Windows Analysis Report
RUNIT2.EXE

Overview

General Information

Sample name:RUNIT2.EXE
Analysis ID:1544695
MD5:78b8d332d18f94d703dfb6678287dd36
SHA1:4929120c6e4d0173d4dbb1c8a314ab9e0ff7fdd5
SHA256:6600911a77bf03e0d42290e1bcf8b7094c21670d6695d4746e16999db2b96cdc

Detection

Score:52
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Sigma detected: Dot net compiler compiles file from suspicious location
Binary contains a suspicious time stamp
Compiles C# or VB.Net code
Creates a process in suspended mode (likely to inject code)
Drops PE files
Found dropped PE file which has not been started or loaded
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sigma detected: Dynamic .NET Compilation Via Csc.EXE

Process Tree

  • System is w10x64_ra
  • pcwrun.exe (PID: 5764 cmdline: C:\Windows\system32\pcwrun.exe "C:\Users\user\Desktop\RUNIT2.EXE" ContextMenu MD5: CA01951C3320758133D16E542FD6AFC0)
    • msdt.exe (PID: 1460 cmdline: C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\user\AppData\Local\Temp\PCWF86D.xml /skip TRUE MD5: 3AE6BFDF0257B303EDD695DA183C8462)
  • csc.exe (PID: 904 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
    • cvtres.exe (PID: 2912 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES857A.tmp" "c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • csc.exe (PID: 3916 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rgr4voti.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
    • cvtres.exe (PID: 1344 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8D3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC5FF1484DFEAC4FAA872A2D156A7AC56A.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • csc.exe (PID: 1868 cmdline: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w3fyocc2.cmdline" MD5: F65B029562077B648A6A5F6A1AA76A66)
    • cvtres.exe (PID: 2044 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99AE.tmp" "c:\Users\user\AppData\Local\Temp\CSC5B8025FC83464292BBE495898E339EBE.TMP" MD5: C877CBB966EA5939AA2A17B6A5160950)
  • cleanup
No configs have been found
No yara matches
Sigma match (rule authors: Florian Roth (Nextron Systems), X__Junior (Nextron Systems)) on a Process started event:
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline"
  CommandLine|base64offset|contains: zw
  Image / NewProcessName / OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ProcessId: 904, ProcessName: csc.exe
  ParentProcessId: 7140, ParentCommandLine: (empty), ParentImage: (empty)
Sigma match (rule author: A. Sungurov, oscd.community) on a Process started event:
  Command line: C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\user\AppData\Local\Temp\PCWF86D.xml /skip TRUE
  CommandLine|base64offset|contains: (empty)
  Image / NewProcessName / OriginalFileName: C:\Windows\System32\msdt.exe
  ProcessId: 1460, ProcessName: msdt.exe
  ParentProcessId: 5764, ParentProcessName: pcwrun.exe, ParentImage: C:\Windows\System32\pcwrun.exe
  ParentCommandLine: C:\Windows\system32\pcwrun.exe "C:\Users\user\Desktop\RUNIT2.EXE" ContextMenu

Data Obfuscation

Sigma match (rule author: Joe Security) on a Process started event:
  Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline"
  CommandLine|base64offset|contains: zw
  Image / NewProcessName / OriginalFileName: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  ProcessId: 904, ProcessName: csc.exe
  ParentProcessId: 7140, ParentCommandLine: (empty), ParentImage: (empty)
No Suricata rule has matched
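The Sigma matches above, and the process tree they were raised from, are what a detection engineer would want to replay against their own telemetry. The example below is added here and is not code from the Joe Sandbox report or from the Sigma rules it cites: it rebuilds the report's process-creation events as constructed Sysmon-style records (command lines and PIDs copied from the tree, plus one constructed benign compile as a negative case) and applies two approximations of the matched rule logic. It also lists parent PIDs that never appear as processes, because the report gives ParentProcessId 7140 for the csc.exe instance while no process 7140 is in the tree, and sdiagnhost.exe, the host msdt.exe uses to run scripted diagnostics, is on the exclusion list in the cookbook comments. That is consistent with the compiles belonging to the compatibility troubleshooter rather than to RUNIT2.EXE, so the parent should be confirmed before the compiles are attributed to the sample.

```python
"""Added example (not code from the Joe Sandbox report or the Sigma project):
replays the process-creation events from the report's process tree and flags
the two chains the report's Sigma matches cover, a .NET compile driven by a
@response file under a user's Temp directory and msdt.exe launched by
pcwrun.exe. Rule logic is an approximation written for this example; field
names follow Sysmon Event ID 1 conventions."""
import re
from typing import Iterable, List, Optional, Set

CSC = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
CVTRES = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"

# Constructed events: command lines and PIDs copied from the report's process
# tree. The report leaves ParentImage empty for csc.exe (PID 904) and names a
# parent PID (7140) that appears nowhere in the tree.
EVENTS = [
    {"ProcessId": 5764, "ParentProcessId": 0, "ParentImage": "",
     "Image": r"C:\Windows\System32\pcwrun.exe",
     "CommandLine": r'C:\Windows\system32\pcwrun.exe "C:\Users\user\Desktop\RUNIT2.EXE" ContextMenu'},
    {"ProcessId": 1460, "ParentProcessId": 5764, "ParentImage": r"C:\Windows\System32\pcwrun.exe",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r"C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml "
                    r"-af C:\Users\user\AppData\Local\Temp\PCWF86D.xml /skip TRUE"},
    {"ProcessId": 904, "ParentProcessId": 7140, "ParentImage": "", "Image": CSC,
     "CommandLine": f'"{CSC}" /noconfig /fullpaths @"C:\\Users\\user\\AppData\\Local\\Temp\\hr5jugav.cmdline"'},
    {"ProcessId": 2912, "ParentProcessId": 904, "ParentImage": CSC, "Image": CVTRES,
     "CommandLine": f'{CVTRES} /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\\Users\\user\\AppData\\Local\\Temp\\RES857A.tmp" '
                    r'"c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP"'},
    # Constructed negative case: the same compiler invoked from a source tree by a build tool.
    {"ProcessId": 4242, "ParentProcessId": 4000, "ParentImage": r"C:\Program Files\dotnet\dotnet.exe",
     "Image": CSC, "CommandLine": f'"{CSC}" /noconfig @"C:\\src\\app\\obj\\Debug\\app.cmdline"'},
]

# User-writable locations a compile should not normally be driven from.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData\\Local\\Temp|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
# The @response file csc.exe/vbc.exe read their arguments from.
RESPONSE_FILE = re.compile(r'@"?([^"\s]+\.cmdline)"?', re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def dotnet_compile_from_temp(ev: dict) -> Optional[str]:
    """csc.exe/vbc.exe reading its @response file from a user-writable temp path."""
    if image_name(ev["Image"]) not in ("csc.exe", "vbc.exe"):
        return None
    m = RESPONSE_FILE.search(ev["CommandLine"])
    if m and USER_WRITABLE.search(m.group(1)):
        return (f"pid {ev['ProcessId']}: {image_name(ev['Image'])} compiled {m.group(1)} "
                f"(parent pid {ev['ParentProcessId']})")
    return None


def msdt_from_pcwrun(ev: dict) -> Optional[str]:
    """msdt.exe launched by pcwrun.exe (Program Compatibility troubleshooter)."""
    if image_name(ev["Image"]) == "msdt.exe" and image_name(ev["ParentImage"]) == "pcwrun.exe":
        return f"pid {ev['ProcessId']}: msdt.exe started by pcwrun.exe: {ev['CommandLine']}"
    return None


def detect(events: Iterable[dict]) -> List[str]:
    hits = []
    for ev in events:
        for rule in (dotnet_compile_from_temp, msdt_from_pcwrun):
            hit = rule(ev)
            if hit:
                hits.append(hit)
    return hits


def unseen_parents(events: Iterable[dict]) -> Set[int]:
    """Parent PIDs that never appear as a process in the event set. For this
    report that includes 7140, so the csc.exe compile cannot be attributed
    from the tree alone."""
    events = list(events)
    seen = {ev["ProcessId"] for ev in events}
    return {ev["ParentProcessId"] for ev in events
            if ev["ParentProcessId"] and ev["ParentProcessId"] not in seen}


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print("ALERT", hit)
    print("parents not in tree:", sorted(unseen_parents(EVENTS)))
```

Run against real telemetry, the response-file path check is the part worth keeping: csc.exe is invoked legitimately by build tools and by PowerShell's Add-Type, and the location of the .cmdline file separates an ad-hoc compile in Temp from a build in a source tree far better than the compiler name alone.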


AV Detection

Antivirus / Scanner detection for submitted sample
  Source: RUNIT2.EXE | Avira: detected

PE file does not import any functions
  Source: DiagPackage.dll.mui.11.dr | Static PE information: No import functions for PE file found
  Source: DiagPackage.dll.11.dr | Static PE information: No import functions for PE file found

Classification label
  Source: classification engine | Classification label: mal52.expl.winEXE@12/18@0/0

Files, registry keys and processes
  Source: C:\Windows\System32\pcwrun.exe | File created: C:\Users\user\AppData\Local\Temp\PCWF86D.tmp
  Source: C:\Windows\System32\pcwrun.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers (Software Restriction Policies)
  Source: C:\Windows\System32\pcwrun.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a05-f192-11d4-a65f-0040963251e5}\InProcServer32
  Source: C:\Windows\System32\msdt.exe | File opened: C:\Windows\System32\MSFTEDIT.DLL
  Source: unknown | Process created: C:\Windows\System32\pcwrun.exe, command line C:\Windows\system32\pcwrun.exe "C:\Users\user\Desktop\RUNIT2.EXE" ContextMenu
  Source: C:\Windows\System32\pcwrun.exe | Process created: C:\Windows\System32\msdt.exe, command line C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\user\AppData\Local\Temp\PCWF86D.xml /skip TRUE
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline"
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES857A.tmp" "c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP"
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rgr4voti.cmdline"
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8D3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC5FF1484DFEAC4FAA872A2D156A7AC56A.TMP"
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w3fyocc2.cmdline"
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99AE.tmp" "c:\Users\user\AppData\Local\Temp\CSC5B8025FC83464292BBE495898E339EBE.TMP"
  (The three csc.exe creations carry no recorded parent in the analysed process set; compare the process tree above.)

Sections loaded
  C:\Windows\System32\pcwrun.exe: kernel.appcore.dll, uxtheme.dll, msxml6.dll
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (each of the three instances): vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, version.dll, kernel.appcore.dll, mscoree.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (each of the three instances): vcruntime140_clr0400.dll, ucrtbase_clr0400.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, kernel.appcore.dll
Binary contains a suspicious time stamp
  Source: DiagPackage.dll.11.dr | Static PE information: 0xA1455ED7 [Mon Sep 27 17:13:59 2055 UTC]
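The report flags DiagPackage.dll twice on static grounds: a PE time stamp of 0xA1455ED7, thirty-one years after the analysis date, and an absent import table. Both facts live in the first few hundred bytes of a PE and can be re-checked without any third-party library, which is what this added example does; it is not Joe Sandbox code. Because the report does not include the file's bytes, the input is a constructed PE stub carrying the reported stamp. Two caveats belong with the verdict: msdt.exe copied these files out of the PCWDiagnostic troubleshooting package into an SDIAG_ folder, and Microsoft's reproducible builds store a hash of the image rather than a build time in TimeDateStamp, which is the usual reason a genuine Windows component shows a nonsensical stamp. A resource-only DLL also legitimately imports nothing. ANALYSIS_DATE is the report's start time converted to UTC.

```python
"""Added example, not from the report: a minimal PE header reader that recovers
the two static facts Joe Sandbox reported for DiagPackage.dll (COFF
TimeDateStamp and an empty import directory) using only the standard library.
The input is a constructed PE stub, not the real DiagPackage.dll."""
import struct
from datetime import datetime, timezone

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Report start 2024-10-29 16:29:47 +01:00, expressed in UTC.
ANALYSIS_DATE = datetime(2024, 10, 29, 15, 29, 47, tzinfo=timezone.utc)


def build_stub_pe(timestamp: int, magic: int = PE32PLUS_MAGIC, import_size: int = 0) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew, PE signature, COFF header
    and an optional header whose data directories are zero except, optionally,
    the import entry. Enough for the checks below; not a loadable image."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew: PE signature at offset 64
    is_plus = magic == PE32PLUS_MAGIC
    opt_size = 240 if is_plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE).
    coff = struct.pack("<HHIIIHH", 0x8664 if is_plus else 0x14C, 1, timestamp, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    dirs_off = 112 if is_plus else 96                          # start of the data directories
    struct.pack_into("<I", opt, dirs_off - 4, 16)              # NumberOfRvaAndSizes
    # Import directory entry (VirtualAddress, Size); size 0 means no import table at all.
    struct.pack_into("<II", opt, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT,
                     0x3000 if import_size else 0, import_size)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def pe_static_facts(data: bytes) -> dict:
    """Read machine, PE32/PE32+ flavour, COFF time stamp and whether an import
    directory is present. Raises on anything that is not a PE."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    machine, _nsec, stamp, _, _, _opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs_off = opt + (112 if magic == PE32PLUS_MAGIC else 96)
    ndirs = struct.unpack_from("<I", data, dirs_off - 4)[0]
    imp_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_IMPORT:
        _imp_rva, imp_size = struct.unpack_from("<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)
    return {
        "machine": machine,
        "is_dll": bool(chars & 0x2000),
        "pe32plus": magic == PE32PLUS_MAGIC,
        "timestamp": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, tz=timezone.utc),
        "has_imports": imp_size != 0,
    }


def timestamp_verdict(stamp: int, observed: datetime) -> str:
    """Flag a zero stamp or one later than the time the file was observed.
    Caveat: Microsoft's reproducible builds put a hash, not a time, in this
    field, so a future stamp alone does not prove timestomping."""
    if stamp == 0:
        return "zero (stripped or reproducible build)"
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if when > observed:
        return f"future: {when:%a %b %d %H:%M:%S %Y UTC}"
    return f"plausible: {when:%Y-%m-%d}"


if __name__ == "__main__":
    facts = pe_static_facts(build_stub_pe(0xA1455ED7))
    print("compiled:", facts["compiled_utc"], "| imports:", facts["has_imports"])
    print(timestamp_verdict(facts["timestamp"], ANALYSIS_DATE))
```

To run it on the real dropped file, read the bytes from the SDIAG_ folder and pass them to pe_static_facts in place of the stub; the function does not depend on anything in build_stub_pe.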
Compiles C# or VB.Net code
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline"
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rgr4voti.cmdline"
  Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe, command line "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w3fyocc2.cmdline"

Drops PE files
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\hr5jugav.dll
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\rgr4voti.dll
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | File created: C:\Users\user\AppData\Local\Temp\w3fyocc2.dll
  Source: C:\Windows\System32\msdt.exe | File created: C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\DiagPackage.dll
  Source: C:\Windows\System32\msdt.exe | File created: C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\en-GB\DiagPackage.dll.mui

Process information set: NOOPENFILEERRORBOX
  Source: C:\Windows\System32\msdt.exe (1 event)
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (15 events across the three instances)

Found dropped PE file which has not been started or loaded
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Users\user\AppData\Local\Temp\hr5jugav.dll
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Users\user\AppData\Local\Temp\rgr4voti.dll
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | C:\Users\user\AppData\Local\Temp\w3fyocc2.dll
  Source: C:\Windows\System32\msdt.exe | C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\DiagPackage.dll
  Source: C:\Windows\System32\msdt.exe | C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\en-GB\DiagPackage.dll.mui

Binary or memory string
  Source: RUNIT2.EXE | Binary or memory string: TXUH99iD0gD32l3LgD4CCwJyEGbB4hCL0GbT6ovCZsHqEMuD4R90BtHq0dji+suAPgILAnIQZsHi

Creates a process in suspended mode (likely to inject code)
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES857A.tmp" "c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP"
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8D3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC5FF1484DFEAC4FAA872A2D156A7AC56A.TMP"
  Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe, command line C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99AE.tmp" "c:\Users\user\AppData\Local\Temp\CSC5B8025FC83464292BBE495898E339EBE.TMP"

Queries the volume information (name, serial number etc) of a device
  Source: C:\Windows\System32\msdt.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0316~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
  Source: C:\Windows\System32\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
MITRE ATT&CK Matrix

Techniques with signature hits (count in parentheses):
  Persistence           DLL Side-Loading (1)
  Privilege Escalation  Process Injection (11), DLL Side-Loading (1)
  Defense Evasion       Process Injection (11), Timestomp (1), DLL Side-Loading (1)
  Discovery             Security Software Discovery (1), System Information Discovery (12)

The remaining cells of the matrix as rendered carry no hit count and are the unmatched template: Reconnaissance (Gather Victim Identity Information, Credentials, Email Addresses); Resource Development (Acquire Infrastructure, Domains, DNS Server); Initial Access (Valid Accounts, Default Accounts, Domain Accounts); Execution (Windows Management Instrumentation, Scheduled Task/Job, At); Persistence (Boot or Logon Initialization Scripts, Logon Script (Windows)); Privilege Escalation (Logon Script (Windows)); Credential Access (OS Credential Dumping, LSASS Memory, Security Account Manager); Discovery (Query Registry); Lateral Movement (Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares); Collection (Data from Local System, Data from Removable Media, Data from Network Shared Drive); Command and Control (Data Obfuscation, Junk Data, Steganography); Exfiltration (Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration); Impact (Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact).
Behavior Graph (ID 1544695, sample RUNIT2.EXE, start date 29/10/2024, architecture WINDOWS, score 52; numbers in parentheses are the node counters shown in the graph)
  Root-node signatures: Antivirus / Scanner detection for submitted sample; Sigma detected: Dot net compiler compiles file from suspicious location
  pcwrun.exe (2) started
    msdt.exe (21) started
      dropped C:\Users\user\AppData\...\DiagPackage.dll.mui (PE32)
      dropped C:\Users\user\AppData\...\DiagPackage.dll (PE32+)
  csc.exe (3) started, three instances; each
    dropped one of C:\Users\user\AppData\Local\...\hr5jugav.dll, rgr4voti.dll, w3fyocc2.dll (PE32)
    started cvtres.exe (1)

Antivirus detection

Initial sample
  Source      Detection  Scanner  Label
  RUNIT2.EXE  100%       Avira    JOKE/KeepCool

Dropped files
  Source                                                                                                  Detection  Scanner
  C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\DiagPackage.dll              0%         ReversingLabs
  C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\en-GB\DiagPackage.dll.mui    0%         ReversingLabs

No Antivirus matches in the remaining scan categories
No contacted domains info
No contacted IP infos
Joe Sandbox version:41.0.0 Charoite
Analysis ID:1544695
Start date and time:2024-10-29 16:29:47 +01:00
Joe Sandbox product:CloudBasic
Overall analysis duration:0h 4m 49s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:defaultwindowsinteractivecookbook.jbs
Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:21
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Sample name:RUNIT2.EXE
Detection:MAL
Classification:mal52.expl.winEXE@12/18@0/0
EGA Information:Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .EXE
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, sdiagnhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
  • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, settings-win.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • VT rate limit hit for: RUNIT2.EXE
No simulations
No context
Joe Sandbox View: dropped files seen in other analyses

Match: C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\en-GB\DiagPackage.dll.mui
  Associated sample name / URL       Detection  Threat name
  Evernote.exe                       malicious  LummaC
  Dervish-Document-Reader.zip        malicious  Unknown
  uesglDghrx                         malicious  Unknown
  amd-demo-pingpong-v1.4.msi         malicious  Unknown
  AMD-Demo-PingPong-v1.5 (2).msi     malicious  Unknown
  https://advanceds-ip-scanner.net   malicious  Unknown
  https://advanceds-ip-scanner.net   malicious  Unknown

Match: C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277\DiagPackage.dll
  Same seven associated samples and verdicts as for DiagPackage.dll.mui above.
Dropped file: MSVC .res (version resource for w3fyocc2.dll, per the InternalName and OriginalFilename strings in the preview)
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.1129424357512567
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryIjak7YnqqpsPN5Dlq5J:+RI+ycuZhNqakSCPNnqX
MD5:6547145303D4BFAA32599CA3B4E61339
SHA1:F8982E8361A93095FDBF49C2E38B8650A3151F90
SHA-256:C507AFD9E7369B9540E9F2496A6C0C0E457F183958078FE34F3C216BC3C96DF9
SHA-512:C3255955D4E8862E3615F012F84ECE2776D37197A40FB48E3BC227A1FBCC147621C488548D7AA2030370E8B490348E9D014F8239DFD202FF6D6137C69426BC27
Malicious:false
Reputation:low
Preview (UTF-16 VS_VERSION_INFO strings, decoded):StringFileInfo block 000004b0; FileDescription blank; FileVersion 0.0.0.0; InternalName w3fyocc2.dll; LegalCopyright blank; OriginalFilename w3fyocc2.dll; ProductVersion 0.0.0.0; Assembly Version 0.0.0.0

Dropped file: MSVC .res (version resource for rgr4voti.dll, per the InternalName and OriginalFilename strings in the preview)
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.074939217247894
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryUk9ak7Ynqq1kSPN5Dlq5J:+RI+ycuZhNf9akSuSPNnqX
MD5:DDF2C9EB0CDC51D7CAD3C0E28E001735
SHA1:71AB0074F093743CA373E01D1B0F51F29CFCFA2A
SHA-256:36B3B6DAE46C199D229FE8B926E997F310289247FF4C0D13C911863DC24B193A
SHA-512:14EF054C03E20A3A1E2EF856C38CCB53E90627AEE147912EDF52F9CF84EEE3F579C26F2E66E721F9470469D0FF5ECE8E39B67D73D95FD3B51CD8F0E87A53B15A
Malicious:false
Reputation:low
Preview (UTF-16 VS_VERSION_INFO strings, decoded):StringFileInfo block 000004b0; FileDescription blank; FileVersion 0.0.0.0; InternalName rgr4voti.dll; LegalCopyright blank; OriginalFilename rgr4voti.dll; ProductVersion 0.0.0.0; Assembly Version 0.0.0.0

Dropped file: MSVC .res (version resource for hr5jugav.dll, per the InternalName and OriginalFilename strings in the preview)
Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
File Type:MSVC .res
Category:dropped
Size (bytes):652
Entropy (8bit):3.1110151325426756
Encrypted:false
SSDEEP:12:DXt4Ii3ntuAHia5YA49aUGiqMZAiN5gryJ0ak7YnqqaZPN5Dlq5J:+RI+ycuZhN4akSUPNnqX
MD5:327C73D1F994E6E76E1C4A658E5E9C28
SHA1:FFB695C9D6B1D1DBF8EF38032D3A1CFADAC33EEB
SHA-256:9ECD853A0CE65EFB292B61B04B0FD53C7CDCC0D64209A8D07BBCA2A991F60EDD
SHA-512:CA34014A9C93E766F0987E056787E0232872E0F2500C461AD45E15FACC3BC7B18B6CD886D6DAA29BEA0DA4FEF83F642D4FC8EC7BA8221BBA792896DBB27D21DA
Malicious:false
Preview (UTF-16 VS_VERSION_INFO strings, decoded):StringFileInfo block 000004b0; FileDescription blank; FileVersion 0.0.0.0; InternalName hr5jugav.dll; LegalCopyright blank; OriginalFilename hr5jugav.dll; ProductVersion 0.0.0.0; Assembly Version 0.0.0.0
Dropped file: Program Compatibility Wizard answers file (consistent with the -af file passed to msdt.exe)
Process:C:\Windows\System32\pcwrun.exe
File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:dropped
Size (bytes):704
Entropy (8bit):3.613388240908538
Encrypted:false
SSDEEP:12:QF/LXYRWe8/DmonuKNptnzrljBmuKNMTVbCzln97jBmuKN7SqGBPmQNAlHTUjBUp:QlL+jonuwzrhBmu9TZIl9vBmugpFkBG
MD5:CB308BF9068006B4A9FF4E848B1FE84C
SHA1:B3A6D0B9F4064EB10D2FFFE710C277AD4062AC33
SHA-256:B80FD36AEC7EB790E5E330877859DB459DEE9889E211CD1B7DE010D7733188BF
SHA-512:05B753CEA219372A1B2C9636C7D015D571584CDA8B1D892055AB6F476D2BACB5AD48B6A2C50410837EF5E6629B262203F93E5363A983E1136A95B683C348BCAD
Malicious:false
Preview (UTF-16 decoded):
<?xml version="1.0" encoding="utf-16"?>
<Answers Version="1.0">
  <Interaction ID="IT_LaunchMethod"><Value>ContextMenu</Value></Interaction>
  <Interaction ID="IT_SelectProgram"><Value>NotListed</Value></Interaction>
  <Interaction ID="IT_BrowseForFile"><Value>C:\Users\cali\Desktop\RUNIT2.EXE</Value></Interaction>
</Answers>
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Tue Oct 29 17:16:59 2024, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1376
                              Entropy (8bit):4.0943724905330035
                              Encrypted:false
                              SSDEEP:24:HxO9uPWVl3HdEhwKR9wNwI+ycuZhN4akSUPNnqSQEgd:H+/9EKKvwm1ul4a30qSZ0
                              MD5:B0328745C3B50213F4B3B6140CAFFA1E
                              SHA1:E85CD6A4354748745B71B09176481B550DFF94CE
                              SHA-256:6F2A1BF2416518965E7C59FAAD035C0ED38B581F1AC49DEAEBF47FD4C0D3EEAD
                              SHA-512:3207FD9F0A51D2BEF240DEDA5C3A17246F3AD81759FFDE318689DED20F2CBA57E458BC7C9458BF4B136BA81A0BC994139F64197A671C7C469086DC231E5BA2A6
                              Malicious:false
                              Preview:L.....!g.............debug$S........|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........I....c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP..................2|s.....n.Je.^.(..........3.......C:\Users\user\AppData\Local\Temp\RES857A.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...h.r.5.j.u.g.a.v...d.l.l.....(.....L.e.
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Tue Oct 29 17:17:01 2024, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1376
                              Entropy (8bit):4.096743114478158
                              Encrypted:false
                              SSDEEP:24:HHO9Dx/R84HdDwKR9wNwI+ycuZhNf9akSuSPNnqSQEgd:SxC49UKvwm1ulf9a3u+qSZ0
                              MD5:3BB040A1B8B7F82DABD6D62C4B3D3A6F
                              SHA1:6AEC8ECB40CB719C66D86D396B33A64CC1B97604
                              SHA-256:90E867BEF49A3697D41EB7AE4504403E992CA05407368060A6D61DD20CD89EAD
                              SHA-512:2B894748882A723A8C607F8DC3CCAF0AF14B750F059ACADAAFBE44AD8113CE71E8157F5CE493BDAA21802E49000C10CDE1A0C99ED0203A248CA6369BB97B3B07
                              Malicious:false
                              Preview:L.....!g.............debug$S........|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........J....c:\Users\user\AppData\Local\Temp\CSC5FF1484DFEAC4FAA872A2D156A7AC56A.TMP.......................Q.......5..........3.......C:\Users\user\AppData\Local\Temp\RES8D3A.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...r.g.r.4.v.o.t.i...d.l.l.....(.....L.e.
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                              File Type:Intel 80386 COFF object file, not stripped, 3 sections, symbol offset=0x4ba, 9 symbols, created Tue Oct 29 17:17:04 2024, 1st section name ".debug$S"
                              Category:dropped
                              Size (bytes):1376
                              Entropy (8bit):4.100135604434026
                              Encrypted:false
                              SSDEEP:24:HbMO9DxGWc/HSQwKR9wNwI+ycuZhNqakSCPNnqSQEgd:7dxD4y/Kvwm1ulqa3OqSZ0
                              MD5:B2C301FADE1436D38BCA443D92E98C92
                              SHA1:CD07DAFDCE7D88825150151BB890A875BF32D8FA
                              SHA-256:606838BE314F79D0E1E387C4BFBA8CD53C49D55584511EB956968A0557E7BE44
                              SHA-512:961AA5C7B9D50261CBF92120D6B56AAC50E51D4F7EC9CAB5BBE66CBB8B9750ABEEF10F6626C090BA46BC45F60CC9688437BC38716AE2941326050A2F546C7B4B
                              Malicious:false
                              Preview:L.....!g.............debug$S........|...................@..B.rsrc$01........X.......`...........@..@.rsrc$02........P...j...............@..@........J....c:\Users\user\AppData\Local\Temp\CSC5B8025FC83464292BBE495898E339EBE.TMP.................eG.S...2Y.....9..........3.......C:\Users\user\AppData\Local\Temp\RES99AE.tmp.-.<....................a..Microsoft (R) CVTRES...=..cwd.C:\Users\user\AppData\Local\Temp\SDIAG_3769ae4e-01bf-480c-897c-dac247b4f277.exe.C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe.................................................0.......................H.......L...........H.........L.4...V.S._.V.E.R.S.I.O.N._.I.N.F.O.............................?...........................D.....V.a.r.F.i.l.e.I.n.f.o.....$.....T.r.a.n.s.l.a.t.i.o.n...............S.t.r.i.n.g.F.i.l.e.I.n.f.o.........0.0.0.0.0.4.b.0...,.....F.i.l.e.D.e.s.c.r.i.p.t.i.o.n..... ...0.....F.i.l.e.V.e.r.s.i.o.n.....0...0...0...0...<.....I.n.t.e.r.n.a.l.N.a.m.e...w.3.f.y.o.c.c.2...d.l.l.....(.....L.e.
                              Process:C:\Windows\System32\msdt.exe
                              File Type:HTML document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):24702
                              Entropy (8bit):4.37978533849437
                              Encrypted:false
                              SSDEEP:96:fO3MDP8m2xaqade1tXv8v/XPSwTkal+7lOaNeHdXQZvczyJuz4UnPz0Kuz+NGTEP:O5NzuCWNaEcU8mjapMVOHW
                              MD5:191959B4C3F91BE170B30BF5D1BC2965
                              SHA1:1891E3CB588516B94FDC53794DA4DF5469A4C6D0
                              SHA-256:8EC3A8F67BAF1E4658FC772F9F35230CA1B0318DDAF7A4C84789A329B6F7F047
                              SHA-512:092CC417FBFE7F6E02A60FF169209D7B60362B585CBF92521BFC71C0B378D978DFB9265A3E48C630CE6ABAB263711D71F3917FFAF51B6FD449CFC394E9D8C3A9
                              Malicious:false
                              Preview:<dcmPS:DiagnosticPackage SchemaVersion="1.0" Louserzed="true" xmlns:dcmPS="http://www.microsoft.com/schemas/dcm/package/2007" xmlns:dcmRS="http://www.microsoft.com/schemas/dcm/resource/2007">.. <DiagnosticIdentification>.. <ID>PCW</ID>.. <Version>3.0</Version>.. </DiagnosticIdentification>.. <DisplayInformation>.. <Parameters/>.. <Name>@diagpackage.dll,-1</Name>.. <Description>@diagpackage.dll,-2</Description>.. </DisplayInformation>.. <PrivacyLink>https://go.microsoft.com/fwlink/?LinkId=534597</PrivacyLink>.. <PowerShellVersion>2.0</PowerShellVersion>.. <SupportedOSVersion clientSupported="true" serverSupported="true">6.1</SupportedOSVersion>.. <Troubleshooter>.. <Script>.. <Parameters/>.. <ProcessArchitecture>Any</ProcessArchitecture>.. <RequiresElevation>false</RequiresElevation>.. <RequiresInteractivity>true</RequiresInteractivity>.. <FileName>TS_ProgramCompatibilityWizard.ps1</FileName>.. <ExtensionPoint/>.. </Script>..
                              Process:C:\Windows\System32\msdt.exe
                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                              Category:dropped
                              Size (bytes):66560
                              Entropy (8bit):6.927843721694817
                              Encrypted:false
                              SSDEEP:1536:bXLADXf3iFGQ+/ReBQBJJgUKZgyxMBGb:bXcDXvKoRqKuxgyx
                              MD5:CE244E177285966BD35254381D942281
                              SHA1:6C94F89B184803A7976925346ECAAE994F86869A
                              SHA-256:A1A6084F83D9C71A2AF179BB9F12D16F2ACCC7432F01346A9BA046ACA1B26E34
                              SHA-512:DC2BD7444CA70B07822731B32F4844EE5E5CDE0FFBFB2854C33EA5EED0254172489DDA6F36C276D9B617DBB7340FF6C6C1E151E4C6ECCA25FC795D11D0C73E21
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: Evernote.exe, Detection: malicious
                              • Filename: Dervish-Document-Reader.zip, Detection: malicious
                              • Filename: uesglDghrx, Detection: malicious
                              • Filename: amd-demo-pingpong-v1.4.msi, Detection: malicious
                              • Filename: AMD-Demo-PingPong-v1.5 (2).msi, Detection: malicious
                              • Filename: , Detection: malicious
                              • Filename: , Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.PE..d....^E..........." ......................................................... .......8....`A......................................................... ..`...............................T............................................................................rdata..............................@..@.rsrc...`.... ......................@..@.....^E.........T...T...T........^E.........$................^E.............................T....rdata..T...|....rdata$zzzdbg.... .......rsrc$01.....#.......rsrc$02.... ...C.RG...m....O......5..D..7].^E.............................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msdt.exe
                              File Type:ISO-8859 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):49962
                              Entropy (8bit):4.918570409593022
                              Encrypted:false
                              SSDEEP:384:/wugEs5GhrQzYjGBHvPbD9FZahXuDzsP6qqF8DdEakDiqeXacgcRjdhGPtl0MHQy:/c5AMHvDDf2VE+quAT0Mw4
                              MD5:E6B5B69A9F0C44BDDA6A5662054CD8BF
                              SHA1:7F13936283B9E9C107F98B36B2580DD54D15E107
                              SHA-256:F7FD69FAA5D66BEDD294BFCBF5962F7A70D60F69D04251F8CF3ACA927D878E3A
                              SHA-512:F0162EF5EA68296171977967DF68EAD762D6EDDD3C9255382E57720BB3C9667C8ECAE2B8F5C603D5F1A72370F876C19BD64CE1D865F9BC6EAF45C206DC5FF4E0
                              Malicious:false
                              Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#This is passed from the troubleshooter via 'Add-DiagRootCause'..PARAM($targetPath, $appName)....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008..#rfink - 01 Sept 2008 - rewrite to support dynamic choices....#set-psdebug -strict -trace 0....#change HKLM\Software\Windows NT\CurrentVersion\AppCompatFlags\CompatTS EnableTracing(DWORD) to 1..#if you want to enable tracing..$SpewTraceToDesktop = $false....Import-LouserzedData -BindingVariable CompatibilityStrings -FileName CL_LouserzationData....#Compatibility modes..$CompatibilityModes = new-Object System.Collections.Hashtable..$CompatibilityModes.Add("Version_WIN8RTM", "WIN8RTM")..$CompatibilityModes.Add("Version_WIN7RTM", "WIN7RTM")..$CompatibilityModes.Add("Version_WINVISTA2", "VISTASP2")..$CompatibilityModes.Add("Version_WINXP3", "WINXPSP3")..$CompatibilityModes.Add("Version_MSIAUTO", "MSIAUTO")..$CompatibilityModes.Add("Version_UNKNOWN", "WINXPSP3")..$Comp
                              Process:C:\Windows\System32\msdt.exe
                              File Type:Unicode text, UTF-8 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):16952
                              Entropy (8bit):4.859642827029613
                              Encrypted:false
                              SSDEEP:384:3Fpt+5vu9IOM7BTDLwU7GHf7FajKFzB9Ww:6vu9I9dQYWB9Ww
                              MD5:925F0B68B4DE450CABE825365A43A05B
                              SHA1:B6C57383A9BD732DB7234D1BB34FD75D06E1FB72
                              SHA-256:5B1BE3F6C280ACFE041735C2E7C9A245E806FD7F1BF6029489698B0376E85025
                              SHA-512:012AADEC4ED60B311F2B5374DB3A2E409A0708272E6217049643BF33353AB49E4E144D60260B04E3AE29DEF8A4E1B8ADA853A93972F703CA11B827FEBE7725AF
                              Malicious:false
                              Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#TS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....$ShortcutListing = New-Object System.Collections.Hashtable..$ExeListing = New-Object System.Collections.ArrayList..$CombinedListing = New-Object System.Collections.ArrayList....Import-LouserzedData -BindingVariable CompatibilityStrings -FileName CL_LouserzationData....# Block PCW on unsupported SKUs..$BlockedSKUs = @(178)..[Int32]$OSSKU = (Get-WmiObject -Class "Win32_OperatingSystem").OperatingSystemSKU..if ($BlockedSKUs.Contains($OSSKU))..{.. return..}....$typeDefinition = @"....using System;..using System.IO;..using System.Runtime.InteropServices;..using System.Text;..using System.Collections;....public class Utility..{.. public static string GetStartMenuPath().. {.. return Environment.GetFolderPath(Environment.SpecialFolder.StartMenu);.. }.... public static string GetAllUsersStartMenuPath().. {.. return Path.Combine(Environ
                              Process:C:\Windows\System32\msdt.exe
                              File Type:ISO-8859 text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):453
                              Entropy (8bit):4.983419443697541
                              Encrypted:false
                              SSDEEP:12:QcM3BFN+dxmVdyKVCkLZI4S2xhzoJNIDER5lI02xzS4svc3uVr:Qb3DQbeCklTxhzoJUoS02tCr
                              MD5:60A20CE28D05E3F9703899DF58F17C07
                              SHA1:98630ABC4B46C3F9BD6AF6F1D0736F2B82551CA9
                              SHA-256:B71BC60C5707337F4D4B42BA2B3D7BCD2BA46399D361E948B9C2E8BC15636DA2
                              SHA-512:2B2331B2DD28FB0BBF95DC8C6CA7E40AA56D4416C269E8F1765F14585A6B5722C689BCEBA9699DFD7D97903EF56A7A535E88EAE01DFCC493CEABB69856FFF9AA
                              Malicious:false
                              Preview:# Copyright . 2008, Microsoft Corporation. All rights reserved.......#if this environment variable is set, we say that we don't detect the problem anymore so it will..#show as fixed in the final screen..PARAM($appName)....$detected = $true..if ($Env:AppFixed -eq $true)..{.. $detected = $false ..}....Update-DiagRootCause -id "RC_IncompatibleApplication" -iid $appName -Detected $detected....#RS_ProgramCompatibilityWizard..#rparsons - 05 May 2008....
                              Process:C:\Windows\System32\msdt.exe
                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):6678
                              Entropy (8bit):3.6761773359489522
                              Encrypted:false
                              SSDEEP:96:i300B3hpieJGhn8n/yT+aqRcPFcisZjx+cWUchpy746D9RUh5EE7UB5dm:i300Rhp6SyiRMj+VEKLvFm
                              MD5:BFEEDA2FDE4E58A9A05A3374285698B8
                              SHA1:493F6A34E242A27149632D84B1987925C19F1CED
                              SHA-256:981FD9676E369F291D3840D106C52E71E28A32A2E3D2DE262CF922639298F57D
                              SHA-512:F3E0B813FB714CE5D80CA845BD96EC839A93893FFE90CBED175CB47EC322041EDE5B21CDF09DDB5D5A2CA7335DB976F3B9E9B815B4CEC1ABF7129975C5ED1451
                              Malicious:false
                              Preview:..#. .L.o.c.a.l.i.z.e.d...1.2./.0.7./.2.0.1.9. .1.1.:.5.3. .A.M. .(.G.M.T.)...3.0.3.:.6...4.0...2.0.5.2.0. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....#. .L.o.c.a.l.i.z.e.d...0.1./.0.4./.2.0.1.3. .1.1.:.3.2. .A.M. .(.G.M.T.)...3.0.3.:.4...8.0...0.4.1.1. ...C.L._.L.o.c.a.l.i.z.a.t.i.o.n.D.a.t.a...p.s.d.1.....C.o.n.v.e.r.t.F.r.o.m.-.S.t.r.i.n.g.D.a.t.a. .@.'.....#.#.#.P.S.L.O.C.....P.r.o.g.r.a.m._.C.h.o.i.c.e._.N.O.T.L.I.S.T.E.D.=.N.o.t. .L.i.s.t.e.d.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.D.E.F.A.U.L.T.=.N.o.n.e.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.8.R.T.M.=.W.i.n.d.o.w.s. .8.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.7.R.T.M.=.W.i.n.d.o.w.s. .7.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.V.I.S.T.A.2.=.W.i.n.d.o.w.s. .V.i.s.t.a. .(.S.e.r.v.i.c.e. .P.a.c.k. .2.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.W.I.N.X.P.S.P.3.=.W.i.n.d.o.w.s. .X.P. .(.S.e.r.v.i.c.e. .P.a.c.k. .3.).....V.e.r.s.i.o.n._.C.h.o.i.c.e._.M.S.I.A.U.T.O.=.S.k.i.p. .V.e.r.s.i.o.n. .C.h.e.c.k.....V.e.r.s.i.o.n._.C.h.o.i.c.e._.U.
                              Process:C:\Windows\System32\msdt.exe
                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):11264
                              Entropy (8bit):3.537253914554955
                              Encrypted:false
                              SSDEEP:96:8rcd+6MYC7R2h2C92BBrHh7R2CYKwtzXHQcN48vISzPktmM5Cuxh+SWguv0WwI:wcYGgRuZGvRUdXz8tmWrdW98Wj
                              MD5:BCC772243EA9B8CD150702BFC53DAA1D
                              SHA1:9C7988C2FB6DA004893E79165FC626B39B0C955B
                              SHA-256:1C68D54404C606A6C7F71EB079E0BF1F63A05E23C67346181935E1B9B0700111
                              SHA-512:FBAA51023913AA3E55EE4240BA45D89DC7B058FE4EE794403BA499B96D1F75D8ADF912FBC0B3A408C214C206B8E82FC1D5F77C1F8D15E501E77B81037CF32193
                              Malicious:false
                              Antivirus:
                              • Antivirus: ReversingLabs, Detection: 0%
                              Joe Sandbox View:
                              • Filename: Evernote.exe, Detection: malicious
                              • Filename: Dervish-Document-Reader.zip, Detection: malicious
                              • Filename: uesglDghrx, Detection: malicious
                              • Filename: amd-demo-pingpong-v1.4.msi, Detection: malicious
                              • Filename: AMD-Demo-PingPong-v1.5 (2).msi, Detection: malicious
                              • Filename: , Detection: malicious
                              • Filename: , Detection: malicious
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L..................!.........*...............................................P......k ....@.......................................... ..<&..............................8............................................................................rdata..............................@..@.rsrc....0... ...(..................@..@.....Q..........T...8...8........Q..........$...................8....rdata..8...x....rdata$zzzdbg.... .......rsrc$01.....#..8"...rsrc$02.... ....0.......2.9..-...;..z..R.j.Q..........................................................................................................................................................................................................................................................................................................................
                              Process:C:\Windows\System32\msdt.exe
                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):48956
                              Entropy (8bit):5.103589775370961
                              Encrypted:false
                              SSDEEP:768:hUeTHmb0+tk+Ci10ycNV6OW9a+KDoVxrVF+bBH0t9mYNJ7u2+d:hUcHXDY10tNV6OW9abDoVxrVF+bBH0tO
                              MD5:310E1DA2344BA6CA96666FB639840EA9
                              SHA1:E8694EDF9EE68782AA1DE05470B884CC1A0E1DED
                              SHA-256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C
                              SHA-512:62AB361FFEA1F0B6FF1CC76C74B8E20C2499D72F3EB0C010D47DBA7E6D723F9948DBA3397EA26241A1A995CFFCE2A68CD0AAA1BB8D917DD8F4C8F3729FA6D244
                              Malicious:false
                              Preview:<?xml version="1.0"?>..<?Copyright (c) Microsoft Corporation. All rights reserved.?>..<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:msxsl="urn:schemas-microsoft-com:xslt" xmlns:ms="urn:microsoft-performance" exclude-result-prefixes="msxsl" version="1.0">...<xsl:output method="html" indent="yes" standalone="yes" encoding="UTF-16"/>...<xsl:template name="louserzation">....<_locDefinition>.....<_locDefault _loc="locNone"/>.....<_locTag _loc="locData">String</_locTag>.....<_locTag _loc="locData">Font</_locTag>.....<_locTag _loc="locData">Mirror</_locTag>....</_locDefinition>...</xsl:template>... ********** Images ********** -->...<xsl:variable name="images">....<Image id="check">res://sdiageng.dll/check.png</Image>....<Image id="error">res://sdiageng.dll/error.png</Image>....<Image id="info">res://sdiageng.dll/info.png</Image>....<Image id="warning">res://sdiageng.dll/warning.png</Image>....<Image id="expand">res://sdiageng.dll/expand.png</Image>....<Image id="
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):5120
                              Entropy (8bit):3.7966355502449747
                              Encrypted:false
                              SSDEEP:48:670PhmKraYZkH8Krib9BtPNCH+EYwkwjj0JzCuCFSlwY4FQ1ul4a30q:ZDaAkHHw9BhNCH+EYwk8+Cu4F2K
                              MD5:638255E0E5AD6EA04AA7BDD1D3A1E926
                              SHA1:38B6697A4B55895062D4AD4AF92304F0B2A197C4
                              SHA-256:87074F405AFFC7A2DBA917D6108DCF56969C163C6A796E0C7FB23DBA2CC44BDF
                              SHA-512:947196BF4590568A0365C24FC12E427DA52E6224FDBC18DDECE97E654908D197294373B3DD6CE8BED17FA5A07D832E9D4B6FC6E882E19BA5348F110604834546
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g...........!................>*... ...@....... ....................................@..................................)..O....@.......................`....................................................... ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................ *......H....... ".............................................................."..(....*J.#(....r...p(....*..(....*2~.....(....*....0.......... ....s..... ....s...............r;..p.........(......s.............5.....".....5.....3+E...../...(.-...2.3+1...:3...+)....3...+....+...+...+...+...,...+...+......r;..p...o................ ...o.........+Y.......r=..p..o......1.r=..p..o..........+(r...p..o...........(........r...p(.........X.......i2..........(.........o........o....-.r...p....
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):3584
                              Entropy (8bit):3.0780585063046453
                              Encrypted:false
                              SSDEEP:24:etGSp9pz1qlkCe745Q7GslPor5jvX5ekjV4gztkZfdy6Iv+7FoOBWI+ycuZhNf9Z:6Jpqb927GslPSDRjyJdbk1ulf9a3u+q
                              MD5:1CB65BDC9F1057E6835E2297D0D18B4B
                              SHA1:C0674D2BBA708595F5C7401170067E012982CF40
                              SHA-256:F9354A07B51C998DFCED93EEE53DD3F80F12C088D15515585A84B65207BB5018
                              SHA-512:2826C7274001780DFDF0E4EB882A714E70FBEE3170CE5AB379A985094A64BB86FC1DF1C8F5C67C37FC477383ED2D803CDDE10ADF63B940DE6A15620CB2619AAC
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g...........!.................%... ...@....... ....................................@..................................$..K....@.......................`....................................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................%......H........ ..4............................................................0..6....... ....s........o....(....,..o....r...pr...po....*~....*F.r...pr...po....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID.......t...#Blob...........W=........%3............................................................................2.+...N.B.....................0.....W.......+.............................Q.9.......... \.....P ......j...... ..
                              Process:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                              File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):9728
                              Entropy (8bit):4.79487600641367
                              Encrypted:false
                              SSDEEP:96:IRKqedmYoNKvUTCSH3gR8H8FgwSHwBVkwZYPaSJ365OLEieMjQZazRnIjcK:HElNK8TCSfHyPVkwZ+vKOnQZ6n8
                              MD5:3C2874860B0D3BF98102B3815FDACD29
                              SHA1:5B600F4B63A8C582842D9A1E93F5AAAF88454001
                              SHA-256:9056DF76DB819D6A7F0EB377F80B325C2ED5EAC9F0D0768BD74A79E3ECBAE06B
                              SHA-512:78D924A9B3E409AF2B10362EA556EAC83C566FA3BA8EE9A69776C2CEB0F0F1C3BEB35EB21B744B35573B3213FE897E06126DAEA5AC943B0A7C61D8AFEAABBCAC
                              Malicious:false
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....!g...........!................^<... ...@....... ....................................@..................................<..K....@.......................`....................................................... ............... ..H............text...d.... ...................... ..`.rsrc........@....... ..............@..@.reloc.......`.......$..............@..B................@<......H........$..4............................................................0..%....... ....s.....r...p.(....,..o....*~....*....0..!....... ....s.......(....,..o....*~....*....0...........(....s......o.........o....*....0..@....... ....s..... ....s........(....s.......o....o....&..o....o....&.*.0...........,.. .+.....o.....+).o......t....~....(....,...t.......(....&.o....-....u........,...o......o......+*..o......t....~....(....,...t.......(....&..o....-.....u........,...o.....*
                              File type:ASCII text, with CRLF line terminators
                              Entropy (8bit):5.392094607292656
                              TrID:
                                File name:RUNIT2.EXE
                                File size:335'535 bytes
                                MD5:78b8d332d18f94d703dfb6678287dd36
                                SHA1:4929120c6e4d0173d4dbb1c8a314ab9e0ff7fdd5
                                SHA256:6600911a77bf03e0d42290e1bcf8b7094c21670d6695d4746e16999db2b96cdc
                                SHA512:3809bf94dfa5b8066c1221545109eda3720c35f1566074a96ecf6ee1409d83efa83032b1ebf6efbe42752de772c37d211478b00b7d9851daf2c3d3ed03d6869f
                                SSDEEP:6144:D6fQrJVt25uv5tXZR+xL8EZ/onsva5HDcwNWr9rwFJudh6kVip:DVs5Yvhn9idMkVip
                                TLSH:056409FB8C4A88A8D2623D64C0487F2E4C0466E371793D44472A4FDD765C0AA6FAED7D
                                File Content Preview:------=_NextPart_000_01BC5ED1.0283D020..Content-Type: application/octet-stream; name="RUNIT2.EXE"..Content-Transfer-Encoding: base64..Content-Description: Runit2 (Application)..Content-Disposition: attachment; filename="RUNIT2.EXE"....TVoAAQEAAAAIABAA//8I
                                Icon Hash:90cececece8e8eb0
                                No network behavior found

                                Target ID:10
                                Start time:11:31:33
                                Start date:29/10/2024
                                Path:C:\Windows\System32\pcwrun.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\pcwrun.exe "C:\Users\user\Desktop\RUNIT2.EXE" ContextMenu
                                Imagebase:0x7ff6faa30000
                                File size:16'384 bytes
                                MD5 hash:CA01951C3320758133D16E542FD6AFC0
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:true

                                Target ID:11
                                Start time:11:31:33
                                Start date:29/10/2024
                                Path:C:\Windows\System32\msdt.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\user\AppData\Local\Temp\PCWF86D.xml /skip TRUE
                                Imagebase:0x7ff6ea400000
                                File size:499'200 bytes
                                MD5 hash:3AE6BFDF0257B303EDD695DA183C8462
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:low
                                Has exited:false

                                Target ID:14
                                Start time:11:32:09
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\hr5jugav.cmdline"
                                Imagebase:0x7ff62d510000
                                File size:2'759'232 bytes
                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:15
                                Start time:11:32:09
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES857A.tmp" "c:\Users\user\AppData\Local\Temp\CSC79526781084487E8E42D8F778C3DF69.TMP"
                                Imagebase:0x7ff7b4f60000
                                File size:52'744 bytes
                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:16
                                Start time:11:32:11
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\rgr4voti.cmdline"
                                Imagebase:0x7ff62d510000
                                File size:2'759'232 bytes
                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:17
                                Start time:11:32:11
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES8D3A.tmp" "c:\Users\user\AppData\Local\Temp\CSC5FF1484DFEAC4FAA872A2D156A7AC56A.TMP"
                                Imagebase:0x7ff7b4f60000
                                File size:52'744 bytes
                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:18
                                Start time:11:32:14
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                                Wow64 process (32bit):false
                                Commandline:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\w3fyocc2.cmdline"
                                Imagebase:0x7ff62d510000
                                File size:2'759'232 bytes
                                MD5 hash:F65B029562077B648A6A5F6A1AA76A66
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                Target ID:19
                                Start time:11:32:14
                                Start date:29/10/2024
                                Path:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\user\AppData\Local\Temp\RES99AE.tmp" "c:\Users\user\AppData\Local\Temp\CSC5B8025FC83464292BBE495898E339EBE.TMP"
                                Imagebase:0x7ff7b4f60000
                                File size:52'744 bytes
                                MD5 hash:C877CBB966EA5939AA2A17B6A5160950
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Reputation:moderate
                                Has exited:true

                                No disassembly