Source: Lic.exe |
ReversingLabs: Detection: 19% |
Source: Lic.exe |
Virustotal: Detection: 19% |
Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.4% probability |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE133027C0 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, |
0_2_00007FFE133027C0 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13302E35 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext, |
0_2_00007FFE13302E35 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13302E00 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext, |
0_2_00007FFE13302E00 |
Source: Lic.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: |
Binary string: clrjit.pdb source: Lic.exe, 00000000.00000002.1725058787.0000024B719D2000.00000004.00000020.00020000.00000000.sdmp |
Source: Lic.exe |
String found in binary or memory: https://#/SCClientPing.php#Invalid |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13301D70 |
0_2_00007FFE13301D70 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13303270 |
0_2_00007FFE13303270 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE133014D0 |
0_2_00007FFE133014D0 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFD9B7D6C12 |
0_2_00007FFD9B7D6C12 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFD9B7D5E66 |
0_2_00007FFD9B7D5E66 |
Source: Lic.exe |
Binary or memory string: OriginalFilename vs Lic.exe |
Source: Lic.exe, 00000000.00000002.1725852927.00007FFE13313000.00000002.00000001.01000000.00000006.sdmp |
Binary or memory string: OriginalFilename vs Lic.exe |
Source: Lic.exe, 00000000.00000002.1724955220.0000024B69201000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilename vs Lic.exe |
Source: AgileDotNetRT64.dll.0.dr |
Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: classification engine |
Classification label: mal60.evad.winEXE@1/2@0/0 |
Source: C:\Users\user\Desktop\Lic.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lic.exe.log |
Source: C:\Users\user\Desktop\Lic.exe |
Mutant created: NULL |
Source: C:\Users\user\Desktop\Lic.exe |
Mutant created: \Sessions\1\BaseNamedObjects\{37c18af4-686a-4078-aea2-125b9784b6de} |
Source: C:\Users\user\Desktop\Lic.exe |
File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb |
Source: Lic.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Lic.exe |
Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\Lic.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor |
Source: C:\Users\user\Desktop\Lic.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Lic.exe |
String found in binary or memory: application/xml)/authorize/stops.xml1/authorize/authorize.xml'www.decisionbar.com |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: ucrtbase_clr0400.dll (2 entries) |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: coremessaging.dll (2 entries) |
Source: C:\Users\user\Desktop\Lic.exe |
Section loaded: wintypes.dll (3 entries) |
Source: C:\Users\user\Desktop\Lic.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: Lic.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Lic.exe |
Static PE information: 0xE66D18D1 [Thu Jul 3 07:44:17 2092 UTC] |
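The static PE fields reported above for Lic.exe (the DllCharacteristics flags, the IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR data directory that marks a .NET image, and TimeDateStamp 0xE66D18D1) and for the dropped AgileDotNetRT64.dll (a .reloc section marked code, execute and write) can be re-checked without the sandbox. The following is an added example and not code from the report or from the sample's author: it parses a PE header with the standard library, decodes those fields and says what each one means. The header bytes it runs on are constructed here from the reported values and deliberately combine fields of both files into one image; the CLR header RVA 0x2008 is an arbitrary non-zero placeholder.

```python
"""Added example: static checks over PE header fields of the kind listed in the
report (TimeDateStamp, DllCharacteristics, CLR data directory, section flags).
The header bytes are constructed from the reported values; they are not Lic.exe."""
import struct
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* (winnt.h)
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
# IMAGE_SCN_* section characteristics (winnt.h)
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # CLR runtime header; only managed images have it
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def parse_pe(data: bytes) -> dict:
    """Minimal PE parser: COFF header, the optional-header fields needed here, section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    machine, nsect, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+: 8-byte ImageBase and stack/heap fields shift the tail
        ndirs_off, dirs_off = opt + 108, opt + 112
    elif magic == 0x10B:    # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva = com_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        com_rva, com_size = struct.unpack_from(
            "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    sections = []
    for i in range(nsect):   # 40-byte IMAGE_SECTION_HEADER entries follow the optional header
        hdr = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((hdr[0].rstrip(b"\0").decode("ascii", "replace"), hdr[9]))
    return {"machine": machine, "timestamp": timestamp, "dll_characteristics": dllchar,
            "clr_header": com_rva != 0 and com_size != 0, "sections": sections}


def decode_timestamp(ts: int) -> datetime:
    # Add to the epoch instead of fromtimestamp(): post-2038 values fail on some platforms.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(seconds=ts)


def analyse(data: bytes, now=None) -> dict:
    """Decode the header and return the findings an analyst would note."""
    info = parse_pe(data)
    now = now or datetime.now(timezone.utc)
    built = decode_timestamp(info["timestamp"])
    flags = [n for bit, n in DLL_CHARACTERISTICS.items() if info["dll_characteristics"] & bit]
    findings = []
    if built > now:
        findings.append(f"TimeDateStamp {info['timestamp']:#x} decodes to {built:%Y-%m-%d} (future)")
    if info["timestamp"] & 0x80000000:
        # Top bit set means a date after 2038. Deterministic (reproducible) .NET builds
        # store a content hash in this field rather than a build time, which typically
        # looks exactly like this, so on a managed image it is a weak signal by itself.
        findings.append("TimeDateStamp top bit set: hashed/deterministic value, not a build time")
    if info["clr_header"]:
        findings.append("CLR header present: managed (.NET) image")
    for name, ch in info["sections"]:
        if ch & SCN_MEM_WRITE and ch & SCN_MEM_EXECUTE:
            findings.append(f"section {name} is writable and executable")
        if name == ".reloc" and ch & SCN_CNT_CODE:
            findings.append("section .reloc flagged as code: relocation tables never need "
                            "CNT_CODE/EXECUTE (protector or packer stub indicator)")
    return {"built": built, "dll_characteristics": flags, "findings": findings}


def build_sample_pe(timestamp, dllchar, sections, com_rva):
    """Construct a header-only PE32+ image (no code, no data) from the given field values."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    opt_size = 112 + 16 * 8                                         # PE32+ fixed part + 16 directories
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, len(sections), timestamp,
                       0, 0, opt_size, 0x0022)                      # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)                           # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchar)
    struct.pack_into("<I", opt, 108, 16)                            # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     com_rva, 0x48 if com_rva else 0)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"),
                                 0, 0, 0, 0, 0, 0, 0, 0, c) for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


# Constructed from the values in the report (not the real file); com_rva is a placeholder.
SAMPLE_PE = build_sample_pe(
    timestamp=0xE66D18D1,
    dllchar=0x0020 | 0x0040 | 0x0100 | 0x0400 | 0x8000,
    sections=[(".text", SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
              (".reloc", SCN_CNT_CODE | SCN_CNT_INITIALIZED_DATA
               | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE)],
    com_rva=0x2008,
)

if __name__ == "__main__":
    result = analyse(SAMPLE_PE)
    print("TimeDateStamp:", result["built"].strftime("%a %b %d %H:%M:%S %Y UTC"))
    print("DllCharacteristics:", ", ".join(result["dll_characteristics"]))
    for finding in result["findings"]:
        print("-", finding)
```

Decoding 0xE66D18D1 gives Thu Jul 3 07:44:17 2092 UTC, the same date the report prints. Of the three findings, the future timestamp is the weakest: on a managed image it usually just means the assembly was built with deterministic compilation. The writable, executable .reloc section is the one worth following up, since no normal linker emits a relocation table with those flags.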
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13308C00 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetFileVersionInfoSizeExW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, |
0_2_00007FFE13308C00 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13304803 push D84C6147h; ret |
0_2_00007FFE1330480C |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE1331F5C5 push 37ED6F56h; ret |
0_2_00007FFE1331F5CC |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFD9B7D00BD pushad ; iretd |
0_2_00007FFD9B7D00C1 |
Source: C:\Users\user\Desktop\Lic.exe |
File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll |
Source: C:\Users\user\Desktop\Lic.exe |
Process information set: NOOPENFILEERRORBOX (26 identical entries) |
Source: C:\Users\user\Desktop\Lic.exe |
RDTSC instruction interceptor: First address: 7FFE13301F0F second address: 7FFE13301F90 instructions (64-bit code shown as a 32-bit disassembly: each "dec eax" is the 0x48 REX.W prefix of the instruction after it, so "shl edx, 20h" / "or eax, edx" is the usual shl rdx, 32 / or rax, rdx that joins the two rdtsc halves into one 64-bit counter value):
0x00000000 rdtsc
0x00000002 dec eax
0x00000003 shl edx, 20h
0x00000006 dec eax
0x00000007 or eax, edx
0x00000009 dec eax
0x0000000a mov dword ptr [esp+28h], eax
0x0000000e dec eax
0x0000000f mov eax, dword ptr [esp+30h]
0x00000013 dec eax
0x00000014 mov ecx, dword ptr [esp+28h]
0x00000018 dec eax
0x00000019 sub ecx, eax
0x0000001b dec eax
0x0000001c mov eax, ecx
0x0000001e dec eax
0x0000001f add esp, 48h
0x00000022 ret
0x00000023 dec eax
0x00000024 mov dword ptr [00010326h], eax
0x0000002a mov dword ptr [esp+28h], 00000000h
0x00000032 jmp 00007FBCC0E8733Ch
0x00000034 mov eax, dword ptr [esp+50h]
0x00000038 cmp dword ptr [esp+28h], eax
0x0000003c jnl 00007FBCC0E87374h
0x0000003e rdtsc |
Source: C:\Users\user\Desktop\Lic.exe |
Memory allocated: 24B59170000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Lic.exe |
Memory allocated: 24B71200000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13301F40 rdtsc |
0_2_00007FFE13301F40 |
Source: C:\Users\user\Desktop\Lic.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Lic.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll |
Source: C:\Users\user\Desktop\Lic.exe TID: 6168 |
Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\Lic.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS |
Source: C:\Users\user\Desktop\Lic.exe |
API call chain: ExitProcess graph end node (5 identical entries) |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE133012E0 K32EnumProcessModules,GetProcessHeap,HeapAlloc,EnumProcessModules,K32EnumProcessModules,GetProcessHeap,HeapFree,GetModuleBaseNameA,K32GetModuleBaseNameA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, |
0_2_00007FFE133012E0 |
Source: C:\Users\user\Desktop\Lic.exe |
Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\Lic.exe |
Queries volume information: C:\Users\user\Desktop\Lic.exe VolumeInformation |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13306880 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, |
0_2_00007FFE13306880 |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE133010A0 GetVersionExW, |
0_2_00007FFE133010A0 |
Source: C:\Users\user\Desktop\Lic.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
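The evasion-related entries above (the named mutex, the dropped AgileDotNetRT64.dll, the Win32_BIOS and Win32_Processor WMI queries, the rdtsc function, the 922337203685477 ms sleep and the MachineGuid read) are the lines an analyst actually triages, and the report's own "Source: ... |" / detail layout is easy to parse. The following is an added example and not part of the report: it turns lines in that layout into events and applies a few rules to them. The REPORT text is a handful of lines copied from above; the rules, the list of WMI classes treated as fingerprinting, and the wording of the notes are this example's own assumptions.

```python
"""Added example: triage rules over sandbox-report lines in the
'Source: ... |' / detail layout used above. The REPORT lines are copied
from the report; the rules and notes are the example's own."""
import re

REPORT = r"""
Source: C:\Users\user\Desktop\Lic.exe |
Mutant created: \Sessions\1\BaseNamedObjects\{37c18af4-686a-4078-aea2-125b9784b6de} |
Source: C:\Users\user\Desktop\Lic.exe |
File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\Lic.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS |
Source: C:\Users\user\Desktop\Lic.exe |
WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor |
Source: C:\Users\user\Desktop\Lic.exe TID: 6168 |
Thread sleep time: -922337203685477s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\Lic.exe |
Code function: 0_2_00007FFE13301F40 rdtsc |
0_2_00007FFE13301F40 |
Source: C:\Users\user\Desktop\Lic.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
"""

# 2^63 100-ns ticks expressed in milliseconds. An INFINITE wait is handed down
# to NtDelayExecution as a relative timeout of this magnitude, so this exact
# number in a trace is "wait forever", not a chosen delay.
INFINITE_WAIT_MS = 2**63 // 10_000          # 922337203685477

# Assumption: WMI classes read here as hardware/VM fingerprinting.
VM_FINGERPRINT_WMI = {"Win32_BIOS", "Win32_Processor", "Win32_ComputerSystem", "Win32_DiskDrive"}

RULES = [
    ("mutex",        re.compile(r"^Mutant created: (?P<value>.+)$")),
    ("dropped_file", re.compile(r"^File created: (?P<value>.+\.(?:dll|exe|sys))$", re.I)),
    ("wmi_query",    re.compile(r"^WMI Queries: .*select \* from (?P<value>\w+)$", re.I)),
    ("sleep",        re.compile(r"^Thread sleep time: -?(?P<value>\d+)s")),
    ("rdtsc",        re.compile(r"^Code function: (?P<value>\S+) rdtsc$")),
    ("registry",     re.compile(r"^Key value queried: (?P<value>.+)$")),
]


def parse_report(text: str) -> list:
    """Pair each 'Source:' line with the detail lines that follow it, dropping the
    'Jump to ...' link residue, repeated function-address links and cell separators."""
    events, source = [], None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line or line.startswith("Jump to"):
            continue
        if line.startswith("Source:"):
            source = line[len("Source:"):].strip()
            continue
        if re.fullmatch(r"[0-9]_[0-9]_[0-9A-F]+", line):
            continue
        events.append({"source": source, "detail": line})
    return events


def triage(text: str) -> dict:
    """Categorise indicators and attach an analyst note where the raw line misleads."""
    out = {kind: [] for kind, _ in RULES}
    out["notes"] = []
    for ev in parse_report(text):
        for kind, rx in RULES:
            m = rx.match(ev["detail"])
            if not m:
                continue
            value = m.group("value")
            out[kind].append(value)
            if kind == "sleep":
                ms = int(value)
                if ms == INFINITE_WAIT_MS:
                    out["notes"].append("sleep of %d ms is 2^63 ticks: an infinite wait "
                                        "(parked thread), not a timed evasion sleep" % ms)
                elif ms >= 30_000:
                    out["notes"].append(f"long sleep of {ms} ms: possible delay-based evasion")
            elif kind == "wmi_query" and value in VM_FINGERPRINT_WMI:
                out["notes"].append(f"WMI {value}: hardware query used for VM detection "
                                    "(also common in licensing code)")
            elif kind == "rdtsc":
                out["notes"].append(f"{value}: rdtsc timing loop, a VM/debugger timing check")
            elif kind == "registry" and value.endswith("MachineGuid"):
                out["notes"].append("reads Cryptography\\MachineGuid: stable per-host ID, "
                                    "typical for licensing or bot identification")
            break
    return out


if __name__ == "__main__":
    result = triage(REPORT)
    for kind, values in result.items():
        if kind != "notes":
            print(f"{kind}: {values}")
    for note in result["notes"]:
        print("note:", note)
```

The sleep rule exists for the one value in these reports that is routinely misread: 922337203685477 ms is 2^63 100-ns ticks divided by 10^4, which is how an INFINITE wait appears once the sandbox converts the relative timeout to milliseconds. For this sample it means a thread parked indefinitely, consistent with a GUI process that has loaded uxtheme.dll and textinputframework.dll, not a thread that slept a fixed period to outlast the analysis window; the rdtsc loop and the BIOS/CPU WMI queries remain the entries that deserve a closer look.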