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Queries volume information: C:\Users\user\AppData\Local\Temp\sms561F.tmp VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\sms561F.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.8.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oaUNY8P657.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sms561F.tmp PID: 7508, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 4.0.sms561F.tmp.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1578890311.000000000234C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1580895297.000001F9C5F20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000000.1298513996.00000000001E2000.00000002.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: oaUNY8P657.exe PID: 7456, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sms561F.tmp PID: 7508, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\sms561F.tmp, type: DROPPED