Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

0pF5Vz4xG4.exe

PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows

initial sample

Chrome Cache Entry: 100

PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 101

ASCII text, with very long lines (46318), with CRLF line terminators

downloaded

Chrome Cache Entry: 102

PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 103

JSON data

dropped

Chrome Cache Entry: 104

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1300x300, components 3

dropped

Chrome Cache Entry: 105

ASCII text, with very long lines (65409)

downloaded

Chrome Cache Entry: 106

JSON data

downloaded

Chrome Cache Entry: 107

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 71

ASCII text, with CRLF line terminators

downloaded

Chrome Cache Entry: 72

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 73

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 74

SVG Scalable Vector Graphics image

dropped

Chrome Cache Entry: 75

JSON data

dropped

Chrome Cache Entry: 76

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

dropped

Chrome Cache Entry: 77

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 1300x300, components 3

downloaded

Chrome Cache Entry: 78

JSON data

dropped

Chrome Cache Entry: 79

JSON data

downloaded

Chrome Cache Entry: 80

Web Open Font Format (Version 2), TrueType, length 18768, version 1.0

downloaded

Chrome Cache Entry: 81

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 82

ASCII text, with very long lines (52717), with no line terminators

downloaded

Chrome Cache Entry: 83

exported SGML document, ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 84

ASCII text, with no line terminators

downloaded

Chrome Cache Entry: 85

HTML document, ASCII text, with very long lines (516), with CRLF, LF line terminators

downloaded

Chrome Cache Entry: 86

PNG image data, 533 x 478, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 87

JSON data

dropped

Chrome Cache Entry: 88

MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors

downloaded

Chrome Cache Entry: 89

JSON data

dropped

Chrome Cache Entry: 90

ASCII text, with very long lines (65536), with no line terminators

downloaded

Chrome Cache Entry: 91

MS Windows icon resource - 6 icons, -128x-128, 16 colors, 72x72, 16 colors

dropped

Chrome Cache Entry: 92

PNG image data, 658 x 480, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 93

ASCII text, with very long lines (31813), with no line terminators

dropped

Chrome Cache Entry: 94

JSON data

downloaded

Chrome Cache Entry: 95

PNG image data, 475 x 212, 8-bit/color RGBA, non-interlaced

downloaded

Chrome Cache Entry: 96

JSON data

downloaded

Chrome Cache Entry: 97

JSON data

dropped

Chrome Cache Entry: 98

SVG Scalable Vector Graphics image

downloaded

Chrome Cache Entry: 99

ASCII text, with very long lines (31813), with no line terminators

downloaded

There are 28 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\0pF5Vz4xG4.exe

"C:\Users\user\Desktop\0pF5Vz4xG4.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7156
Target ID:	0
Parent PID:	4004
Name:	0pF5Vz4xG4.exe
Path:	C:\Users\user\Desktop\0pF5Vz4xG4.exe
Commandline:	"C:\Users\user\Desktop\0pF5Vz4xG4.exe"
Size:	6596488
MD5:	769A1873247D5024808CF7BD70555B01
Time:	03:46:57
Date:	26/05/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0xb70000
Modulesize:	6596488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Found malware configuration	AV Detection
Multi AV Scanner detection for submitted file	AV Detection
Yara detected AsyncRAT	Key, Mouse, Clipboard, Microphone and Screen Capturing, Boot Survival, Malware Analysis System Evasion, Lowering of HIPS / PFW / Operating System Security Settings	Scheduled Task/Job Obfuscated Files or Information
Machine Learning detection for sample	AV Detection
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)	Malware Analysis System Evasion	Security Software Discovery
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
PE file does not import any functions	System Summary
Sample file is different than original file name gathered from version info	System Summary
PE file has an executable .text section and no other executable section	System Summary
Parts of this applications are using the .NET runtime (Probably coded in C#)	System Summary
Sample is known by Antivirus	System Summary
Spawns processes	System Summary	Process Injection
Contains modern PE file flags such as dynamic base (ASLR) or NX	Compliance, System Summary
PE file contains a COM descriptor data directory	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

Details

Is windows:	true
Is dropped:	false
PID:	6248
Target ID:	3
Parent PID:	7156
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	03:47:02
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	6008
Target ID:	5
Parent PID:	6248
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1556 --field-trial-handle=2072,i,2833464812255304590,11198771505965286401,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	03:47:03
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

Details

Is windows:	true
Is dropped:	false
PID:	2744
Target ID:	6
Parent PID:	7156
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	03:47:04
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8

Details

Is windows:	true
Is dropped:	false
PID:	7320
Target ID:	7
Parent PID:	2744
Name:	chrome.exe
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2052 --field-trial-handle=1928,i,15172110000776622718,9297871655836015958,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Size:	3242272
MD5:	5BBFA6CBDF4C254EB368D534F9E23C92
Time:	03:47:05
Date:	26/05/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff684c40000
Modulesize:	3325952
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Creates a process in suspended mode (likely to inject code)	HIPS / PFW / Operating System Protection Evasion	Process Injection
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://authoring-docs-microsoft.poolparty.biz/devrel/7696cda6-0510-47f6-8302-71bb5d2e28cf

unknown

https://github.com/dotnet/docs/blob/live/docs/framework/install/application-not-started.md

unknown

https://authoring-docs-microsoft.poolparty.biz/devrel/69c76c32-967e-4c65-b89a-74cc527db725

unknown

https://management.azure.com/providers/Microsoft.Portal/consoles/default?api-version=2017-12-01-prev

unknown

https://js.monitor.azure.com/scripts/c/ms.jsll-3.min.js

13.107.246.45

https://github.com/Thraka

unknown

https://aka.ms/MSBuildChallenge/T1?ocid=build24_csc_learnpromo_T1_cnl

unknown

https://github.com/dotnet/docs/issues

unknown

http://polymer.github.io/PATENTS.txt

unknown

https://aka.ms/certhelp

unknown

https://github.com/dotnet/docs/blob/17c4acca45e573a92878a44a2cce57d699fe9c7c/docs/framework/install/

unknown

https://www.linkedin.com/cws/share?url=$

unknown

https://aka.ms/ContentUserFeedback

unknown

https://github.com/mairaw

unknown

https://schema.org

unknown

http://polymer.github.io/LICENSE.txt

unknown

https://github.com/Youssef1313

unknown

http://polymer.github.io/AUTHORS.txt

unknown

https://aka.ms/banner_mslearn_tier1?wt.mc_id=build24_t1_learnpromotion_events

unknown

https://aka.ms/yourcaliforniaprivacychoices

unknown

https://github.com/dotnet/docs/issues/new?template=z-customer-feedback.yml

unknown

https://github.com/nschonni

unknown

https://management.azure.com/subscriptions?api-version=2016-06-01

unknown

https://github.com/adegeo

unknown

https://github.com/dotnet/docs/blob/main/docs/framework/install/application-not-started.md

unknown

https://aka.ms/pshelpmechoose

unknown

https://aka.ms/feedback/report?space=61

unknown

https://github.com/jonschlinkert/is-plain-object

unknown

https://octokit.github.io/rest.js/#throttling

unknown

https://management.azure.com/providers/Microsoft.Portal/userSettings/cloudconsole?api-version=2017-0

unknown

https://github.com/js-cookie/js-cookie

unknown

https://learn-video.azurefd.net/vod/player

unknown

https://twitter.com/intent/tweet?original_referer=$

unknown

https://github.com/$

unknown

https://github.com/gewarren

unknown

http://schema.org/Organization

unknown

http://polymer.github.io/CONTRIBUTORS.txt

unknown

https://channel9.msdn.com/

unknown

https://www.linkedin.com/profile/add?startTask=CERTIFICATION_NAME&name=$

unknown

https://learn-video.azurefd.net/

unknown

https://github.com/dotnet/try

unknown

There are 31 hidden URLs, click here to show them.

Domains

Name

Malicious

part-0017.t-0009.t-msedge.net

13.107.246.45

part-0032.t-0009.t-msedge.net

13.107.246.60

www.google.com

216.58.206.36

Details

Name:	www.google.com
IP:	216.58.206.36
TargetID:	5
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol

js.monitor.azure.com

unknown

Details

Name:	js.monitor.azure.com
TargetID:	5
Current Path:	C:\Program Files\Google\Chrome\Application\chrome.exe

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking

mdec.nelreports.net

unknown

IPs

Domain

Country

Malicious

13.107.246.45

part-0017.t-0009.t-msedge.net

United States

13.107.246.60

part-0032.t-0009.t-msedge.net

United States

192.168.2.6

unknown

216.58.206.36

www.google.com

United States

239.255.255.250

unknown

Reserved

Memdumps

Base Address

Regiontype

Protect

Malicious

B72000

unkown

page readonly

797B000

stack

page read and write

1A20000

heap

page read and write

1920000

heap

page read and write

1CA5000

heap

page read and write

5530000

heap

page read and write

1960000

heap

page read and write

17F7000

stack

page read and write

1A46000

heap

page read and write

1A2C000

heap

page read and write

7D7F000

stack

page read and write

1840000

heap

page read and write

717E000

stack

page read and write

19E0000

heap

page read and write

6D7E000

stack

page read and write

1BD0000

heap

page read and write

B70000

unkown

page readonly

1A8E000

heap

page read and write

1940000

heap

page read and write

5980000

trusted library allocation

page read and write

3CB0000

heap

page read and write

41AE000

stack

page read and write

5533000

heap

page read and write

1CA0000

heap

page read and write

1ACC000

heap

page read and write

817E000

stack

page read and write

2295000

heap

page read and write

697B000

stack

page read and write

269E000

stack

page read and write

2290000

heap

page read and write

20AE000

stack

page read and write

1AD4000

heap

page read and write

229A000

heap

page read and write

757F000

stack

page read and write

657B000

stack

page read and write

1A26000

heap

page read and write

There are 26 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

https://learn.microsoft.com/en-us/dotnet/framework/install/application-not-started?version=(null)&processName=0pF5Vz4xG4.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
0pF5Vz4xG4.exe

Files

Processes

URLs

Domains

IPs

Memdumps

DOM / HTML

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report0pF5Vz4xG4.exe

Files

Processes

URLs

Domains

IPs

Memdumps

DOM / HTML

IOC Report
0pF5Vz4xG4.exe