Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	854945
MD5:	fc6925e4bf5f890a1c62a406693cea77
SHA1:	595e9e5c1736f28acfeb529a695fb3eada2602d4
SHA256:	03f8e0b404e2ff092e515614d63a8dd3a167ce5df128ae3b0406c07708ad3310
Tags:	exe
Infos:

Detection

Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected UAC Bypass using CMSTP

Multi AV Scanner detection for submitted file

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Yara detected Vidar stealer

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

.NET source code contains potential unpacker

.NET source code contains very large array initializations

C2 URLs / IPs found in malware configuration

Queries the volume information (name, serial number etc) of a device

Yara signature match

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

JA3 SSL client fingerprint seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

PE file does not import any functions

Sample file is different than original file name gathered from version info

Compiles C# or VB.Net code

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

file.exe (PID: 6940 cmdline: C:\Users\user\Desktop\file.exe MD5: FC6925E4BF5F890A1C62A406693CEA77)

SMSvcHost.exe (PID: 4544 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe MD5: 7EC8B56348F9298BCCA7A745C7F70E2C)

cvtres.exe (PID: 6392 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)

DataSvcUtil.exe (PID: 3636 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe MD5: CCDF8F3B189FFB839B390F695FAE2A6D)

AppLaunch.exe (PID: 4988 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe MD5: 98A8F518B66BA43DF38821C364C3B791)

MSBuild.exe (PID: 4916 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe MD5: 8B9E68304AF4B81C9AB70CB2220EBA74)

aspnet_regiis.exe (PID: 1304 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe MD5: 061D8C0371566D560C5B15C77A34046F)

aspnet_state.exe (PID: 4516 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe MD5: 9EDC7F9BB19D3F12EB05437BD5687C8A)

aspnet_compiler.exe (PID: 3428 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe MD5: 7809A19AA8DA1A41F36B60B0664C4E20)

ComSvcConfig.exe (PID: 3928 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe MD5: 2778AE0EB674B74FF8028BF4E51F1DF5)

AddInProcess32.exe (PID: 4436 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)

aspnet_regbrowsers.exe (PID: 1092 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe MD5: BF7E443F1E1FA88AD5A2A5EB44F42834)

ngen.exe (PID: 1380 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe MD5: FBA5E8D94C9EADC279BC06B9CF041A9A)

ilasm.exe (PID: 1364 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe MD5: 155758025B42F1804E1429483BA53553)

ngentask.exe (PID: 1248 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe MD5: AA98E294A0210BDA5F79A7288F91B78C)

Microsoft.Workflow.Compiler.exe (PID: 6608 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe MD5: D91462AE31562E241AF5595BA5E1A3C4)

mscorsvw.exe (PID: 4180 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe MD5: B00E9325AC7356A3F4864EAAAD48E13F)

AddInUtil.exe (PID: 6708 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe MD5: 65D30D747EB31E108A36EBC966C1227D)

jsc.exe (PID: 6668 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe MD5: 2B40A449D6034F41771A460DADD53A60)

aspnet_wp.exe (PID: 6736 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe MD5: 3F68BCF536EEAE067038C67022CDF6D8)

InstallUtil.exe (PID: 6660 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe MD5: 6EE3F830099ADD53C26DF5739B44D608)

ServiceModelReg.exe (PID: 3760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe MD5: 80B018258257C2F78CBFE08198883AC1)

dfsvc.exe (PID: 2240 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe MD5: 48FD4DD682051712E3E7757C525DED71)

RegAsm.exe (PID: 4296 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe MD5: 2B5D765B33C67EBA41E9F47954227BC3)

CasPol.exe (PID: 1008 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe MD5: CB86BA6B2759BF478ADD7A1612C183D5)

RegSvcs.exe (PID: 4980 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe MD5: 59FCE79E9D81AB9E2ED4C3561205F5DF)

EdmGen.exe (PID: 6984 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe MD5: 2B6A31DFD7C9ED8B413DBDAB800F10F3)

csc.exe (PID: 6792 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe MD5: B46100977911A0C9FB1C3E5F16A5017D)

AddInProcess.exe (PID: 6776 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe MD5: 11D8A500C4C0FBAF20EBDB8CDF6EA452)

aspnet_regsql.exe (PID: 6760 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe MD5: F31014EE4DE7FE48E9B7C9BE94CFB45F)

vbc.exe (PID: 6960 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe MD5: AC610BC00AF71E7C5B89F5AC0F65DAFA)

WsatConfig.exe (PID: 6588 cmdline: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe MD5: EDA1875528E99782E9A2C0001BB4C5A9)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://asec.ahnlab.com/en/22932/ https://asec.ahnlab.com/en/30445/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: Vidar

{
  "C2 url": [
    "https://steamcommunity.com/profiles/76561199499188534",
    "https://t.me/nutalse"
  ],
  "Botnet": "d53752acbcbb2dd88ecc4d536f03b032",
  "Version": "3.6"
}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x2085d:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
Process Memory Space: file.exe PID: 6940	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: file.exe PID: 6940	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
Process Memory Space: file.exe PID: 6940	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.1ee60b63f10.4.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.1ee60aebac8.2.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.1ee60b63f10.4.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.1ee4ebf0000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x2085d:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
0.0.file.exe.1ee4ebf0000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x2085d:$s2: is protected by an unregistered version of .NET Reactor!" );</script>
0.2.file.exe.1ee60aebac8.2.raw.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
0.2.file.exe.1ee50d5a508.1.raw.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
0.2.file.exe.1ee50d5a508.1.raw.unpack	INDICATOR_SUSPICIOUS_DisableWinDefender	Detects executables containing artifcats associated with disabling Widnows Defender	ditekSHen	0x9d05:$e1: Microsoft\Windows Defender\Exclusions\Paths 0x9d34:$e2: Add-MpPreference -ExclusionPath
0.2.file.exe.1ee50d5a508.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM	Detects executables embedding command execution via IExecuteCommand COM object	ditekSHen	0x9cd5:$r1: Classes\Folder\shell\open\command 0x9124:$k1: DelegateExecute
Click to see the 4 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

• AV Detection
• Exploits
• Compliance
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199499188534", "https://t.me/nutalse"], "Botnet": "d53752acbcbb2dd88ecc4d536f03b032", "Version": "3.6"}

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 21%

Perma Link

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 0.2.file.exe.1ee50d5a508.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6940, type: MEMORYSTR

Source: unknown

HTTPS traffic detected: 23.0.174.120:443 -> 192.168.2.5:49697 version: TLS 1.2

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: N57d.pdb source: file.exe
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF9A5BA32D1h		0_2_00007FF9A5BA30A6
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 00007FF9A5BA215Ch		0_2_00007FF9A5BA1F3A

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://steamcommunity.com/profiles/76561199499188534
Source: Malware configuration extractor	URLs: https://t.me/nutalse

Source: Joe Sandbox View

JA3 fingerprint: 10ee8d30a5d01c042afd7b2b205facc4

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown	Network traffic detected: HTTP traffic on port 49697 -> 443

Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120
Source: unknown	TCP traffic detected without corresponding DNS query: 23.0.174.120

Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll
Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199499188534
Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://steamcommunity.com/profiles/76561199499188534update.zipopenopen_NULL%s
Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/nutalse
Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://t.me/nutalsesportbikedatapack.zipMozilla/5.0
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sysinternals.com0

Source: unknown

HTTPS traffic detected: 23.0.174.120:443 -> 192.168.2.5:49697 version: TLS 1.2

System Summary

Malicious sample detected (through community Yara rule)

Source: file.exe, type: SAMPLE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.2.file.exe.1ee4ebf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.0.file.exe.1ee4ebf0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.2.file.exe.1ee50d5a508.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing artifcats associated with disabling Widnows Defender Author: ditekSHen
Source: 0.2.file.exe.1ee50d5a508.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen

.NET source code contains very large array initializations

Source: file.exe, N57d/You6bh.cs

Large array initialization: .cctor: array initializer size 760848

Source: file.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.2.file.exe.1ee4ebf0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.0.file.exe.1ee4ebf0000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.2.file.exe.1ee50d5a508.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifcats associated with disabling Widnows Defender
Source: 0.2.file.exe.1ee50d5a508.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BAEEBA	0_2_00007FF9A5BAEEBA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA8698	0_2_00007FF9A5BA8698
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA8608	0_2_00007FF9A5BA8608
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BADA89	0_2_00007FF9A5BADA89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BB7B3B	0_2_00007FF9A5BB7B3B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BB8B51	0_2_00007FF9A5BB8B51
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA6DE0	0_2_00007FF9A5BA6DE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA6198	0_2_00007FF9A5BA6198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BB03A5	0_2_00007FF9A5BB03A5

Source: file.exe

Static PE information: No import functions for PE file found

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000000.295714406.000001EE4EBF2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSIV.exe. vs file.exe
Source: file.exe, 00000000.00000002.324669994.000001EE4EF3A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs file.exe
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprocexp.SysB vs file.exe
Source: file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSIV.exe. vs file.exe

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Virustotal: Detection: 21%

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@63/1@0/0

Source: file.exe	Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\file.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: N57d.pdb source: file.exe
Source:	Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: file.exe, N57d/You6bh.cs

.Net Code: fgxQ03wPW0AjClahVW System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_000001EE4EBF98A5 push rdi; retf	0_2_000001EE4EBF98B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA90D0 push esi; retn F9A5h	0_2_00007FF9A5BA940A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA9010 push esp; retn F9A5h	0_2_00007FF9A5BA90CA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BB5AC5 push ebp; retf	0_2_00007FF9A5BB5AC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA5127 push esp; ret	0_2_00007FF9A5BA5132
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA5134 push esp; ret	0_2_00007FF9A5BA514C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00007FF9A5BA50EC push esp; ret	0_2_00007FF9A5BA50F4

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe			Jump to behavior

Source: initial sample

Static PE information: section name: .text entropy: 7.805434983404769

Source: file.exe, Loca92ion/Encountb9r.cs	High entropy of concatenated method names: 'Ex5fibit', 'v4dB2dQPs', 'Jm1VjWgOM', 'oB2rXj1AI', 'vlRNa3eNl', '.ctor', 'vtf8VaNfS2Yx2qUyOg', 'd8IdAAmgvejE0UCqXU', 'kvErbu8sfFuShJGrfH', 'KUut4HaO2Gj06AVYnP'
Source: file.exe, N57d/R0avi0aw.cs	High entropy of concatenated method names: 'e9elephone', 'VImjLwg0Y', 'MHSkfxSVT', '.ctor', 'UROqrPQN9lfnNfg8U8', 'QwhBOOlpoN2oQDGeYn', 'O7WGIu24wvlpOITpfl', 'tN3HGFgm56b3JUmt5U', 'Vc4pPyiOsNZ5x8ueBi', 'gUcccpALtvDdV8dMqb'

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 6940, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\file.exe TID: 6976

