Source: ySJ1HwLs9k.exe |
Virustotal: Detection: 53% |
Source: ySJ1HwLs9k.exe |
ReversingLabs: Detection: 80% |
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack |
Avira: Label: LNK/Runner.VPGD |
Source: ySJ1HwLs9k.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: ySJ1HwLs9k.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Yara match |
File source: ySJ1HwLs9k.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, type: UNPACKEDPE |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
DNS query: name: ip-api.com |
Source: global traffic |
HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 208.95.112.1 |
Source: ySJ1HwLs9k.exe |
String found in binary or memory: http://exmple.com/Uploader.php |
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp, ySJ1HwLs9k.exe, 00000000.00000002.246418693.000000000276F000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.com |
Source: ySJ1HwLs9k.exe |
String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://ip-api.comx |
Source: ySJ1HwLs9k.exe, 00000000.00000002.246400285.0000000002758000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: unknown |
DNS traffic detected: queries for: ip-api.com |
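The GET /line/?fields=hosting request above is the sample asking ip-api.com whether its own public address sits in a hosting/datacenter range, the usual home of sandboxes and analyst VMs. The following is an added example, not code from the sample or from the report: it hunts for that probe in an HTTP log and shows the benign answer a detonation environment should return so the probe sees a residential address. The log lines are constructed, and the tab-separated column order is an assumption that mirrors a subset of Zeek's http.log.

```python
"""Hunt for the ip-api.com hosting/datacenter probe in HTTP logs, and
answer it the way a detonation sandbox should.

Added example written for this report; it is not the sample's own code.
The log lines are constructed, and the tab-separated column order is an
assumption that mirrors a subset of Zeek's http.log.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumed column order of the constructed log (subset of Zeek http.log).
FIELDS = ["ts", "id.orig_h", "id.resp_h", "method", "host", "uri", "user_agent"]

# Constructed sample log. The first line reproduces the request in the
# report: GET /line/?fields=hosting to ip-api.com (208.95.112.1).
SAMPLE_LOG = "\n".join([
    "1700000000.1\t10.0.0.5\t208.95.112.1\tGET\tip-api.com\t/line/?fields=hosting\t-",
    "1700000001.2\t10.0.0.7\t93.184.216.34\tGET\texample.com\t/index.html\tMozilla/5.0",
    "1700000002.3\t10.0.0.5\t208.95.112.1\tGET\tip-api.com\t/json/?fields=country\tcurl/8.0",
    "1700000003.4\t10.0.0.9\t208.95.112.1\tGET\tIP-API.COM\t/line/?fields=proxy,hosting\t-",
])


@dataclass(frozen=True)
class Probe:
    ts: str
    src: str
    uri: str
    fields: tuple[str, ...]


def requested_fields(uri: str) -> tuple[str, ...]:
    """Return the ip-api 'fields' list (comma separated) named in a URI."""
    raw = parse_qs(urlsplit(uri).query).get("fields", [])
    return tuple(f.strip().lower() for chunk in raw for f in chunk.split(",") if f.strip())


def is_hosting_probe(host: str, uri: str) -> bool:
    """True when a request asks ip-api.com's plain-text /line/ endpoint
    whether the caller's public IP belongs to a hosting/datacenter range,
    which is where sandboxes and analyst VMs usually live."""
    if host.strip().lower().rstrip(".") != "ip-api.com":
        return False
    if not urlsplit(uri).path.startswith("/line"):
        return False
    return "hosting" in requested_fields(uri)


def find_hosting_probes(log_text: str) -> list[Probe]:
    """Scan a tab-separated log and return every hosting probe found."""
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS, delimiter="\t")
    hits = []
    for row in reader:
        if row["method"] == "GET" and is_hosting_probe(row["host"], row["uri"]):
            hits.append(Probe(row["ts"], row["id.orig_h"], row["uri"],
                              requested_fields(row["uri"])))
    return hits


# Canned answers for a sandbox that impersonates ip-api.com so the probe
# sees a residential, non-hosting address. Values are constructed here.
BENIGN_ANSWERS = {"status": "success", "hosting": "false", "proxy": "false"}


def fake_line_response(uri: str) -> str:
    """Reply like the /line/ endpoint: one value per requested field, one
    per line, so 'fields=hosting' yields a single 'false' line."""
    if not urlsplit(uri).path.startswith("/line"):
        return ""
    return "".join(BENIGN_ANSWERS.get(f, "") + "\n" for f in requested_fields(uri))


if __name__ == "__main__":
    for p in find_hosting_probes(SAMPLE_LOG):
        print(f"{p.ts} {p.src} -> {p.uri} fields={','.join(p.fields)}")
    print(repr(fake_line_response("/line/?fields=hosting")))
```

Point the sandbox's DNS for ip-api.com at a listener that serves fake_line_response(); a sample that gets "false" back has no reason to stall, which is the behaviour to aim for given the infinite sleep recorded later in this report.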
Source: ySJ1HwLs9k.exe, 00000000.00000002.245886288.00000000008B9000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs ySJ1HwLs9k.exe |
Source: ySJ1HwLs9k.exe, 00000000.00000000.237922513.000000000044E000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameXWorm.exe4 vs ySJ1HwLs9k.exe |
Source: ySJ1HwLs9k.exe |
Binary or memory string: OriginalFilenameXWorm.exe4 vs ySJ1HwLs9k.exe |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Code function: 0_2_00007FFC017C5412 |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Code function: 0_2_00007FFC017C4666 |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Code function: 0_2_00007FFC017C0DCB |
Source: ySJ1HwLs9k.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: ySJ1HwLs9k.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
|
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Mutant created: \Sessions\1\BaseNamedObjects\DfPMuDiGLmV7f2GT |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\ySJ1HwLs9k.exe.log |
Source: classification engine |
Classification label: mal80.troj.evad.winEXE@1/1@1/1 |
Source: ySJ1HwLs9k.exe, Stub/Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: ySJ1HwLs9k.exe, Stub/Helper.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs |
Cryptographic APIs: 'TransformFinalBlock' |
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs |
Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock' |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences) |
Source: ySJ1HwLs9k.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: ySJ1HwLs9k.exe, Stub/Helper.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 0.0.ySJ1HwLs9k.exe.440000.0.unpack, Stub/Helper.cs |
.Net Code: Plugin System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
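Stub/Helper.cs decrypts a buffer (CreateDecryptor / TransformFinalBlock) and passes it to System.Reflection.Assembly.Load(byte[]), so whatever reaches that call should be a complete PE with a CLR header (the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR directory noted above). The following is an added example, not code from the sample or the report: a header parser that confirms a dumped buffer is a .NET image and decodes the machine, file characteristics and DllCharacteristics flags in the same names the report uses (EXECUTABLE_IMAGE, 32BIT_MACHINE, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE). The key and cipher mode are not in the report, so the decryption step itself is out of scope; build_minimal_pe() constructs a headers-only image purely so the parser can run offline.

```python
"""Confirm that a buffer recovered from memory is a CLR (.NET) image and
decode the PE flags the report lists, before handing it to a decompiler.

Added example written for this report; not the sample's code. The stub
hands a decrypted byte[] to System.Reflection.Assembly.Load, so whatever
is dumped at that call should be a complete PE with a CLR header. The
build_minimal_pe() helper constructs a headers-only PE purely so the
parser has something to run on offline.
"""
from __future__ import annotations

import struct

MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # the CLR header slot


def _flags(value: int, table: dict[int, str]) -> list[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def inspect_pe(data: bytes) -> dict:
    """Parse DOS/COFF/optional headers; report machine, flag names and
    whether data directory 14 (COM descriptor = CLR header) is populated."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _sym, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                      # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: data directories start at +96
        dd_off = 96
    elif magic == 0x20B:                     # PE32+: 8-byte ImageBase/stack fields push them to +112
        dd_off = 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    num_rva = struct.unpack_from("<I", data, opt + dd_off - 4)[0]
    clr_rva = clr_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR and opt_size >= dd_off + 15 * 8:
        clr_rva, clr_size = struct.unpack_from(
            "<II", data, opt + dd_off + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)
    return {
        "machine": MACHINES.get(machine, f"{machine:#06x}"),
        "characteristics": _flags(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": _flags(dll_chars, DLL_CHARACTERISTICS),
        "clr_header": (clr_rva, clr_size),
        "is_dotnet": clr_rva != 0 and clr_size != 0,
    }


def build_minimal_pe(*, clr: bool, dll_characteristics: int, machine: int = 0x014C) -> bytes:
    """Constructed headers-only PE32 image for testing the parser (no sections)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = bytearray(96 + 16 * 8)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<H", opt, 70, dll_characteristics)
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header RVA/size (constructed)
    file_chars = 0x0002 | (0x0100 if machine == 0x014C else 0x0020)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    img = build_minimal_pe(clr=True, dll_characteristics=0x0040 | 0x0100 | 0x0400 | 0x8000)
    for k, v in inspect_pe(img).items():
        print(f"{k}: {v}")
```

A dump taken at the Assembly.Load call that fails inspect_pe() is either not yet decrypted or is a fragment; a buffer that passes with is_dotnet set can go straight to dnSpy or ILSpy as the plugin the stub was about to run.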
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Process information set: NOOPENFILEERRORBOX (38 occurrences) |
Source: ySJ1HwLs9k.exe |
Binary or memory string: SBIEDLL.DLLMHTTP://IP-API.COM/LINE/?FIELDS=HOSTING |
Source: ySJ1HwLs9k.exe, 00000000.00000002.246279336.00000000026DE000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe TID: 5440 |
Thread sleep time: -30000s >= -30000s |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe TID: 4012 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Thread delayed: delay time: 922337203685477 (2 occurrences) |
Source: ySJ1HwLs9k.exe |
Binary or memory string: vmware |
Source: ySJ1HwLs9k.exe |
Binary or memory string: DetectVirtualMachine |
Source: ySJ1HwLs9k.exe, 00000000.00000002.246553755.000000001B4E8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Code function: 0_2_00007FFC017C649D CheckRemoteDebuggerPresent |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Process token adjusted: Debug |
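The entries above form one evasion sequence: a Win32_ComputerSystem WMI query (manufacturer and model strings name the hypervisor), a SbieDll.dll reference (Sandboxie), CheckRemoteDebuggerPresent together with a DebugPort query, and a sleep of 922337203685477 ms. That last number is 2**63 / 10000, the 100 ns tick interval of an INFINITE wait as it reaches NtDelayExecution, so the thread never resumes. The following is an added example, not code from the sample or the report: it scores those signals over a constructed behaviour trace and flags the infinite sleep, which is the reason a detonation of this sample ends without further activity. The event schema, the point values and the extra module names beyond SbieDll.dll are this example's own assumptions.

```python
"""Score sandbox, VM and debugger evasion signals in a process trace.

Added example written for this report; not the sample's code. The events
are constructed to mirror what the report records (the Win32_ComputerSystem
WMI query, the SbieDll.dll reference, the ip-api.com lookup,
CheckRemoteDebuggerPresent / DebugPort, and the 922337203685477 ms sleep);
the event schema and the point values are this example's own.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# An INFINITE wait (Thread.Sleep(Timeout.Infinite), Sleep(-1)) reaches
# NtDelayExecution as a relative interval of Int64.MinValue 100 ns ticks.
# Its magnitude in milliseconds is 2**63 // 10_000 = 922337203685477, the
# delay value in the report: the stub parks itself for good.
INFINITE_WAIT_MS = 2**63 // 10_000
LONG_SLEEP_MS = 10 * 60 * 1000   # anything past ten minutes outlives most detonations

# Constructed trace. Only the listed event types are interpreted.
SAMPLE_EVENTS = [
    {"type": "wmi_query", "namespace": "root\\cimv2", "query": "Select * from Win32_ComputerSystem"},
    {"type": "string_ref", "value": "SbieDll.dll"},
    {"type": "dns_query", "name": "ip-api.com"},
    {"type": "api_call", "name": "CheckRemoteDebuggerPresent"},
    {"type": "process_query", "info_class": "DebugPort"},
    {"type": "sleep", "ms": 30_000},
    {"type": "sleep", "ms": INFINITE_WAIT_MS},
    {"type": "file_read", "path": "C:\\Windows\\System32\\drivers\\etc\\hosts"},
]

# WMI classes whose Manufacturer/Model/Caption values name a hypervisor.
VM_FINGERPRINT_CLASSES = {
    "win32_computersystem", "win32_bios", "win32_baseboard",
    "win32_videocontroller", "win32_diskdrive",
}
# Modules injected by sandboxes/instrumentation. Only SbieDll.dll (Sandboxie)
# appears in the report; the rest are assumed additions for the example.
SANDBOX_MODULES = {"sbiedll.dll", "dbghelp.dll", "api_log.dll", "dir_watch.dll", "vmcheck.dll"}
IP_INTEL_HOSTS = {"ip-api.com"}   # public-IP hosting/geo lookups used as sandbox tells
DEBUGGER_APIS = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent"}


@dataclass
class Verdict:
    score: int = 0
    reasons: list[str] = field(default_factory=list)
    stalls: bool = False   # trace contains a sleep that never returns


def classify(event: dict) -> tuple[int, str] | None:
    """Return (points, reason) for an evasion-relevant event, else None."""
    kind = event["type"]
    if kind == "wmi_query":
        m = re.search(r"\bfrom\s+(\w+)", event["query"], re.IGNORECASE)
        if m and m.group(1).lower() in VM_FINGERPRINT_CLASSES:
            return 2, f"hypervisor fingerprinting via WMI {m.group(1)}"
    elif kind == "string_ref" and event["value"].lower() in SANDBOX_MODULES:
        return 2, f"sandbox module name referenced: {event['value']}"
    elif kind == "dns_query" and event["name"].lower().rstrip(".") in IP_INTEL_HOSTS:
        return 2, f"public-IP hosting/geo lookup: {event['name']}"
    elif kind == "api_call" and event["name"] in DEBUGGER_APIS:
        return 1, f"debugger check: {event['name']}"
    elif kind == "process_query" and event["info_class"] == "DebugPort":
        # CheckRemoteDebuggerPresent is built on NtQueryInformationProcess(ProcessDebugPort),
        # so this is usually the same check seen one layer lower.
        return 1, "NtQueryInformationProcess(ProcessDebugPort)"
    elif kind == "sleep":
        if event["ms"] >= INFINITE_WAIT_MS:
            return 3, "infinite wait (Timeout.Infinite): execution never resumes"
        if event["ms"] >= LONG_SLEEP_MS:
            return 1, f"long sleep: {event['ms']} ms"
    return None


def score_trace(events: list[dict]) -> Verdict:
    """Sum the points of every recognised event and note whether the trace stalls."""
    v = Verdict()
    for ev in events:
        hit = classify(ev)
        if hit:
            v.score += hit[0]
            v.reasons.append(hit[1])
            if ev["type"] == "sleep" and ev["ms"] >= INFINITE_WAIT_MS:
                v.stalls = True
    return v


if __name__ == "__main__":
    verdict = score_trace(SAMPLE_EVENTS)
    print(f"score={verdict.score} stalls={verdict.stalls}")
    for r in verdict.reasons:
        print(" -", r)
```

When stalls is set, the trace ended because the sample chose to stop, not because it finished: rerun it with the ip-api.com answer faked, a non-hypervisor Manufacturer/Model exposed through WMI and no Sandboxie module loaded, and the later plugin-loading stages become observable.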
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Queries volume information: C:\Users\user\Desktop\ySJ1HwLs9k.exe VolumeInformation |
Source: C:\Users\user\Desktop\ySJ1HwLs9k.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |