Windows Analysis Report
SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Analysis ID: 1427173
MD5: 921557c2b17618359e49a321117a5917
SHA1: a2ae5fb4d614f3fca87a42f1fc15800a22d36504
SHA256: b06beeb0116f23b271122767f0be842dd5c5082b1e585e79ded01985a8fe0036
Tags: exe

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe (PID: 4128 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe" MD5: 921557C2B17618359E49A321117A5917)
    • conhost.exe (PID: 2952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Virustotal: Detection: 7%
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdbSHA256 source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: http://.css
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: http://.jpg
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: http://html4/loose.dtd
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/GlobalizationInvariantMode
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/binaryformatter
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet-illink/com
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet-illink/com)
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet-illink/nativehost
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/app-launch-failedRequired:
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/download
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/download%s%sInstall
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/info
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/dotnet/sdk-not-found
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://aka.ms/nativeaot-compatibility
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://dl.google.com/android/repository/platform-tools-latest-windows.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/7za.exe9Extract
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/Balatro-APK-Pat
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/balatro-base.ip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/dotnet/runtime
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/love2d/love-android/releases/download/11.5a/love-11.5-android-embed.apk7love-11.5
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3292163811.000002E7C1D10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4%j
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3292163811.000002E7C1D10000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe)python-installer.exe)Installing
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilename vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3296042280.00007FF735425000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3296042280.00007FF735425000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291561128.000002A72CE20000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291805414.000002A72CF40000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291491514.000002A72CDF0000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291491514.000002A72CDF0000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291986537.000002E7C1AC0000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe, 00000000.00000002.3291468145.000002A72CDD0000.00000002.00000001.00040000.00000003.sdmp | Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenamemscordaccore.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenamebalatro-mobile-maker.dllJ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameMicrosoft.Win32.Registry.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Collections.Concurrent.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Collections.Immutable.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Collections.NonGeneric.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Collections.Specialized.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Collections.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.ComponentModel.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.ComponentModel.TypeConverter.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Console.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Diagnostics.DiagnosticSource.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Diagnostics.Process.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Diagnostics.StackTrace.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Formats.Asn1.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.IO.Compression.Brotli.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.IO.Compression.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.IO.MemoryMappedFiles.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Http.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.NameResolution.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.NetworkInformation.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Primitives.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Quic.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Requests.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Security.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.ServicePoint.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.Sockets.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.WebClient.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Net.WebHeaderCollection.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.ObjectModel.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Private.CoreLib.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Private.Uri.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Reflection.Metadata.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Runtime.Numerics.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Security.Claims.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Security.Cryptography.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Security.Principal.Windows.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.Threading.Channels.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Binary or memory string: OriginalFilenameSystem.dll@ vs SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: classification engine | Classification label: mal48.winEXE@2/1@0/0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static file information: TRID: Win64 Executable Console Net Framework (206006/5) 46.24%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: overflow:hidden;img src="http://addEventListenerresponsible for s.js"></script>
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: Morph - Structs/AddrExp
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: prejitIndirect call transformExpand patchpointsPre-importImportationProfile instrumentationProfile incorporationPost-importProfile instrumentation prepMorph - Add internal blocksAllocate ObjectsMorph - InitMorph - InliningMerge callfinally chainsClone finallyRemove empty tryRemove empty finallyMorph - Structs/AddrExpEarly livenessUpdate finally target flagsUpdate flow graph early passIdentify candidates for implicit byref copy omissionMorph - ByRefsPhysical promotionForward SubstitutionMorph - FinishGS CookieMorph - Promote StructsMorph - GlobalTail mergeMerge throw blocksCompute edge weights (1, false)Create EH funcletsOptimize control flowOptimize layoutInvert loopsPost-morph tail mergeRedundant zero InitsFind loopsCompute blocks reachabilitySet block weightsClear loop infoMorph array opsClone loopsUnroll loopsOptimize boolsFind oper orderHoist loop codeMark local varsSSA: topological sortSSA: Doms1Set block orderBuild SSA representationSSA: insert phisSSA: renameSSA: livenessSSA: DFOptimize index checksOptimize Valnum CSEsEarly Value PropagationDo value numberingRedundant branch optsAssertion propVN based copy propVN based intrinsic expansionUpdate flow graph opt passCompute edge weights (2, false)If conversionVN-based dead store removalExpand static initExpand TLS accessStress gtSplitTreeExpand runtime lookupsRationalize IRDo 'simple' loweringInsert GC PollsDetermine first cold blockPer block local var livenessGlobal local var livenessLocal var livenessLocal var liveness initCalculate stack level slotsLinear scan register allocLowering decompositionLowering nodeinfoLSRA resolvePlace 'align' instructionsLSRA build intervalsLSRA allocateEmit GC+EH tablesPost-EmitGenerate codeEmit code Compiled %d methods.
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: GC initialization failed with error 0x%08XVirtualAlloc2kernelbase.dllMapViewOfFile3string too longbad array new lengthApplication root path is empty. This shouldn't happenUsing internal fxrUsing internal hostpolicyPath containing probing policy and assemblies to probe for.<path>--additionalprobingpathPath to <application>.runtimeconfig.json file.--runtimeconfigPath to <application>.deps.json file.--depsfile--roll-forwardVersion of the installed Shared Framework to use to run the application.<version>--fx-versionPath to additional deps.json file.--additional-depsRoll forward to framework version (LatestPatch, Minor, LatestMinor, Major, LatestMajor, Disable)<value>sdk<obsolete><n>--roll-forward-on-no-candidate-fxUsing the provided arguments to determine the application to execute. %s %-*s %sFailed to parse supported options or their values:Parsed known arg %s = %sThe application to execute does not exist: '%s'dotnet exec needs a managed .dll or .exe extension. The application specified was '%s'Application '%s' does not exist.Application '%s' is not a managed executable.exec--- Executing in muxer mode...--- Executing in a native executable mode...--- Executing in split/FX mode...
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: %sNot foundhost-options: The path to an application .dll file to execute.path-to-application:Usage: dotnet [host-options] [path-to-application] -h|--help Displays this help.Common Options: --list-sdks Display the installed SDKs --list-runtimes Display the installed runtimesunordered_map/set too longinvalid string positionvector too long --info Display .NET information.invalid hash bucket count--- Invoked %s [version: %s]hostfxr_main_startupinfoInvalid startup info: host_path, dotnet_root, and app_path should not be null.A fatal error occurred while processing application bundlehostfxr_main_bundle_startupinfoget-native-search-directories.dev.json.jsonHosting components are already initialized. Re-initialization to execute an app is not allowed.Ignoring host interpreted additional probing path %s as it does not exist.|arch|/|tfm||arch|\|tfm|Runtime config is cfg=%s dev=%sSpecified runtimeconfig.json from [%s]App runtimeconfig.json from [%s]The specified runtimeconfig.json [%s] does not existIgnoring additional probing path %s as it does not exist..runtimeconfig.jsonDetecting mode... CoreCLR present in dotnet root [%s] and checking if [%s] file present=[%d].deps.jsonInvalid runtimeconfig.json [%s] [%s]DOTNET_ADDITIONAL_DEPSIt's invalid to use both '%s' and '%s' command line options.Invalid value for command line argument '%s'The specified deps.json [%s] does not existExecuting as a %s app as per config file [%s]self-containedframework-dependentHOSTFXR_PATH--list-runtimes--list-sdksUsing dotnet root path [%s]/?-?--help-hdotnet.dll The command could not be loaded, possibly because:
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4%java-installer.exe%Installing Java...+java-installer.exe /sUJava still not detected! Try to re-launch.Oexplorer https://www.java.com/download/-Checking for Python...-python --version 3>NUL
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe)python-installer.exe)Installing Python...7python-installer.exe /quiet
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: Python still not detected! Try to re-launch, or install Python manually from the Microsoft Store.
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: ccd platform-tools && cd platform-tools && adb push "%AppData%/Balatro/." /data/local/tmp/balatro/files/save/game && adb shell am force-stop com.unofficial.balatro && adb shell run-as com.unofficial.balatro cp -r /data/local/tmp/balatro/files . && adb shell rm -r /data/local/tmp/balatro && adb kill-servermWould you like to pull saves from your Android device?
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: cd platform-tools && cd platform-tools && adb pull /data/local/tmp/balatro/files/. %AppData%/Balatro/eAttempting to pull save files from Android device.7Deleting temporary files...-del java-installer.exe?del love-11.5-android-embed.apk3del Balatro-APK-Patch.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: del 7za.exeSdel balatro-aligned-debugSigned.apk.idsig1del balatro-unsigned.apk-del platform-tools.zip1del python-installer.exe
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/7za.exe9Extracting platform-tools...S7za x platform-tools.zip -oplatform-tools
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/Balatro-APK-Patch.zip+Balatro-APK-Patch.zip
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/balatro-base.ipa!balatro-base.ipa;An unexpected error occurred!
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: maxBufferSize!CheckTaskNotNull/LoadIntoBufferAsyncCore%HttpMessageHandlerSend
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: ,!requests-started!Requests Started+requests-started-rate+Requests Started Rate
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: usableCHTTP2 connection no longer usableUCreating new HTTP/1.1 connection for pool.1AddHttp11ConnectionAsyncQCreating new HTTP/2 connection for pool./AddHttp2ConnectionAsync
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | String found in binary or memory: (?)-AddressChangedCallback
Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Section loaded: kernel.appcore.dll
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static file information: File size 14477139 > 1048576
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x617000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x17d400
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x147000
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\Corehost.Static\singlefilehost.pdb | source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdbSHA256 | source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: C:\Users\blake\OneDrive\Programming\Projects\C#\balatro-mobile-maker\balatro-mobile-maker\obj\Release\net8.0\win-x64\linked\balatro-mobile-maker.pdb | source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Source: Binary string: D:\a\_work\1\s\artifacts\obj\coreclr\windows.x64.Release\dlls\mscordac\mscordaccore.pdb | source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
Note on these four strings: singlefilehost.pdb is the symbol path of the .NET runtime's single-file host, mscordaccore.pdb that of the CoreCLR data-access component (its presence indicates an embedded copy of that PE), and balatro-mobile-maker.pdb under obj\Release\net8.0\win-x64\linked\ is the IL-trimmed ("linked") build output of the balatro-mobile-maker project. Together with the empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR in the static analysis further down, this identifies the file as a native .NET 8 self-contained single-file publish whose managed assemblies travel in the bundle appended to the host, not a plain MSIL executable.
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: section name: .CLR_UEF
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: section name: .didat
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: section name: Section
Source: SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Memory allocated: 2A72B500000 memory reserve | memory write watch. Note: CoreCLR's garbage collector reserves its heap with MEM_WRITE_WATCH on Windows, so a write-watch reservation is expected from any .NET single-file host and is a weak sandbox-evasion indicator on its own.
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | Code function: 0_2_00007FF7351FAE0C GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter | 0_2_00007FF7351FAE0C. Note: this API sequence is the MSVC CRT's __security_init_cookie, which seeds the /GS stack cookie from the current time, process ID, thread ID and performance counter; it is present in every MSVC-built native binary and is what the System Time Discovery entry in the matrix below is counting.
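The singlefilehost.pdb path above marks the sample as a .NET single-file bundle: the managed assemblies are appended to the native host rather than exposed through a CLR header, which is also why the file is several megabytes larger than its section table accounts for. As an added example, not code from the report or from the balatro-mobile-maker project, here is a standard-library Python locator and manifest parser for that bundle. The host stores an 8-byte little-endian manifest offset immediately before the SHA-256 of the string ".net core bundle"; the manifest field order and the raw-deflate compression of entries follow dotnet/runtime's Microsoft.NET.HostModel bundler as I recall them, so treat that layout as an assumption and check it against the repository for the bundle version you meet. The sample input, including the file names in it, is constructed inside the block and is not the analysed file.

```python
import hashlib
import struct
import zlib

# singlefilehost carries a 40-byte marker: 8 bytes (little-endian int64) holding the
# offset of the bundle manifest, immediately followed by SHA-256(".net core bundle").
# The offset is zero in a host that was never turned into a single-file bundle.
BUNDLE_SIGNATURE = hashlib.sha256(b".net core bundle").digest()
FILE_TYPES = {0: "Unknown", 1: "Assembly", 2: "NativeBinary", 3: "DepsJson",
              4: "RuntimeConfigJson", 5: "Symbols"}


def read_string(data: bytes, pos: int):
    """BinaryWriter.Write(string): 7-bit varint byte length, then UTF-8 bytes."""
    length, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        length |= (b & 0x7F) << shift
        if not b & 0x80:
            break
        shift += 7
    return data[pos:pos + length].decode("utf-8"), pos + length


def find_manifest_offset(data: bytes):
    """Return the manifest offset stored in the marker, or None if the file is not a bundle."""
    pos = data.find(BUNDLE_SIGNATURE)
    while pos != -1:
        if pos >= 8:
            (off,) = struct.unpack_from("<q", data, pos - 8)
            if 0 < off < len(data):
                return off
        pos = data.find(BUNDLE_SIGNATURE, pos + 1)
    return None


def parse_manifest(data: bytes, off: int) -> dict:
    """Manifest layout as written by Microsoft.NET.HostModel (assumed; verify against the repo)."""
    major, minor, count = struct.unpack_from("<iii", data, off)
    bundle_id, pos = read_string(data, off + 12)
    if major >= 2:   # deps.json and runtimeconfig.json locations (offset, size) plus flags
        pos += 5 * 8
    files = []
    for _ in range(count):
        foff, fsize = struct.unpack_from("<qq", data, pos)
        pos += 16
        csize = 0
        if major >= 6:   # compressed size; non-zero when EnableCompressionInSingleFile was on
            (csize,) = struct.unpack_from("<q", data, pos)
            pos += 8
        ftype, pos = data[pos], pos + 1
        path, pos = read_string(data, pos)
        files.append({"path": path, "type": FILE_TYPES.get(ftype, ftype), "offset": foff,
                      "size": fsize, "compressed_size": csize})
    return {"version": (major, minor), "bundle_id": bundle_id, "files": files}


def extract_entry(data: bytes, entry: dict) -> bytes:
    """Slice one bundled file out of the host; compressed entries are raw deflate."""
    start = entry["offset"]
    if entry["compressed_size"]:
        return zlib.decompress(data[start:start + entry["compressed_size"]], -15)
    return data[start:start + entry["size"]]


def build_bundle(host_stub: bytes, files) -> bytes:
    """Constructed version-6.0 bundle used as sample input; files = [(path, type, bytes)]."""
    def write_string(s):
        raw, n, prefix = s.encode(), len(s.encode()), b""
        while True:
            prefix += bytes([(n & 0x7F) | (0x80 if n > 0x7F else 0)])
            n >>= 7
            if not n:
                return prefix + raw
    body = bytearray(host_stub) + struct.pack("<q", 0) + BUNDLE_SIGNATURE
    marker_at = len(body) - 40
    entries = []
    for path, ftype, content in files:
        entries.append((path, ftype, len(body), len(content)))
        body += content
    manifest_at = len(body)
    body += struct.pack("<iii", 6, 0, len(files)) + write_string("constructed-id") + b"\0" * 40
    for path, ftype, off, size in entries:
        body += struct.pack("<qqq", off, size, 0) + bytes([ftype]) + write_string(path)
    struct.pack_into("<q", body, marker_at, manifest_at)
    return bytes(body)


# Constructed sample: a fake host stub (not a real PE) followed by a bundle with two files
# whose names are hypothetical stand-ins for the project's own outputs.
SAMPLE = build_bundle(b"MZ fake singlefilehost " * 4, [
    ("balatro-mobile-maker.dll", 1, b"MZ\x90\x00 managed assembly bytes"),
    ("balatro-mobile-maker.runtimeconfig.json", 4, b'{"runtimeOptions":{}}'),
])
```

On a real host, read the whole file, call find_manifest_offset, then parse_manifest and extract_entry to recover the managed assembly for decompilation; a host whose marker still holds offset 0 is not bundled. Entries with a non-zero compressed size must be inflated before they are parsed as PE files.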
MITRE ATT&CK matrix (a number in parentheses is the count of matched signatures for that technique; cells without a number carry no matched signature):
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook
Defense Evasion: Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
Discovery: System Time Discovery (1); Virtualization/Sandbox Evasion (1); System Information Discovery (2); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | 7% | Virustotal |
SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe | 5% | ReversingLabs |
No Antivirus matches
No Antivirus matches
No Antivirus matches
No Antivirus matches
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
(Source "sample" = SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe; "sdmp" = memory dump 00000000.00000002.3292163811.000002E7C1D10000.00000004.00001000.00020000.00000000.sdmp)
http://html4/loose.dtd | sample | false | | low
https://github.com/love2d/love-android/releases/download/11.5a/love-11.5-android-embed.apk7love-11.5 | sample | false | | high
https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/Balatro-APK-Pat | sample | false | | high
https://aka.ms/dotnet/info | sample | false | | high
https://aka.ms/dotnet/download%s%sInstall | sample | false | | high
https://dl.google.com/android/repository/platform-tools-latest-windows.zip | sample | false | | high
https://aka.ms/dotnet-illink/com | sample | false | | high
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4%j | sample | false | | high
https://aka.ms/dotnet/app-launch-failed | sample | false | | high
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=249553_4d245f941845490c91360409ecffb3b4 | sample, sdmp | false | | high
https://github.com/patrickfav/uber-apk-signer/releases/download/v1.3.0/uber-apk-signer-1.3.0.jar | sample | false | | high
http://.css | sample | false | | low
https://aka.ms/dotnet/app-launch-failedRequired: | sample | false | | high
https://aka.ms/dotnet-core-applaunch? | sample | false | | high
https://aka.ms/dotnet-illink/com) | sample | false | | high
https://github.com/dotnet/runtime | sample | false | | high
https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/7za.exe9Extract | sample | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid | sample | false | | high
https://aka.ms/dotnet-warnings/ | sample | false | | high
https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe)python-installer.exe)Installing | sample | false | | high
https://github.com/blake502/balatro-apk-maker/releases/download/Additional-Tools-1.0/balatro-base.ip | sample | false | | high
https://aka.ms/nativeaot-compatibility | sample | false | | high
https://aka.ms/dotnet/sdk-not-found | sample | false | | high
https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe | sample, sdmp | false | | high
https://aka.ms/binaryformatter | sample | false | | high
https://aka.ms/GlobalizationInvariantMode | sample | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | sample | false | | high
http://.jpg | sample | false | | low
https://bitbucket.org/iBotPeaches/apktool/downloads/apktool_2.9.3.jar | sample | false | | high
https://aka.ms/dotnet-illink/nativehost | sample | false | | high
https://aka.ms/dotnet/download | sample | false | | high
                                                                No contacted IP infos
                                                                Joe Sandbox version:40.0.0 Tourmaline
                                                                Analysis ID:1427173
                                                                Start date and time:2024-04-17 07:32:10 +02:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 5m 39s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:5
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:0
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
                                                                Detection:MAL
                                                                Classification:mal48.winEXE@2/1@0/0
                                                                EGA Information:
                                                                • Successful, ratio: 100%
                                                                HCA Information:Failed
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                No simulations
                                                                No context
                                                                No context
                                                                No context
                                                                No context
                                                                No context
                                                                Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
                                                                File Type:ASCII text, with CRLF, LF line terminators
                                                                Category:dropped
                                                                Size (bytes):167
                                                                Entropy (8bit):4.865353189802198
                                                                Encrypted:false
                                                                SSDEEP:3:1taqTy1YYvhWcL6BKk6pgX2/A4SSfvMy5cLF3EQsPMGM2vQGgdZtF5n:uMKHeD6pS6HMzsPs2vQVdZtF5n
                                                                MD5:BDABAD0608B70DFDBED2AEAB4FC87446
                                                                SHA1:462073117F8E9F8CC35F771FAE38F3C93C1B887B
                                                                SHA-256:48660E2AD7303B9141BAE53E2B184BE498C804D25B235E0D9DFED2B5EEC6517E
                                                                SHA-512:A4D5734E5E19BA17AC06EDB1569D6C50981279D982ADC8FE2767F82D96AA814972B40F7505C08BD0DEFAC58E16D86986A758F2E99593C8A783A3AFA7BA94450C
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:====Balatro APK Maker====.7-Zip is licensed under the GNU LGPL license. Please visit: www.7-zip.org....Would you like to automatically clean up once complete? (y/n):..
                                                                File type:PE32+ executable (console) x86-64, for MS Windows
                                                                Entropy (8bit):6.51127526661261
                                                                TrID:
                                                                • Win64 Executable Console Net Framework (206006/5) 46.24%
                                                                • Win64 Executable Console (202006/5) 45.34%
                                                                • Win64 Executable (generic) Net Framework (21505/4) 4.83%
                                                                • Win64 Executable (generic) (12005/4) 2.69%
                                                                • Generic Win/DOS Executable (2004/3) 0.45%
                                                                File name:SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
                                                                File size:14'477'139 bytes
                                                                MD5:921557c2b17618359e49a321117a5917
                                                                SHA1:a2ae5fb4d614f3fca87a42f1fc15800a22d36504
                                                                SHA256:b06beeb0116f23b271122767f0be842dd5c5082b1e585e79ded01985a8fe0036
                                                                SHA512:5767a8fa074d3d8065c01573817ce1942bf3cc394dd59d33db2ce8120eebb4cde9efda9f7e5b8b4f8184390890b96d594cd14991ea67a75f47fbcb8ead7ada29
                                                                SSDEEP:196608:PhCe9IfzJidXDDGSFzaICetJCoabNuOb4:PQeufzJiVWSFXXtJC7G
                                                                TLSH:5EE6AE02E3FC02A9E5BFC278C5665517D7B278151720EBDF165489A92F33BD0AE39322
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........r.)Z..zZ..zZ..zSk|zL..zZ..z[..z...{H..z...{F..z...{...z.k.{R..z.k.{W..zZ..zR..z...{O..z...{...z...{[..z...z[..z...{[..zRichZ..
                                                                Icon Hash:00928e8e8686b000
                                                                Entrypoint:0x1405caa00
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x140000000
                                                                Subsystem:windows cui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
                                                                DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x65F9E99A [Tue Mar 19 19:38:02 2024 UTC]
                                                                TLS Callbacks:0x405c9e90, 0x1, 0x405ca650, 0x1
                                                                CLR (.Net) Version:
                                                                OS Version Major:6
                                                                OS Version Minor:0
                                                                File Version Major:6
                                                                File Version Minor:0
                                                                Subsystem Version Major:6
                                                                Subsystem Version Minor:0
                                                                Import Hash:b819c89ac9b569d0bbb77889674017b2
Instruction (entry-point disassembly; Joe Sandbox decodes this x64 code with a 32-bit disassembler, so each "dec eax" below is really a REX.W prefix: the first lines are sub rsp, 28h / call / add rsp, 28h / jmp, the standard MSVC CRT entry stub, and the cpuid routine that XORs against 6C65746Eh, 49656E69h and 756E6547h is the CRT's check for the "GenuineIntel" vendor string)
                                                                dec eax
                                                                sub esp, 28h
                                                                call 00007FCD7C7D8B68h
                                                                dec eax
                                                                add esp, 28h
                                                                jmp 00007FCD7C7D85CFh
                                                                int3
                                                                int3
                                                                dec eax
                                                                sub esp, 28h
                                                                call 00007FCD7C4C9538h
                                                                jmp 00007FCD7C7D8764h
                                                                xor eax, eax
                                                                dec eax
                                                                add esp, 28h
                                                                ret
                                                                int3
                                                                int3
                                                                jmp 00007FCD7C7D874Ch
                                                                int3
                                                                int3
                                                                int3
                                                                dec eax
                                                                mov dword ptr [esp+10h], ebx
                                                                dec eax
                                                                mov dword ptr [esp+18h], esi
                                                                push edi
                                                                dec eax
                                                                sub esp, 10h
                                                                xor eax, eax
                                                                xor ecx, ecx
                                                                cpuid
                                                                inc esp
                                                                mov eax, ecx
                                                                inc ebp
                                                                xor ebx, ebx
                                                                inc esp
                                                                mov edx, edx
                                                                inc ecx
                                                                xor eax, 6C65746Eh
                                                                inc ecx
                                                                xor edx, 49656E69h
                                                                inc esp
                                                                mov ecx, ebx
                                                                mov esi, eax
                                                                xor ecx, ecx
                                                                inc ecx
                                                                lea eax, dword ptr [ebx+01h]
                                                                inc ebp
                                                                or edx, eax
                                                                cpuid
                                                                inc ecx
                                                                xor ecx, 756E6547h
                                                                mov dword ptr [esp], eax
                                                                inc ebp
                                                                or edx, ecx
                                                                mov dword ptr [esp+04h], ebx
                                                                mov edi, ecx
                                                                mov dword ptr [esp+08h], ecx
                                                                mov dword ptr [esp+0Ch], edx
                                                                jne 00007FCD7C7D87BDh
                                                                dec eax
                                                                or dword ptr [001CC607h], FFFFFFFFh
                                                                and eax, 0FFF3FF0h
                                                                dec eax
                                                                mov dword ptr [001CC5EFh], 00008000h
                                                                cmp eax, 000106C0h
                                                                je 00007FCD7C7D878Ah
                                                                cmp eax, 00020660h
                                                                je 00007FCD7C7D8783h
                                                                cmp eax, 00020670h
                                                                je 00007FCD7C7D877Ch
                                                                add eax, FFFCF9B0h
                                                                cmp eax, 20h
                                                                jnbe 00007FCD7C7D8786h
                                                                dec eax
                                                                mov ecx, 00010001h
                                                                add dword ptr [eax], eax
                                                                Programming Language:
                                                                • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IM
AGE_DIRECTORY_ENTRY_EXPORT | 0x793320 | 0xc4 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7933e4 | 0x168 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x804000 | 0x146fc0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x7b7000 | 0x3606c | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x94b000 | 0x7e40 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x706570 | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x706780 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6205c0 | 0x140 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x619000 | 0xec8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7930dc | 0x60 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x616e8c | 0x617000 | 93ba23585b4c50dc30464f8c2e89a235 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.CLR_UEF | 0x618000 | 0xdd | 0x200 | 0f029650c707355fdeca72d623b2f059 | False | 0.4140625 | zlib compressed data | 3.101176305399617 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x619000 | 0x17d212 | 0x17d400 | 4b5bff4c697d826c3d518f335b849539 | False | 0.41810258709016396 | data | 5.673676593462084 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x797000 | 0x1ff34 | 0x9800 | 7943f826dcb870f5fc5833c91b34c3df | False | 0.197265625 | DIY-Thermocam raw data (Lepton 2.x), scale -32619-31040, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 512.000000, slope 60934707261039714500608.000000 | 3.3134569536659537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x7b7000 | 0x3606c | 0x36200 | 729e39f881ef69204e11a19a8aef23c8 | False | 0.5050068562355658 | data | 6.479757411344553 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.didat | 0x7ee000 | 0x38 | 0x200 | fe9ee59259a2bf6e81918437d96b083f | False | 0.068359375 | data | 0.42693031941489346 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Section | 0x7ef000 | 0x8 | 0x200 | bf619eac0cdf3f68d496ea9344137e8b | False | 0.02734375 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x7f0000 | 0x13408 | 0x13600 | 5b0a1a761734007585458397271ec848 | False | 0.1876008064516129 | data | 5.489522104557175 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x804000 | 0x146fc0 | 0x147000 | 925f1490715d461de62ba40377fd1aef | False | 0.432190128058104 | data | 6.359038635664507 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x94b000 | 0x7e40 | 0x8000 | 4c1648f746054940bd1c6e8ed64e2f91 | False | 0.1563720703125 | data | 5.443061218573424 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_RCDATA | 0x804190 | 0x24 | data | | | 1.2222222222222223
RT_RCDATA | 0x8041b4 | 0x24 | data | | | 1.2222222222222223
RT_RCDATA | 0x8041d8 | 0x146820 | PE32+ executable (DLL) (GUI) x86-64, for MS Windows | | | 0.43875598907470703
RT_VERSION | 0x94a9f8 | 0x38c | PGP symmetric key encrypted data - Plaintext or unencrypted data | | | 0.40308370044052866
RT_MANIFEST | 0x94ad84 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
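The static observations the report makes (DLL characteristics, unusual section names, per-section entropy, the empty COM descriptor, and a PE32+ DLL sitting in RT_RCDATA) can be reproduced without the sandbox. The following Python is an added example, not code from Joe Sandbox or from the analysed project: it parses PE32+ headers with the standard library only, flags sections whose names fall outside a list of common linker section names that is the example's own choice, treats entropy above 7.0 bits per byte as high (again the example's threshold), and scans the raw file for embedded MZ/PE headers instead of walking the resource tree. Because the sample is not available here, the block builds a small constructed PE32+ image carrying the report's mitigation flags, two oddly named sections and a second PE embedded in .rsrc.

```python
import math
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification.
DLL_CHARACTERISTICS = {0x20: "HIGH_ENTROPY_VA", 0x40: "DYNAMIC_BASE", 0x80: "FORCE_INTEGRITY",
                       0x100: "NX_COMPAT", 0x200: "NO_ISOLATION", 0x400: "NO_SEH",
                       0x800: "NO_BIND", 0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER",
                       0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE"}
# Section names the MSVC/LLVM linkers normally emit; this list is the example's own choice.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc", ".idata", ".edata",
                   ".tls", ".bss", ".xdata", ".gfids", ".didat", ".00cfg"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(v) for v in range(256)) if c) if n else 0.0


def parse_pe64(data: bytes) -> dict:
    """Read the PE32+ headers with the standard library only."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER64
    if struct.unpack_from("<H", data, opt)[0] != 0x20B:
        raise ValueError("only PE32+ is handled here")
    (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    (ndirs,) = struct.unpack_from("<I", data, opt + 108)
    # Data directory 14 is the CLR header; managed PEs have one, a native host does not.
    clr_size = struct.unpack_from("<II", data, opt + 112 + 8 * 14)[1] if ndirs > 14 else 0
    sections = []
    for i in range(nsect):
        name, vsize, rva, rsize, rptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "rva": rva,
                         "vsize": vsize, "rsize": rsize, "flags": flags,
                         "entropy": shannon_entropy(data[rptr:rptr + rsize])})
    return {"image_base": image_base, "dll_characteristics": dll_chars,
            "clr_header_size": clr_size, "sections": sections}


def find_embedded_pe(data: bytes) -> list:
    """File offsets (past 0) of 'MZ' headers whose e_lfanew lands on a PE signature."""
    hits, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        if pos + 0x40 <= len(data):
            (lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            if 0x40 <= lfanew < 0x400 and data[pos + lfanew:pos + lfanew + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage(data: bytes) -> dict:
    """The report's static observations as one dictionary of findings."""
    pe = parse_pe64(data)
    return {"mitigations": [n for bit, n in DLL_CHARACTERISTICS.items() if pe["dll_characteristics"] & bit],
            "nonstandard_sections": [s["name"] for s in pe["sections"] if s["name"] not in COMMON_SECTIONS],
            "high_entropy_sections": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0],
            "managed": pe["clr_header_size"] != 0,
            "embedded_pe_offsets": find_embedded_pe(data)}


def build_pe64(sections, dll_chars, image_base=0x140000000) -> bytes:
    """Constructed PE32+ image used as sample input; sections = [(name, bytes, flags)]."""
    falign, salign, opt_size = 0x200, 0x1000, 240
    hdr_len = -(-(0x40 + 4 + 20 + opt_size + 40 * len(sections)) // falign) * falign
    shdrs, blobs, rptr, rva = b"", b"", hdr_len, salign
    for name, blob, flags in sections:
        rsize = -(-len(blob) // falign) * falign
        shdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(blob), rva, rsize, rptr, 0, 0, 0, 0, flags)
        blobs += blob.ljust(rsize, b"\0")
        rptr += rsize
        rva += -(-max(len(blob), 1) // salign) * salign
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    fhdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII", 0x20B, 14, 0, 0, 0, 0, 0x1000, 0x1000,
                      image_base, salign, falign, 6, 0, 6, 0, 6, 0, 0, rva, hdr_len, 0, 3,
                      dll_chars, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    return (dos + b"PE\0\0" + fhdr + opt + shdrs).ljust(hdr_len, b"\0") + blobs


# Constructed sample: the report's mitigation flags (0xC160), two oddly named sections and
# a second PE32+ image stashed in .rsrc, standing in for the RT_RCDATA DLL.
MITIGATIONS = 0x20 | 0x40 | 0x100 | 0x4000 | 0x8000
INNER_DLL = build_pe64([(".text", b"\xCC" * 16, 0x60000020)], 0x160)
SAMPLE = build_pe64([(".text", bytes(range(256)) * 8, 0x60000020),
                     ("Section", b"\0" * 8, 0xC0000040),
                     ("_RDATA", b"A" * 64, 0x40000040),
                     (".rsrc", INNER_DLL, 0x40000040)], MITIGATIONS)
```

To triage a real file, replace SAMPLE with the bytes read from disk and inspect triage(...). The MZ scan will also hit any uncompressed assemblies inside a .NET single-file bundle, which is fine for a first look but means an offset has to be tied back to a specific RT_RCDATA entry with a resource-tree walk before it can be called a resource.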
                                                                DLL | Import
                                                                KERNEL32.dll | RaiseException, FreeLibrary, SetErrorMode, RaiseFailFastException, GetExitCodeProcess, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, AddVectoredExceptionHandler, MultiByteToWideChar, GetTickCount, FlushInstructionCache, QueryPerformanceFrequency, QueryPerformanceCounter, RtlLookupFunctionEntry, LocateXStateFeature, RtlDeleteFunctionTable, InterlockedPushEntrySList, InterlockedFlushSList, InitializeSListHead, GetTickCount64, DuplicateHandle, QueueUserAPC, WaitForSingleObjectEx, SetThreadPriority, GetThreadPriority, GetCurrentThreadId, TlsAlloc, GetCurrentThread, GetCurrentProcessId, CreateThread, GetModuleHandleW, WaitForMultipleObjectsEx, SignalObjectAndWait, RtlCaptureContext, SetThreadStackGuarantee, VirtualQuery, WriteFile, GetStdHandle, GetConsoleOutputCP, MapViewOfFileEx, UnmapViewOfFile, GetStringTypeExW, InterlockedPopEntrySList, ExitProcess, Sleep, CreateMemoryResourceNotification, VirtualAlloc, VirtualFree, VirtualProtect, SleepEx, SwitchToThread, SuspendThread, ResumeThread, InitializeContext, SetXStateFeaturesMask, RtlRestoreContext, CloseThreadpoolTimer, CreateThreadpoolTimer, SetThreadpoolTimer, ReadFile, GetFileSize, GetEnvironmentVariableW, SetEnvironmentVariableW, CreateEventW, SetEvent, ResetEvent, GetThreadContext, SetThreadContext, GetEnabledXStateFeatures, CopyContext, WerRegisterRuntimeExceptionModule, RtlInstallFunctionTableCallback, GetSystemDefaultLCID, GetUserDefaultLCID, RtlUnwind, HeapAlloc, HeapFree, GetProcessHeap, HeapCreate, HeapDestroy, GetEnvironmentStringsW, FreeEnvironmentStringsW, FormatMessageW, CreateSemaphoreExW, ReleaseSemaphore, GetACP, LCMapStringEx, LocalFree, VerSetConditionMask, VerifyVersionInfoW, QueryThreadCycleTime, GetLogicalProcessorInformationEx, SetThreadGroupAffinity, GetThreadGroupAffinity, GetProcessGroupAffinity, GetCurrentProcessorNumberEx, GetProcessAffinityMask, QueryInformationJobObject, CloseHandle, GetSystemTimeAsFileTime, GetModuleFileNameW, CreateProcessW, GetCPInfo, GetTempPathW, LoadLibraryExW, CreateFileW, GetFileAttributesExW, GetFullPathNameW, LoadLibraryExA, OutputDebugStringA, OpenEventW, ReleaseMutex, ExitThread, CreateMutexW, HeapReAlloc, CreateNamedPipeA, WaitForMultipleObjects, DisconnectNamedPipe, CreateFileA, CancelIoEx, GetOverlappedResult, ConnectNamedPipe, FlushFileBuffers, SetFilePointer, MapViewOfFile, GetActiveProcessorGroupCount, GetSystemTime, SetConsoleCtrlHandler, GetLocaleInfoEx, GetUserDefaultLocaleName, RtlAddFunctionTable, LoadLibraryW, CreateDirectoryW, RemoveDirectoryW, CreateActCtxW, ActivateActCtx, FindResourceW, GetWindowsDirectoryW, GetFileSizeEx, FindFirstFileExW, FindNextFileW, FindClose, LoadLibraryA, GetCurrentDirectoryW, IsWow64Process, EncodePointer, DecodePointer, CreateFileMappingA, TlsSetValue, TlsGetValue, GetSystemInfo, GetCurrentProcess, OutputDebugStringW, IsDebuggerPresent, LeaveCriticalSection, EnterCriticalSection, DeleteCriticalSection, InitializeCriticalSection, WideCharToMultiByte, GetCommandLineW, GetProcAddress, GetModuleHandleExW, SetThreadErrorMode, FlushProcessWriteBuffers, SetLastError, DebugBreak, WaitForSingleObject, GetNumaHighestNodeNumber, SetThreadAffinityMask, SetThreadIdealProcessorEx, GetThreadIdealProcessorEx, VirtualAllocExNuma, GetNumaProcessorNodeEx, VirtualUnlock, GetLargePageMinimum, IsProcessInJob, K32GetProcessMemoryInfo, GetLogicalProcessorInformation, GlobalMemoryStatusEx, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, RtlVirtualUnwind, IsProcessorFeaturePresent, RtlUnwindEx, InitializeCriticalSectionAndSpinCount, TlsFree, RtlPcToFileHeader, TryAcquireSRWLockExclusive, GetExitCodeThread, GetStringTypeW, InitializeCriticalSectionEx, GetLastError, CreateFileMappingW
                                                                ADVAPI32.dll | ReportEventW, AdjustTokenPrivileges, RegGetValueW, SetKernelObjectSecurity, GetSidSubAuthorityCount, GetSidSubAuthority, GetTokenInformation, OpenProcessToken, DeregisterEventSource, RegisterEventSourceW, RegQueryValueExW, RegOpenKeyExW, RegCloseKey, EventRegister, SetThreadToken, RevertToSelf, OpenThreadToken, EventWriteTransfer, EventWrite, LookupPrivilegeValueW
                                                                ole32.dll | CreateStreamOnHGlobal, CoRevokeInitializeSpy, CoGetClassObject, CoGetContextToken, CoGetObjectContext, CoUnmarshalInterface, CoMarshalInterface, CoGetMarshalSizeMax, CLSIDFromProgID, CoReleaseMarshalData, CoTaskMemFree, CoTaskMemAlloc, CoCreateGuid, CoInitializeEx, CoRegisterInitializeSpy, CoWaitForMultipleHandles, CoUninitialize, CoCreateFreeThreadedMarshaler
                                                                OLEAUT32.dll | CreateErrorInfo, SysFreeString, GetErrorInfo, SetErrorInfo, SysStringLen, SysAllocString, SysAllocStringLen, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayDestroy, QueryPathOfRegTypeLib, LoadTypeLibEx, SafeArrayGetVartype, VariantChangeType, VariantChangeTypeEx, VariantClear, VariantInit, VarCyFromDec, SafeArrayAllocDescriptorEx, GetRecordInfoFromTypeInfo, SafeArraySetRecordInfo, SafeArrayAllocData, SafeArrayGetElemsize, SysStringByteLen, SysAllocStringByteLen, SafeArrayCreateVector, SafeArrayPutElement, LoadRegTypeLib
                                                                USER32.dll | LoadStringW, MessageBoxW
                                                                SHELL32.dll | ShellExecuteW
                                                                api-ms-win-crt-string-l1-1-0.dll | strncat_s, wcsncat_s, strcmp, wcsnlen, wcscat_s, towupper, iswascii, _strdup, strncpy, strnlen, wcstok_s, isdigit, isupper, isalpha, towlower, _wcsdup, iswspace, isspace, islower, strtok_s, _wcsnicmp, strcspn, __strncnt, strlen, wcscpy_s, toupper, wcsncpy_s, strcpy_s, strcat_s, strncpy_s, _strnicmp, tolower, wcsncmp, iswupper, strncmp, _stricmp, _wcsicmp
                                                                api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsscanf, fflush, __acrt_iob_func, __stdio_common_vfprintf, __stdio_common_vswprintf, __stdio_common_vfwprintf, fputws, fputwc, _get_stream_buffer_pointers, _fseeki64, fread, fsetpos, ungetc, fgetpos, fgets, fgetc, fputc, _wfsopen, _wfopen, __p__commode, _set_fmode, __stdio_common_vsnprintf_s, setvbuf, _setmode, _dup, _fileno, ftell, fseek, fputs, __stdio_common_vsnwprintf_s, __stdio_common_vsprintf_s, fwrite, _flushall, fopen, fclose
                                                                api-ms-win-crt-runtime-l1-1-0.dll | _crt_atexit, _cexit, _seh_filter_exe, _set_app_type, _register_onexit_function, _configure_wide_argv, _initialize_wide_environment, _get_initial_wide_environment, _initterm, _initterm_e, _exit, _invalid_parameter_noinfo_noreturn, __p___argc, __p___wargv, _c_exit, _register_thread_local_exe_atexit_callback, _initialize_onexit_table, _beginthreadex, terminate, _controlfp_s, _wcserror_s, _invalid_parameter_noinfo, _errno, exit, abort
                                                                api-ms-win-crt-convert-l1-1-0.dll | _atoi64, _ltow_s, _wtoi, strtoul, _wcstoui64, atol, _itow_s, strtoull, wcstoul
                                                                api-ms-win-crt-heap-l1-1-0.dll | free, _set_new_mode, calloc, malloc, realloc
                                                                api-ms-win-crt-utility-l1-1-0.dll | qsort
                                                                api-ms-win-crt-math-l1-1-0.dll | asinhf, atanhf, cbrtf, acoshf, cosh, cbrt, coshf, exp, expf, acosh, atanh, floor, floorf, fma, fmaf, cosf, _fdopen, cos, ceilf, _copysignf, _isnanf, trunc, truncf, ilogb, ilogbf, tanhf, ceil, fmod, fmodf, atanf, frexp, atan2f, atan2, log, log10, log10f, atan, asinf, log2, log2f, logf, pow, powf, sin, sinf, asin, sinh, sinhf, sqrt, sqrtf, tan, tanf, tanh, acosf, _copysign, asinh, _isnan, _finite, modf, modff, acos, __setusermatherr
                                                                api-ms-win-crt-time-l1-1-0.dll | _time64, _gmtime64_s, wcsftime
                                                                api-ms-win-crt-environment-l1-1-0.dll | getenv
                                                                api-ms-win-crt-locale-l1-1-0.dll | _unlock_locales, setlocale, __pctype_func, ___lc_locale_name_func, _lock_locales, ___lc_codepage_func, ___mb_cur_max_func, _configthreadlocale, localeconv
                                                                api-ms-win-crt-filesystem-l1-1-0.dll | _wrename, _unlock_file, _wremove, _lock_file
                                                                Name | Ordinal | Address
                                                                CLRJitAttachState | 3 | 0x1407abb38
                                                                DotNetRuntimeInfo | 4 | 0x140799590
                                                                MetaDataGetDispenser | 5 | 0x14056bef0
                                                                g_CLREngineMetrics | 2 | 0x140798d98
                                                                g_dacTable | 6 | 0x1406405f0
                                                                No network behavior found

                                                                Target ID:0
                                                                Start time:07:33:01
                                                                Start date:17/04/2024
                                                                Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.MSIL.Rozena.9214.20581.exe"
                                                                Imagebase:0x7ff734c30000
                                                                File size:14'477'139 bytes
                                                                MD5 hash:921557C2B17618359E49A321117A5917
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:1
                                                                Start time:07:33:01
                                                                Start date:17/04/2024
                                                                Path:C:\Windows\System32\conhost.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                Imagebase:0x7ff6d64d0000
                                                                File size:862'208 bytes
                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:false

                                                                  Execution Graph

                                                                  Execution Coverage:6%
                                                                  Dynamic/Decrypted Code Coverage:73.3%
                                                                  Signature Coverage:20%
                                                                  Total number of Nodes:15
                                                                  Total number of Limit Nodes:0

                                                                  Control-flow Graph
                                                                  • Node 270: 7ff6d557d341-7ff6d557d3f1, calls GetFileType
                                                                  • Node 274: 7ff6d557d3f9-7ff6d557d438
                                                                  • Node 275: 7ff6d557d3f3
                                                                  • Edges: 270->274, 270->275, 275->274
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.3293528485.00007FF6D5570000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF6D5570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6d5570000_SecuriteInfo.jbxd
                                                                  Similarity
                                                                  • API ID: FileType
                                                                  • String ID:
                                                                  • API String ID: 3081899298-0
                                                                  • Opcode ID: 84bbc7596b242c1a8b4fe98f28439088e4c5cad837202f0708d385b32d70fcc8
                                                                  • Instruction ID: c0b7e5b03e0845e06c2aff40db2c2ad1d829acc271f1ac2ae9c45865ce9f7a7c
                                                                  • Opcode Fuzzy Hash: 84bbc7596b242c1a8b4fe98f28439088e4c5cad837202f0708d385b32d70fcc8
                                                                  • Instruction Fuzzy Hash: 95317A7090C64C8FEB48EF68D849BADBBF0FF55311F0441AEE049D7292DA749856CB11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  • Node 278: 7ff6d557bb0d-7ff6d557bbbc, calls GetConsoleOutputCP
                                                                  • Node 280: 7ff6d557bbc4-7ff6d557bbf7
                                                                  • Node 281: 7ff6d557bbbe
                                                                  • Edges: 278->280, 278->281, 281->280
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.3293528485.00007FF6D5570000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF6D5570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6d5570000_SecuriteInfo.jbxd
                                                                  Similarity
                                                                  • API ID: ConsoleOutput
                                                                  • String ID:
                                                                  • API String ID: 3985236979-0
                                                                  • Opcode ID: 1021f6bb282dfab8176e71ec3eeb223737cfcbf3a6ce454d4472a61fc9ba0af9
                                                                  • Instruction ID: e9dd702594185f7edeaf268c1c7fef960083799a8cb701c990a215c114273166
                                                                  • Opcode Fuzzy Hash: 1021f6bb282dfab8176e71ec3eeb223737cfcbf3a6ce454d4472a61fc9ba0af9
                                                                  • Instruction Fuzzy Hash: D4316F7090964C8FEB59DB68D819BADBFF0FF16311F0481AFD049D72A2DA749846CB11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  • Node 283: 7ff6d558041d-7ff6d55804cc, calls GetConsoleCP
                                                                  • Node 286: 7ff6d55804d4-7ff6d5580507
                                                                  • Node 287: 7ff6d55804ce
                                                                  • Edges: 283->286, 283->287, 287->286
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.3293528485.00007FF6D5570000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF6D5570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6d5570000_SecuriteInfo.jbxd
                                                                  Similarity
                                                                  • API ID: Console
                                                                  • String ID:
                                                                  • API String ID: 4190041642-0
                                                                  • Opcode ID: bd3b44669d43a5fd4b59740acfcbd9ac850ecf3c4410898433c5813a32ba78f0
                                                                  • Instruction ID: 510a1112154f0917313d240a28f823a9fee7596de41f0ea9aeabbc4f33bb0bbb
                                                                  • Opcode Fuzzy Hash: bd3b44669d43a5fd4b59740acfcbd9ac850ecf3c4410898433c5813a32ba78f0
                                                                  • Instruction Fuzzy Hash: 61317C7190D64C8FEB59DB68D819BACBFF0EF16311F0841ABD049D72A2DA359846CB11
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  Control-flow Graph
                                                                  • Node 289: 7ff6d557d158-7ff6d557d196, calls WriteFile
                                                                  • Node 290: 7ff6d557d198
                                                                  • Node 291: 7ff6d557d19e-7ff6d557d1e3
                                                                  • Edges: 289->290, 289->291, 290->291
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.3293528485.00007FF6D5570000.00000020.00001000.00040000.00000000.sdmp, Offset: 00007FF6D5570000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff6d5570000_SecuriteInfo.jbxd
                                                                  Similarity
                                                                  • API ID: FileWrite
                                                                  • String ID:
                                                                  • API String ID: 3934441357-0
                                                                  • Opcode ID: 32f4b3a8f211694b81e2d907966a294eb2f481cce5b56b783e4254f8e7576db7
                                                                  • Instruction ID: c2bba97d840dbdbe20e3ae4a6c0b03c1161a59a1911a50aa861844bdeb888efa
                                                                  • Opcode Fuzzy Hash: 32f4b3a8f211694b81e2d907966a294eb2f481cce5b56b783e4254f8e7576db7
                                                                  • Instruction Fuzzy Hash: 2211F575A0871C8FDB88EF98E8497ACB7F0FB59325F00816AD00ED7251DB759946CB41
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%

                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.3295026153.00007FF734C31000.00000020.00000001.01000000.00000003.sdmp, Offset: 00007FF734C30000, based on PE: true
                                                                  • Associated: 00000000.00000002.3294971717.00007FF734C30000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295450190.00007FF735249000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295637660.00007FF7353C7000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295684320.00007FF7353CC000.00000008.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295724252.00007FF7353CE000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295724252.00007FF7353D8000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295724252.00007FF7353DB000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295724252.00007FF7353E0000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295724252.00007FF7353E5000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3295981731.00007FF7353E7000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3296042280.00007FF735420000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.3296042280.00007FF735425000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_7ff734c30000_SecuriteInfo.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentTime$CounterFilePerformanceProcessQuerySystemThread
                                                                  • String ID:
                                                                  • API String ID: 2933794660-0
                                                                  • Opcode ID: ba65f6a958aee0d3f0c3a7f6e6efc600877284dab9a37d7090099f024dbf0371
                                                                  • Instruction ID: 89af670111279ef56b04af798dd19f4b9fdb57742d41adebed1c227f49703faa
                                                                  • Opcode Fuzzy Hash: ba65f6a958aee0d3f0c3a7f6e6efc600877284dab9a37d7090099f024dbf0371
                                                                  • Instruction Fuzzy Hash: B3114862B18F129AEB009B61E8552A873B4FB19B58F841E35DE6D827A4DF3CD1948350
                                                                  Uniqueness

                                                                  Uniqueness Score: -1.00%