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware
Source: file.exe	Binary or memory string: Power OffSServerDatacenterwithoutHyper-VFullEdition080a!Spanish - Mexico045a
Source: file.exe	Binary or memory string: Server Datacenter without Hyper-V Core Edition
Source: file.exe	Binary or memory string: AustriaZulu]Server Datacenter without Hyper-V Core Edition0425
Source: file.exe	Binary or memory string: Comoros041e9ServerStandardwithoutHyper-V
Source: file.exe	Binary or memory string: SudanSServerDatacenterwithoutHyper-VCoreEdition3809'English - Indonesia0465
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: file.exe	Binary or memory string: ServerDatacenterwithoutHyper-VFullEdition
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe	Binary or memory string: Hyper-V Edition
Source: file.exe	Binary or memory string: Server Standard without Hyper-V Core Edition
Source: file.exe	Binary or memory string: Blocked PID-AMD Opteron(TM) Family082c!Azeri (Cyrillic)?Server Standard without Hyper-V081a
Source: file.exe	Binary or memory string: 290MSaint Helena and also Tristan Da CunhaOServerStandardwithoutHyper-VCoreEdition
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: file.exe	Binary or memory string: Server 2008 without Hyper-V for Windows Essential Server Solutions
Source: file.exe	Binary or memory string: ServerStandardwithoutHyper-VCoreEdition
Source: file.exe	Binary or memory string: Server2008withoutHyper-VforWindowsEssentialServerSolutions
Source: file.exe	Binary or memory string: ServerStandardwithoutHyper-V
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys
Source: file.exe	Binary or memory string: Hyper-VEditionYServer Standard without Hyper-V Core Edition0460#Kashmiri (Arabic)200c!French - Reunion5Server For SB Solutions EM0424
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmware
Source: file.exe	Binary or memory string: ]Server Datacenter without Hyper-V Full Edition
Source: file.exe	Binary or memory string: ServerDatacenterwithoutHyper-VCoreEdition
Source: file.exe	Binary or memory string: Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: file.exe	Binary or memory string: Server Datacenter without Hyper-V Full Edition
Source: file.exe	Binary or memory string: 540a/Spanish - United States!Business EditionIServer Datacenter Evaluation EditionuServer2008withoutHyper-VforWindowsEssentialServerSolutions
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys
Source: file.exe	Binary or memory string: Hyper-V Edition043b
Source: file.exe	Binary or memory string: Hyper-VEdition

Source: C:\Users\user\Desktop\file.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.1ee60b63f10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60aebac8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60b63f10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60aebac8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6940, type: MEMORYSTR

Remote Access Functionality

Yara detected Vidar stealer

Source: Yara match	File source: 0.2.file.exe.1ee60b63f10.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60aebac8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60b63f10.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.1ee60aebac8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 6940, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	11 Process Injection	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	12 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	11 Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	21 Virtualization/Sandbox Evasion	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	12 Software Packing	NTDS	12 System Information Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	11 Process Injection	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	System Owner/User Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Download Video

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	21%	Virustotal		Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://www.sysinternals.com0	0%	URL Reputation	safe
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	0%	URL Reputation	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199499188534	false		high
https://t.me/nutalse	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://steamcommunity.com/profiles/76561199499188534update.zipopenopen_NULL%s	file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.sysinternals.com0	file.exe, 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/nutalsesportbikedatapack.zipMozilla/5.0	file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	false		high
https://freebl3.dllmozglue.dllmsvcp140.dllnss3.dllsoftokn3.dllvcruntime140.dll	file.exe, 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	854945
Start date and time:	2023-04-27 09:17:09 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 4m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@63/1@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 10.8% (good quality ratio 10.2%) Quality average: 74.2% Quality standard deviation: 28.9%
HCA Information:	Successful, ratio: 94% Number of executed functions: 15 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

⊘No simulations

Joe Sandbox View / Context

IPs

⊘No context

Domains

⊘No context

ASNs

⊘No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
10ee8d30a5d01c042afd7b2b205facc4	MSBuild.exe	Get hash	malicious	Xmrig	Browse	23.0.174.120
	https://www.temu.com/mbs_lucky_draw_download.html?	Get hash	malicious	Unknown	Browse	23.0.174.120
	{DDFD237E-0AA7-47C8-BA75-3059D7415462}-GoogleUpdateSetup.exe	Get hash	malicious	Unknown	Browse	23.0.174.120
	file.exe	Get hash	malicious	FormBook	Browse	23.0.174.120
	INV736103251059.xll	Get hash	malicious	AgentTesla, zgRAT	Browse	23.0.174.120
	file.exe	Get hash	malicious	RedLine	Browse	23.0.174.120
	RFQ190423.exe	Get hash	malicious	Unknown	Browse	23.0.174.120
	Invoice_#INV-000003.xlsm	Get hash	malicious	Unknown	Browse	23.0.174.120
	https://floral-surf-6fd7.51g0jm50281.workers.dev/	Get hash	malicious	Phisher	Browse	23.0.174.120
	immagine_degli_elementi_elencati.exe	Get hash	malicious	AgentTesla	Browse	23.0.174.120
	hxxps://www%5B.%5Donline-managepayees1%5B.%5Dcom/	Get hash	malicious	HTMLPhisher	Browse	23.0.174.120
	PO_6601600170423001.exe	Get hash	malicious	AgentTesla	Browse	23.0.174.120
	cryptor.exe	Get hash	malicious	Unknown	Browse	23.0.174.120
	file.exe	Get hash	malicious	lgoogLoader	Browse	23.0.174.120
	file.exe	Get hash	malicious	AgentTesla	Browse	23.0.174.120
	DO-251244.exe	Get hash	malicious	Snake Keylogger	Browse	23.0.174.120
	cryptor.exe	Get hash	malicious	Unknown	Browse	23.0.174.120
	20231104_1C23TTS_00000246.exe	Get hash	malicious	FormBook	Browse	23.0.174.120
	Remittance_Advice.exe	Get hash	malicious	AgentTesla	Browse	23.0.174.120
	Ship_particular.exe	Get hash	malicious	Snake Keylogger	Browse	23.0.174.120

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.351599573976469
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTxAIOKbbDLI4MWuPOKN08JOKhav:ML9E4KrgKDE4KGKN08AKhk
MD5:	BEBB66F4CB83D5C34857FE75DE3A8610
SHA1:	66FB475AADAE0D4542125C8E272D9D6BBFA555BB
SHA-256:	C1A8084313E66497C9F53D0F65E85AC2D4A840AF7FEBCCCFB3924F54BCF1BADC
SHA-512:	45181B8B60B7F0FD0D841F50592B9E83F7BADF1FFED040DFCAF5779BF5F653633D78B28E5AFA92A53E9DA965113E4A8E7A16456AE3A8FDF786B7DF6B3FEE5CE8
Malicious:	true
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\4e05e2e48b8a6dd267a8c9e25ef129a7\System.Core.ni.dll",0..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.7197667813368165
TrID:	Win64 Executable GUI Net Framework (217006/5) 49.88% Win64 Executable GUI (202006/5) 46.43% Win64 Executable (generic) (12005/4) 2.76% Generic Win/DOS Executable (2004/3) 0.46% DOS Executable Generic (2002/1) 0.46%
File name:	file.exe
File size:	1024000
MD5:	fc6925e4bf5f890a1c62a406693cea77
SHA1:	595e9e5c1736f28acfeb529a695fb3eada2602d4
SHA256:	03f8e0b404e2ff092e515614d63a8dd3a167ce5df128ae3b0406c07708ad3310
SHA512:	f31b220e745430460a3839a5a646d5db0660457bfe1abb7ebfbbc7150dbf3073992590efb2cfe08dc4d50a66226d5d93eb487ba99bf9f5d82dec5e9911f6926f
SSDEEP:	12288:Mp+tJodRhl6EEDiXnx6rjxI+JXFxN+rsH4ctY6rJQyz45dHdsVCzMtgBRWQ:HojWIUvJXFoy+dHdmCU
TLSH:	F0258E382BA6CE08FFE281F0D5E50212209DB7B4C525E745CA361D35C9B2E857FA27D6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d.....Gd..............0.................. ....@...... ....................................`...@......@............... .....

File Icon


Icon Hash:	ccf2c0d4d0c0f6c0

Static PE Info

General

Entrypoint:	0x400000
Entrypoint Section:
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6447CEF7 [Tue Apr 25 13:00:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:

Entrypoint Preview

Instruction
dec ebp
pop edx
nop
add byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xe0000	0x1c228	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0xdf7e4	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2000	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xdd830	0xdda00	False	0.8131543464467005	data	7.805434983404769	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0xe0000	0x1c228	0x1c400	False	0.47810080199115046	data	6.1772659453745025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0xe0190	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON	0xe2738	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON	0xf2f60	0x8b44	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_GROUP_ICON	0xfbaa4	0x30	data
RT_VERSION	0xfbad4	0x568	zlib compressed data
RT_MANIFEST	0xfc03c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

Network Behavior

Download Network PCAP: filtered – full

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 27, 2023 09:18:01.183608055 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.183701038 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.183820009 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.184046030 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.184072018 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.259202957 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.259408951 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.266238928 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.266269922 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.266752005 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.266927004 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267491102 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267530918 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.267546892 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267632008 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267647028 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.267672062 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.267791986 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267823935 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.267862082 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.268069029 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.268131971 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.432425022 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.432629108 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.432643890 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.432758093 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.433042049 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.433073044 CEST	443	49697	23.0.174.120	192.168.2.5
Apr 27, 2023 09:18:01.433124065 CEST	49697	443	192.168.2.5	23.0.174.120
Apr 27, 2023 09:18:01.433182955 CEST	49697	443	192.168.2.5	23.0.174.120

Statistics

CPU Usage

• file.exe
• SMSvcHost.exe
• cvtres.exe
• DataSvcUtil.exe
• AppLaunch.exe
• MSBuild.exe
• aspnet_regiis.exe
• aspnet_state.exe
• aspnet_compiler.exe
• ComSvcConfig.exe
• AddInProcess32.exe
• aspnet_regbrowsers.exe
• ngen.exe
• ilasm.exe
• ngentask.exe
• Microsoft.Workflow.Compiler.exe
• mscorsvw.exe
• AddInUtil.exe
• jsc.exe
• aspnet_wp.exe
• InstallUtil.exe
• ServiceModelReg.exe
• dfsvc.exe
• RegAsm.exe
• CasPol.exe
• RegSvcs.exe
• EdmGen.exe
• csc.exe
• AddInProcess.exe
• aspnet_regsql.exe
• vbc.exe
• WsatConfig.exe

Click to jump to process

Memory Usage

• file.exe
• SMSvcHost.exe
• cvtres.exe
• DataSvcUtil.exe
• AppLaunch.exe
• MSBuild.exe
• aspnet_regiis.exe
• aspnet_state.exe
• aspnet_compiler.exe
• ComSvcConfig.exe
• AddInProcess32.exe
• aspnet_regbrowsers.exe
• ngen.exe
• ilasm.exe
• ngentask.exe
• Microsoft.Workflow.Compiler.exe
• mscorsvw.exe
• AddInUtil.exe
• jsc.exe
• aspnet_wp.exe
• InstallUtil.exe
• ServiceModelReg.exe
• dfsvc.exe
• RegAsm.exe
• CasPol.exe
• RegSvcs.exe
• EdmGen.exe
• csc.exe
• AddInProcess.exe
• aspnet_regsql.exe
• vbc.exe
• WsatConfig.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 6940, Parent PID: 3324

Function Logs

General

Target ID:	0
Start time:	09:18:02
Start date:	27/04/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x1ee4ebf0000
File size:	1024000 bytes
MD5 hash:	FC6925E4BF5F890A1C62A406693CEA77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.324891839.000001EE50AC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 00000000.00000002.330382732.000001EE609B7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Written

File Read

File Attributes Queried

Device IO

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Key Value Enumerated

Key Enumerated

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Queried

Process Information Set

Process Terminated

Thread Activities

Thread Created

Thread Execution Resumed

Thread Execution Suspended

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

System Information Queried

Show Windows behavior

Timing Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Windows UI Activities

Window UI Enumerated

Process Token Activities

Token Adjusted

Show Windows behavior

LPC Port Activities

There is hidden Windows Behavior. Click on Show Windows Behavior to show it.

Show Windows behavior

Chronological Activities

Analysis Process: SMSvcHost.exePID: 4544, Parent PID: 6940

Function Logs

General

Target ID:	1
Start time:	09:18:09
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
Imagebase:	0x239b29c0000
File size:	136296 bytes
MD5 hash:	7EC8B56348F9298BCCA7A745C7F70E2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: cvtres.exePID: 6392, Parent PID: 6940

Function Logs

General

Target ID:	2
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
Imagebase:	0x7ff6de440000
File size:	47280 bytes
MD5 hash:	33BB8BE0B4F547324D93D5D2725CAC3D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: DataSvcUtil.exePID: 3636, Parent PID: 6940

Function Logs

General

Target ID:	3
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
Imagebase:	0x1fed2160000
File size:	71776 bytes
MD5 hash:	CCDF8F3B189FFB839B390F695FAE2A6D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: AppLaunch.exePID: 4988, Parent PID: 6940

Function Logs

General

Target ID:	4
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
Imagebase:	0x7ff71eec0000
File size:	119904 bytes
MD5 hash:	98A8F518B66BA43DF38821C364C3B791
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: MSBuild.exePID: 4916, Parent PID: 6940

Function Logs

General

Target ID:	5
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
Imagebase:	0x20986ef0000
File size:	258144 bytes
MD5 hash:	8B9E68304AF4B81C9AB70CB2220EBA74
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_regiis.exePID: 1304, Parent PID: 6940

Function Logs

General

Target ID:	6
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
Imagebase:	0x7ff66c790000
File size:	44640 bytes
MD5 hash:	061D8C0371566D560C5B15C77A34046F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_state.exePID: 4516, Parent PID: 6940

Function Logs

General

Target ID:	7
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
Imagebase:	0x7ff6ee380000
File size:	52832 bytes
MD5 hash:	9EDC7F9BB19D3F12EB05437BD5687C8A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_compiler.exePID: 3428, Parent PID: 6940

Function Logs

General

Target ID:	8
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
Imagebase:	0x1f6a9a60000
File size:	54888 bytes
MD5 hash:	7809A19AA8DA1A41F36B60B0664C4E20
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: ComSvcConfig.exePID: 3928, Parent PID: 6940

Function Logs

General

Target ID:	9
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
Imagebase:	0x18224ee0000
File size:	173672 bytes
MD5 hash:	2778AE0EB674B74FF8028BF4E51F1DF5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: AddInProcess32.exePID: 4436, Parent PID: 6940

Function Logs

General

Target ID:	10
Start time:	09:18:10
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
Imagebase:	0x1c0000
File size:	42080 bytes
MD5 hash:	F2A47587431C466535F3C3D3427724BE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_regbrowsers.exePID: 1092, Parent PID: 6940

Function Logs

General

Target ID:	11
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
Imagebase:	0x25efd4a0000
File size:	44648 bytes
MD5 hash:	BF7E443F1E1FA88AD5A2A5EB44F42834
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ngen.exePID: 1380, Parent PID: 6940

Function Logs

General

Target ID:	12
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
Imagebase:	0x7ff6c3910000
File size:	174184 bytes
MD5 hash:	FBA5E8D94C9EADC279BC06B9CF041A9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ilasm.exePID: 1364, Parent PID: 6940

Function Logs

General

Target ID:	13
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
Imagebase:	0x7ff75a2a0000
File size:	365664 bytes
MD5 hash:	155758025B42F1804E1429483BA53553
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ngentask.exePID: 1248, Parent PID: 6940

Function Logs

General

Target ID:	14
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
Imagebase:	0x22386810000
File size:	84576 bytes
MD5 hash:	AA98E294A0210BDA5F79A7288F91B78C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: Microsoft.Workflow.Compiler.exePID: 6608, Parent PID: 6940

Function Logs

General

Target ID:	15
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
Imagebase:	0x1cd1e470000
File size:	32872 bytes
MD5 hash:	D91462AE31562E241AF5595BA5E1A3C4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: mscorsvw.exePID: 4180, Parent PID: 6940

Function Logs

General

Target ID:	16
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
Imagebase:	0x7ff7330a0000
File size:	128584 bytes
MD5 hash:	B00E9325AC7356A3F4864EAAAD48E13F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: AddInUtil.exePID: 6708, Parent PID: 6940

Function Logs

General

Target ID:	17
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
Imagebase:	0x223e3180000
File size:	42600 bytes
MD5 hash:	65D30D747EB31E108A36EBC966C1227D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: jsc.exePID: 6668, Parent PID: 6940

Function Logs

General

Target ID:	18
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
Imagebase:	0x60000
File size:	46688 bytes
MD5 hash:	2B40A449D6034F41771A460DADD53A60
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_wp.exePID: 6736, Parent PID: 6940

Function Logs

General

Target ID:	19
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
Imagebase:	0x7ff7f0cf0000
File size:	50784 bytes
MD5 hash:	3F68BCF536EEAE067038C67022CDF6D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: InstallUtil.exePID: 6660, Parent PID: 6940

Function Logs

General

Target ID:	20
Start time:	09:18:11
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
Imagebase:	0x24bf9bf0000
File size:	40552 bytes
MD5 hash:	6EE3F830099ADD53C26DF5739B44D608
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: ServiceModelReg.exePID: 3760, Parent PID: 6940

Function Logs

General

Target ID:	21
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
Imagebase:	0x7ff6b38e0000
File size:	270440 bytes
MD5 hash:	80B018258257C2F78CBFE08198883AC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: dfsvc.exePID: 2240, Parent PID: 6940

Function Logs

General

Target ID:	22
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
Imagebase:	0x189f9cf0000
File size:	24160 bytes
MD5 hash:	48FD4DD682051712E3E7757C525DED71
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RegAsm.exePID: 4296, Parent PID: 6940

Function Logs

General

Target ID:	23
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
Imagebase:	0x22a71a10000
File size:	64096 bytes
MD5 hash:	2B5D765B33C67EBA41E9F47954227BC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 1008, Parent PID: 6940

Function Logs

General

Target ID:	24
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
Imagebase:	0x1ced1030000
File size:	107112 bytes
MD5 hash:	CB86BA6B2759BF478ADD7A1612C183D5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: RegSvcs.exePID: 4980, Parent PID: 6940

Function Logs

General

Target ID:	25
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
Imagebase:	0x21d93d60000
File size:	44640 bytes
MD5 hash:	59FCE79E9D81AB9E2ED4C3561205F5DF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: EdmGen.exePID: 6984, Parent PID: 6940

Function Logs

General

Target ID:	26
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
Imagebase:	0x16bbf4d0000
File size:	96864 bytes
MD5 hash:	2B6A31DFD7C9ED8B413DBDAB800F10F3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: csc.exePID: 6792, Parent PID: 6940

Function Logs

General

Target ID:	27
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Imagebase:	0x7ff790740000
File size:	2739304 bytes
MD5 hash:	B46100977911A0C9FB1C3E5F16A5017D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: AddInProcess.exePID: 6776, Parent PID: 6940

Function Logs

General

Target ID:	28
Start time:	09:18:12
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
Imagebase:	0x1ebbe670000
File size:	42080 bytes
MD5 hash:	11D8A500C4C0FBAF20EBDB8CDF6EA452
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: aspnet_regsql.exePID: 6760, Parent PID: 6940

Function Logs

General

Target ID:	29
Start time:	09:18:13
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
Imagebase:	0x25f43230000
File size:	126560 bytes
MD5 hash:	F31014EE4DE7FE48E9B7C9BE94CFB45F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: vbc.exePID: 6960, Parent PID: 6940

Function Logs

General

Target ID:	30
Start time:	09:18:13
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
Imagebase:	0x7ff627f20000
File size:	3226720 bytes
MD5 hash:	AC610BC00AF71E7C5B89F5AC0F65DAFA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Chronological Activities

Analysis Process: WsatConfig.exePID: 6588, Parent PID: 6940

Function Logs

General

Target ID:	31
Start time:	09:18:13
Start date:	27/04/2023
Path:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
Imagebase:	0x28ff7240000
File size:	152680 bytes
MD5 hash:	EDA1875528E99782E9A2C0001BB4C5A9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Memory Activities

Memory Usage Statistics

Show Windows behavior

Chronological Activities

Disassembly

Analysis Process: file.exePID: 6940, Parent PID: 3324COMMON

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	15.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	16
Total number of Limit Nodes:	1

Show Legend

Hide Nodes/Edges

Executed Functions

Function 00007FF9A5BA6DE0 Relevance: 3.7, Strings: 2, Instructions: 1231COMMON

Download Yara Rule

Strings

_, xrefs: 00007FF9A5BA75FB
D, xrefs: 00007FF9A5BA6FEF

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID: D$_
API String ID: 0-2196656589
Opcode ID: cd41fbab329bee5cec290bcd3d2095ae0998a11f3df3dcef99a0defd73db7d25
Instruction ID: 1bd6a9f53a17b637190d2358f184e2e4a27c60949a6cf787884f19600d3f8513
Opcode Fuzzy Hash: cd41fbab329bee5cec290bcd3d2095ae0998a11f3df3dcef99a0defd73db7d25
Instruction Fuzzy Hash: 1BD2D871E0A249EFEB10CBA8CA817DCB7F0EF16711F2445A5E145EB281D678AF14EB05

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BB03A5 Relevance: 3.1, Strings: 1, Instructions: 1892COMMON

Download Yara Rule

Strings

6\_H, xrefs: 00007FF9A5BB05AE

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID: 6\_H
API String ID: 0-3565561740
Opcode ID: 531ff1dd3006f254bf3099d1c0d7d79f51c94bd3e9ec797d9685ac502830be35
Instruction ID: 8c8cbc4cf1ce65c04994fbe86a73e9ece62814c8ab787fc65cf4fece9be6c1e1
Opcode Fuzzy Hash: 531ff1dd3006f254bf3099d1c0d7d79f51c94bd3e9ec797d9685ac502830be35
Instruction Fuzzy Hash: 1DD25430A0DB494FD319DB2884956B577E1FF86302B1486BEE4CAC72A2DE74F846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BB8B51 Relevance: 2.3, Strings: 1, Instructions: 1043
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N6^L, xrefs: 00007FF9A5BB8C4C

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID: N6^L
API String ID: 0-557519953
Opcode ID: ec586b8355ba782149702babc44ab5e7f36a45600f9e7d3df719125495120e02
Instruction ID: d998a28f61cfb900f3791cea0c491abf948ade7f5792ea04f8aa1fe513ba325c
Opcode Fuzzy Hash: ec586b8355ba782149702babc44ab5e7f36a45600f9e7d3df719125495120e02
Instruction Fuzzy Hash: 26624A70A0DB498FEB58EB28C4596B977E1FF56701F0405BEE08AC72A2DE74B846C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BADA89 Relevance: 1.7, Strings: 1, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

_\_H, xrefs: 00007FF9A5BADCAD

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID: _\_H
API String ID: 0-2460524293
Opcode ID: 3471197fefec2fb817ab429c78ce824ba400a3c0fe0a08fb18fe4336578a6d28
Instruction ID: a18599d4f9488cd5d908e42fa4f4498479145e2220a1ddb314529ef256ebe3e8
Opcode Fuzzy Hash: 3471197fefec2fb817ab429c78ce824ba400a3c0fe0a08fb18fe4336578a6d28
Instruction Fuzzy Hash: 85E1AB31A0DB864FE31DDB2884952B577E2FF92702B5446BED4CAC7292DE74B842C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BB7B3B Relevance: 1.1, Instructions: 1116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a6f9d4c9fa04efc0877e6568c69e81d475ec1e2bf8418e5c0862f359b3eeb8
Instruction ID: b36dc8b1cf1158b8bbd9d13ac48229bff660e2b04f25db6381c1c01b3252f81f
Opcode Fuzzy Hash: f8a6f9d4c9fa04efc0877e6568c69e81d475ec1e2bf8418e5c0862f359b3eeb8
Instruction Fuzzy Hash: 4772CA31A0EA4A4FE359DB28C4996B577E1FF96302B1005BEE0CEC7192DE65F846C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA8698 Relevance: .9, Instructions: 906COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08493e7a3a0a8cb77df03515b5131385948fa212c6f81c0bc01fd0d3feb26678
Instruction ID: 15f8998c4f3d231bd691cd9e004047397020c4b719c6354b3de3bd36c607bfe2
Opcode Fuzzy Hash: 08493e7a3a0a8cb77df03515b5131385948fa212c6f81c0bc01fd0d3feb26678
Instruction Fuzzy Hash: 20620030A19A098FE319EF28C488AB673A1FF95705F60067DD48BC7696DAB5FC42C740

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA8608 Relevance: .9, Instructions: 880COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a230ad07dfacb6bd7172cd2daeee092a55928be9fa6c2d4cf0d887b12d90214
Instruction ID: 8ef45d4f24253a591d62c8f7a27a047d74aba38a8763a061b8f931a45e811d53
Opcode Fuzzy Hash: 0a230ad07dfacb6bd7172cd2daeee092a55928be9fa6c2d4cf0d887b12d90214
Instruction Fuzzy Hash: 9B528930A0EB894FE759DB2884996B57BE1EF46701B1505BED0CEC71A3DEA8F806C741

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BAEEBA Relevance: .9, Instructions: 874COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9df22ef16fe1820c8d883d51f0446e8ef5fb785ed52085245ad7a19a07d1ea6a
Instruction ID: dac0bd1a7a0a8a8c81092a3b5f987229a930e8d37db6d03eca78728a289bd397
Opcode Fuzzy Hash: 9df22ef16fe1820c8d883d51f0446e8ef5fb785ed52085245ad7a19a07d1ea6a
Instruction Fuzzy Hash: 7F52D630B0AA094FEB68EB28D4957B977E1EF56701B1441BEE48EC7192DE64FC42C781

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BBAE01 Relevance: 1.8, APIs: 1, Instructions: 344
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF9A5BBB0A1

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: d30746b786eefa561c3f5b4a31e9c7dca545b6e2f5116aeac8712474bbe88895
Instruction ID: fcce860eeb5b4d19370f57a8aac8c55f216b783d2f1198e298b94caadecd46ad
Opcode Fuzzy Hash: d30746b786eefa561c3f5b4a31e9c7dca545b6e2f5116aeac8712474bbe88895
Instruction Fuzzy Hash: F2B1C470908A5C8FDB98DF18D898BE9BBF1FB69311F1011AED44EE3251DA75A980CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA29B2 Relevance: 1.8, APIs: 1, Instructions: 336
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE ref: 00007FF9A5BBB0A1

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 6a2307dfe4ad352fcdd6f1e2dfbf7d414b8a291211255e643845dbe6bcbefd6d
Instruction ID: 7cc5309464209ef6d791d0eee9b9940b504f33b70ba4bcecb3890acee9bbaa47
Opcode Fuzzy Hash: 6a2307dfe4ad352fcdd6f1e2dfbf7d414b8a291211255e643845dbe6bcbefd6d
Instruction Fuzzy Hash: F6B1B470908A1D8FDB98DF58D898BE9B7F1FB69311F1011AED44EE3251DAB5A980CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA2A92 Relevance: 1.8, APIs: 1, Instructions: 307
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MessageBoxA.USER32 ref: 00007FF9A5BBD5BE

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: Message
String ID:
API String ID: 2030045667-0
Opcode ID: f107ab5281cc01db3ea099926959bab380e9433bd645bca620f8800e95e70ec5
Instruction ID: 140d36ff8de5e6b3e6bfd6c359152de37c9c1605adcd7aea4d53e7c0bfff01db
Opcode Fuzzy Hash: f107ab5281cc01db3ea099926959bab380e9433bd645bca620f8800e95e70ec5
Instruction Fuzzy Hash: F2A14070918A4D8FDBA8DF28C8597E977E1FB59311F10413EE84ECB291DBB4A941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA2E21 Relevance: 1.8, APIs: 1, Instructions: 251
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE ref: 00007FF9A5BA2FB2

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2dee287f900f0b4462669db072716d54a23e84889b0a734bf444d31212519d6e
Instruction ID: c8275e013a7e9b595744c84563214774351261128b2f0b0008cff5a562fe9180
Opcode Fuzzy Hash: 2dee287f900f0b4462669db072716d54a23e84889b0a734bf444d31212519d6e
Instruction Fuzzy Hash: 39818670908A8D8FDFA8EF28D8457E97BE1FF59311F00412AE84DC7292DB75A585CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA337A Relevance: 1.7, APIs: 1, Instructions: 192
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 00007FF9A5BA34BA

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 0771ed81859e1a0e90f2c556a63ab5899f624ed8d53b9d89a3d15701df738270
Instruction ID: 6fbbbb3a79e066fcfdfe2394caeff88286a922f65f11fd2e8abd08ccca960778
Opcode Fuzzy Hash: 0771ed81859e1a0e90f2c556a63ab5899f624ed8d53b9d89a3d15701df738270
Instruction Fuzzy Hash: 47516B7090864D8FDB55DFA8C885BEDBBF1FB66310F1042AAD049E3252DB74A885CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA29A2 Relevance: 1.7, APIs: 1, Instructions: 177
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAllocEx.KERNELBASE ref: 00007FF9A5BBD2BF

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 622ab3b10386658f67e145827734409c78a4d4933cfabc62d4dd5ec5cc36b7e0
Instruction ID: a0f36e7e6bfa33807b7bc449faf20ff0a3cde38761e2b1dd66a48f158087a765
Opcode Fuzzy Hash: 622ab3b10386658f67e145827734409c78a4d4933cfabc62d4dd5ec5cc36b7e0
Instruction Fuzzy Hash: 0951E470908A1C8FDF98DF58C885BE9BBF1FB6A311F1051AAD04DE3251DA74A985CF44

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5C601D8 Relevance: .4, Instructions: 391COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333602249.00007FF9A5C60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5C60000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5c60000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0089eadc3497a713c5b2f3fdab0866065b0c07a766653e399c29a0470c4a328
Instruction ID: bf4abd1f79801a3eef13280b315ce6826359bd1b4047e315377becc9f87be5b0
Opcode Fuzzy Hash: c0089eadc3497a713c5b2f3fdab0866065b0c07a766653e399c29a0470c4a328
Instruction Fuzzy Hash: 6AB13A7391F7C25FE765D62888462657FF0EF63610F0405BEC0C9EB496E954794AC382

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00007FF9A5BA6198 Relevance: 1.2, Instructions: 1151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c9ac96493995bb4b9bbd62889c4dfb841aa340c55210642b8f7d73137cecaae
Instruction ID: 06a5312ee0278c8cf9011249fe2a449f5423dc37db45723480c93e38bd3cede1
Opcode Fuzzy Hash: 8c9ac96493995bb4b9bbd62889c4dfb841aa340c55210642b8f7d73137cecaae
Instruction Fuzzy Hash: 42825330A1E6868FE759CB2484853B57BE1EF96302F1541BDD4CECB5D3DAA8B846C780

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA30A6 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f67070a8c4ab8ee5de52ca52130d61c3eeaaeb6f0025a81e83b9d6eca0e418a
Instruction ID: d5c16b7ebd83fbe32c7b52203682f0af8d0c4ef8f65317bd82cb7ead52b8d08d
Opcode Fuzzy Hash: 2f67070a8c4ab8ee5de52ca52130d61c3eeaaeb6f0025a81e83b9d6eca0e418a
Instruction Fuzzy Hash: CA81B630908A8D8FEFA8EF28D8557E97BE0FF1A311F10416AD84DC7292DB74A945CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00007FF9A5BA1F3A Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.333489409.00007FF9A5BA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF9A5BA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7ff9a5ba0000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430af1f83b2fc5ac85fb21c08aa9f8124cde5e7c03f344153b7ee1ececfa746b
Instruction ID: 2d09b7c2fe98152d20ff21f88c8be81b2c942415e72259113a48e9f288c7160b
Opcode Fuzzy Hash: 430af1f83b2fc5ac85fb21c08aa9f8124cde5e7c03f344153b7ee1ececfa746b
Instruction Fuzzy Hash: 9081CA30908A8D8FDBA8EF28D8457E97BE0FF5A311F10416AE94DC7292DB74A545CB81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Vidar

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Exploits

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Network Behavior

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

Windows Analysis Report
file.exe