Source: Lic.exe | ReversingLabs: Detection: 19% |
Source: Lic.exe | Virustotal: Detection: 19% |
Source: Submited Sample | Integrated Neural Analysis Model: Matched 98.4% probability |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE133027C0 CryptQueryObject,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalAlloc,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,CryptMsgGetParam,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertCloseStore,CryptMsgClose, | 0_2_00007FFE133027C0 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13302E35 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext, | 0_2_00007FFE13302E35 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13302E00 lstrcmpA,CryptDecodeObject,CertFreeCertificateContext,LocalAlloc,CertFreeCertificateContext,CryptDecodeObject,CertFreeCertificateContext,CertFreeCertificateContext, | 0_2_00007FFE13302E00 |
Source: Lic.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: | Binary string: clrjit.pdb source: Lic.exe, 00000000.00000002.1725058787.0000024B719D2000.00000004.00000020.00020000.00000000.sdmp |
Source: Lic.exe | String found in binary or memory: https://#/SCClientPing.php#Invalid |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13301D70 | 0_2_00007FFE13301D70 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13303270 | 0_2_00007FFE13303270 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE133014D0 | 0_2_00007FFE133014D0 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFD9B7D6C12 | 0_2_00007FFD9B7D6C12 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFD9B7D5E66 | 0_2_00007FFD9B7D5E66 |
Source: Lic.exe | Binary or memory string: OriginalFilename vs Lic.exe |
Source: Lic.exe, 00000000.00000002.1725852927.00007FFE13313000.00000002.00000001.01000000.00000006.sdmp | Binary or memory string: OriginalFilename vs Lic.exe |
Source: Lic.exe, 00000000.00000002.1724955220.0000024B69201000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs Lic.exe |
Source: AgileDotNetRT64.dll.0.dr | Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
Source: classification engine | Classification label: mal60.evad.winEXE@1/2@0/0 |
Source: C:\Users\user\Desktop\Lic.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Lic.exe.log |
Source: C:\Users\user\Desktop\Lic.exe | Mutant created: NULL |
Source: C:\Users\user\Desktop\Lic.exe | Mutant created: \Sessions\1\BaseNamedObjects\{37c18af4-686a-4078-aea2-125b9784b6de} |
Source: C:\Users\user\Desktop\Lic.exe | File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb |
Source: Lic.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: Lic.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80% |
Source: C:\Users\user\Desktop\Lic.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_Processor |
Source: C:\Users\user\Desktop\Lic.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: Lic.exe | String found in binary or memory: application/xml)/authorize/stops.xml1/authorize/authorize.xml'www.decisionbar.com |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: version.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: ntmarta.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: wbemcomn.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: textinputframework.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: coreuicomponents.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: coremessaging.dll |
Source: C:\Users\user\Desktop\Lic.exe | Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\Lic.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: Lic.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: Lic.exe | Static PE information: 0xE66D18D1 [Thu Jul 3 07:44:17 2092 UTC] |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13308C00 GetCurrentProcess,GetCurrentProcess,GetFileVersionInfoSizeW,GetFileVersionInfoSizeExW,GetProcessHeap,HeapAlloc,GetFileVersionInfoW,VerQueryValueA,LoadLibraryW,GetProcAddress,GetProcessHeap,HeapFree, | 0_2_00007FFE13308C00 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13304803 push D84C6147h; ret | 0_2_00007FFE1330480C |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE1331F5C5 push 37ED6F56h; ret | 0_2_00007FFE1331F5CC |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFD9B7D00BD pushad ; iretd | 0_2_00007FFD9B7D00C1 |
Source: C:\Users\user\Desktop\Lic.exe | File created: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll |
Source: C:\Users\user\Desktop\Lic.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\Lic.exe | RDTSC instruction interceptor: First address: 7FFE13301F0F second address: 7FFE13301F90 instructions: 0x00000000 rdtsc 0x00000002 dec eax 0x00000003 shl edx, 20h 0x00000006 dec eax 0x00000007 or eax, edx 0x00000009 dec eax 0x0000000a mov dword ptr [esp+28h], eax 0x0000000e dec eax 0x0000000f mov eax, dword ptr [esp+30h] 0x00000013 dec eax 0x00000014 mov ecx, dword ptr [esp+28h] 0x00000018 dec eax 0x00000019 sub ecx, eax 0x0000001b dec eax 0x0000001c mov eax, ecx 0x0000001e dec eax 0x0000001f add esp, 48h 0x00000022 ret 0x00000023 dec eax 0x00000024 mov dword ptr [00010326h], eax 0x0000002a mov dword ptr [esp+28h], 00000000h 0x00000032 jmp 00007FBCC0E8733Ch 0x00000034 mov eax, dword ptr [esp+50h] 0x00000038 cmp dword ptr [esp+28h], eax 0x0000003c jnl 00007FBCC0E87374h 0x0000003e rdtsc |
Source: C:\Users\user\Desktop\Lic.exe | Memory allocated: 24B59170000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Lic.exe | Memory allocated: 24B71200000 memory reserve | memory write watch |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13301F40 rdtsc | 0_2_00007FFE13301F40 |
Source: C:\Users\user\Desktop\Lic.exe | Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\Lic.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9d157fef-9d80-4c40-8e32-b40db35317cb\AgileDotNetRT64.dll |
Source: C:\Users\user\Desktop\Lic.exe TID: 6168 | Thread sleep time: -922337203685477s >= -30000s |
Source: C:\Users\user\Desktop\Lic.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS |
Source: C:\Users\user\Desktop\Lic.exe | API call chain: ExitProcess graph end node | graph_0-7283 |
Source: C:\Users\user\Desktop\Lic.exe | API call chain: ExitProcess graph end node | graph_0-7288 |
Source: C:\Users\user\Desktop\Lic.exe | API call chain: ExitProcess graph end node | graph_0-7303 |
Source: C:\Users\user\Desktop\Lic.exe | API call chain: ExitProcess graph end node | graph_0-7294 |
Source: C:\Users\user\Desktop\Lic.exe | API call chain: ExitProcess graph end node | graph_0-7265 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE133012E0 K32EnumProcessModules,GetProcessHeap,HeapAlloc,EnumProcessModules,K32EnumProcessModules,GetProcessHeap,HeapFree,GetModuleBaseNameA,K32GetModuleBaseNameA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, | 0_2_00007FFE133012E0 |
Source: C:\Users\user\Desktop\Lic.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\Lic.exe | Queries volume information: C:\Users\user\Desktop\Lic.exe VolumeInformation |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE13306880 MessageBoxW,GetSystemTimeAsFileTime,CompareFileTime,MessageBoxW, | 0_2_00007FFE13306880 |
Source: C:\Users\user\Desktop\Lic.exe | Code function: 0_2_00007FFE133010A0 GetVersionExW, | 0_2_00007FFE133010A0 |
Source: C:\Users\user\Desktop\Lic.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |