Source: AutoInstall.exe | Virustotal: Detection: 36% |
Source: AutoInstall.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED |
Source: | Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp, AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | DNS query: name: ip-api.com |
Source: global traffic | HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive |
Source: Joe Sandbox View | IP Address: 208.95.112.1 |
Source: AutoInstall.exe | String found in binary or memory: http://aia.entrust.net/ts1-chain256.cer01 |
Source: AutoInstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0 |
Source: AutoInstall.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0 |
Source: AutoInstall.exe | String found in binary or memory: http://crl.entrust.net/2048ca.crl0 |
Source: AutoInstall.exe | String found in binary or memory: http://crl.entrust.net/ts1ca.crl0 |
Source: AutoInstall.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O |
Source: AutoInstall.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05 |
Source: AutoInstall.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0: |
Source: AutoInstall.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0K |
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp, AppLaunch.exe, 00000003.00000002.641051378.0000000007127000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com |
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com/line/?fields=hosting |
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ip-api.com4 |
Source: AutoInstall.exe | String found in binary or memory: http://ocsp.digicert.com0C |
Source: AutoInstall.exe | String found in binary or memory: http://ocsp.digicert.com0N |
Source: AutoInstall.exe | String found in binary or memory: http://ocsp.entrust.net02 |
Source: AutoInstall.exe | String found in binary or memory: http://ocsp.entrust.net03 |
Source: AppLaunch.exe, 00000003.00000002.641034119.0000000007116000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: AppLaunch.exe, 00000003.00000002.640288132.0000000000402000.00000020.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.codeplex.com/DotNetZip |
Source: AutoInstall.exe | String found in binary or memory: http://www.digicert.com/CPS0 |
Source: AutoInstall.exe | String found in binary or memory: http://www.entrust.net/rpa0 |
Source: AutoInstall.exe | String found in binary or memory: http://www.entrust.net/rpa03 |
Source: AutoInstall.exe | String found in binary or memory: https://www.digicert.com/CPS0 |
Source: unknown | DNS traffic detected: queries for: ip-api.com |
Source: AutoInstall.exe, 00000001.00000002.379164276.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> |
Source: AutoInstall.exe | Static PE information: section name: .pyX$d |
Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe |
Source: AutoInstall.exe, 00000001.00000002.372821359.000000000010E000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe |
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameDotNetZip.dll@ vs AutoInstall.exe |
Source: AutoInstall.exe, 00000001.00000003.372170576.00000000024B2000.00000040.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePennyWise.exe4 vs AutoInstall.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D1478 | 3_2_055D1478 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D1DA0 | 3_2_055D1DA0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055DBF80 | 3_2_055DBF80 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055DDEE0 | 3_2_055DDEE0 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055DC850 | 3_2_055DC850 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D0860 | 3_2_055D0860 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D0B40 | 3_2_055D0B40 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D156F | 3_2_055D156F |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D20D8 | 3_2_055D20D8 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055DBC38 | 3_2_055DBC38 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D1E51 | 3_2_055D1E51 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D0B7A | 3_2_055D0B7A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D0B30 | 3_2_055D0B30 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_09D76E50 | 3_2_09D76E50 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_09D76E40 | 3_2_09D76E40 |
Source: AutoInstall.exe | Static PE information: invalid certificate |
Source: C:\Users\user\Desktop\AutoInstall.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll |
Source: unknown | Process created: C:\Users\user\Desktop\AutoInstall.exe "C:\Users\user\Desktop\AutoInstall.exe" |
Source: C:\Users\user\Desktop\AutoInstall.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\AutoInstall.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Mutant created: \Sessions\1\BaseNamedObjects\9D16FBEF0D8A8F87529DE06A1C43C737 |
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4876:120:WilError_01 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File created: C:\Users\user\AppData\Local\8d96007aa6619f065c7ec2509ce5f96d |
Source: classification engine | Classification label: mal76.troj.evad.winEXE@4/0@1/1 |
Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u000fu2001.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: 3.2.AppLaunch.exe.400000.0.unpack, u000fu2001.cs | Cryptographic APIs: 'CreateDecryptor' |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: AutoInstall.exe | Static file information: File size 4344320 > 1048576 |
Source: AutoInstall.exe | Static PE information: Raw size of .iXgHkK is bigger than: 0x100000 < 0x3eae00 |
Source: 1.3.AutoInstall.exe.24b0000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: 3.2.AppLaunch.exe.400000.0.unpack, u0003u2001.cs | .Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Code function: 3_2_055D63F2 push D800035Eh; ret | 3_2_055D6421 |
Source: AutoInstall.exe | Static PE information: section name: .iXgHkK |
Source: initial sample | Static PE information: section name: .pyX$d entropy: 7.40228735958 |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Process token adjusted: Debug |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Memory allocated: page read and write | page guard |
Source: C:\Users\user\Desktop\AutoInstall.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 |
Source: C:\Users\user\Desktop\AutoInstall.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: F65008 |
Source: C:\Users\user\Desktop\AutoInstall.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 protect: page execute and read and write |
Source: C:\Users\user\Desktop\AutoInstall.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe base: 400000 value starts with: 4D5A |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Users\user\Desktop\AutoInstall.exe | Code function: 1_2_00409C7C GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, | 1_2_00409C7C |