Source: file.exe |
ReversingLabs: Detection: 45% |
Source: file.exe |
Virustotal: Detection: 56% |
Source: http://5.42.94.169/customer/368 |
Avira URL Cloud: Label: malware |
Source: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ |
Avira URL Cloud: Label: malware |
Source: http://5.42.94.169 |
Virustotal: Detection: 7% |
Source: http://5.42.94.169/customer/368 |
Virustotal: Detection: 8% |
Source: Yara match |
File source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: file.exe PID: 6988, type: MEMORYSTR |
Source: file.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Binary string: C:\Users\Purala\source\repos\Particle-Filter\obj\x86\Debug\FastSLAM.pdb source: file.exe |
Binary string: c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Binary string: <c:\src\ShellRunas\Release\ShellRunas.pdb source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
Binary string: C:\agent\1\s\sys\x64\Release\ProcExpDriver.pdb source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr |
Source: global traffic |
HTTP traffic detected:
GET /customer/368 HTTP/1.1
Host: 5.42.94.169
Connection: Keep-Alive |
Source: Joe Sandbox View |
IP Address: 5.42.94.169 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.42.94.169 (50 identical entries collapsed; every connection went straight to the hard-coded IP with no DNS lookup) |
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.493023944.0000000000E66000.00000040.00001000.00020000.00000000.sdmp |
String found in binary or memory: http://109.206.241.33/files/Hadi.config.CfgEncFileMZ |
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://5.42.94.169 |
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://5.42.94.169/customer/368 |
Source: file.exe, 00000000.00000002.493841709.000001F6C7685000.00000004.00000800.00020000.00000000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
Source: jsc.exe |
String found in binary or memory: http://www.sysinternals.com |
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp, jsc.exe, 00000002.00000002.492840110.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://www.sysinternals.comopen/?ICONSHELLRUNASAboutUsage/raw/netonlyRunAsInvoker__COMPAT_LAYERcmd |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp, ?????.sys.0.dr |
String found in binary or memory: https://www.sysinternals.com0 |
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables containing artifacts associated with disabling Windows Defender Author: ditekSHen |
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen |
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_DisableWinDefender author = ditekSHen, description = Detects executables containing artifacts associated with disabling Windows Defender |
Source: 0.2.file.exe.1f6c773a2a8.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object |
Source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Matched rule: SUSP_XORed_MSDOS_Stub_Message date = 2019-10-28, author = Florian Roth (Nextron Systems), description = Detects suspicious XORed MSDOS stub message, score = , reference = https://yara.readthedocs.io/en/latest/writingrules.html#xor-strings |
Source: C:\Users\user\AppData\Local\Temp\?????.sys, type: DROPPED |
Matched rule: PUA_VULN_Driver_Sysinternalswwwsysinternalscom_procexpsys_ProcessExplorer_HoEP date = 2023-05-19, author = Florian Roth, description = Detects vulnerable driver mentioned in LOLDrivers project using VersionInfo values from the PE header - 97e3a44ec4ae58c8cc38eefc613e950e.bin, score = , reference = https://github.com/magicsword-io/LOLDrivers, hash = 440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c |
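The SUSP_XORed_MSDOS_Stub_Message hit above means the jsc.exe memory region holds a PE image whose DOS stub text ("This program cannot be run in DOS mode") is XOR-encoded with a single-byte key, which is how YARA's `xor` string modifier finds it. What follows is an added example, not code from this report or from the YARA rule itself: it reimplements that single-byte XOR search in Python, then carves and decodes the embedded image from the hit by walking back to the `MZ` header and checking that `e_lfanew` points at a `PE\0\0` signature. The buffer it scans is constructed inline (a minimal, non-loadable fake PE XORed with key 0x5A); every function and variable name is this example's own.

```python
"""Find an XOR-obfuscated MS-DOS stub message and carve the hidden PE.

Added example, not code from the sandbox report or from the YARA rule it
cites. YARA's `xor` string modifier tries every single-byte key for the
stub text; this does the same by hand and then recovers the image.
"""
from typing import Optional

STUB_MSG = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (key 0 is the identity)."""
    return bytes(b ^ key for b in data)


def find_xored_dos_stub(buf: bytes) -> list:
    """Return (key, offset) for every non-zero single-byte XOR key under
    which STUB_MSG occurs in buf. A plaintext stub (key 0) is what every
    normal PE carries, so it is deliberately not reported."""
    hits = []
    for key in range(1, 256):
        needle = xor_bytes(STUB_MSG, key)
        pos = buf.find(needle)
        while pos >= 0:
            hits.append((key, pos))
            pos = buf.find(needle, pos + 1)
    return hits


def carve_pe_image(buf: bytes, key: int, stub_offset: int,
                   lookback: int = 0x200) -> Optional[bytes]:
    """Decode the region around a stub hit with the recovered key, walk back
    to the nearest 'MZ', and confirm e_lfanew (offset 0x3c of the DOS header)
    points at a 'PE\\0\\0' signature. Returns the decoded bytes from the MZ
    header to the end of the buffer, or None if the layout is not a PE."""
    lo = max(0, stub_offset - lookback)
    decoded = xor_bytes(buf[lo:], key)
    mz = decoded.rfind(b"MZ", 0, stub_offset - lo)
    if mz < 0 or len(decoded) < mz + 0x40:
        return None
    e_lfanew = int.from_bytes(decoded[mz + 0x3C:mz + 0x40], "little")
    if decoded[mz + e_lfanew:mz + e_lfanew + 4] != b"PE\x00\x00":
        return None
    return decoded[mz:]


def build_fake_pe() -> bytes:
    """Constructed minimal PE-shaped blob (not loadable): 64-byte DOS header
    whose e_lfanew points at 0x80, the classic DOS stub with STUB_MSG, zero
    padding, then the PE signature."""
    e_lfanew = 0x80
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + e_lfanew.to_bytes(4, "little")
    dos_stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + STUB_MSG + b".\r\r\n$")
    image = dos_header + dos_stub
    image += b"\x00" * (e_lfanew - len(image))
    return image + b"PE\x00\x00" + b"\x00" * 20


def build_sample(key: int) -> bytes:
    """Constructed memory buffer: unrelated plaintext, then the fake PE
    XOR-encoded with `key`, then a little trailing filler."""
    return (b"\x00" * 32 + b"unrelated plaintext data"
            + xor_bytes(build_fake_pe(), key) + b"\x00" * 8)


if __name__ == "__main__":
    sample = build_sample(0x5A)
    for key, off in find_xored_dos_stub(sample):
        print(f"XORed DOS stub at offset {off:#x}, key {key:#04x}")
        image = carve_pe_image(sample, key, off)
        print("  carved image starts with", image[:2], "PE signature at e_lfanew:", image[0x80:0x84])
```

On a real dump you would feed `find_xored_dos_stub` the raw bytes of the memory region (here `00000002.00000002.492960569.0000000000E30000...sdmp`) and then run `carve_pe_image` on each hit; a hit with the wrong key or a stub that is not preceded by a consistent `MZ`/`e_lfanew` pair returns `None`, which keeps random XORed text from being mistaken for a packed executable.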
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CFAA577 |
0_2_00007FFC9CFAA577 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CF90E58 |
0_2_00007FFC9CF90E58 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CFA1208 |
0_2_00007FFC9CFA1208 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CF96A17 |
0_2_00007FFC9CF96A17 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CFA3AF5 |
0_2_00007FFC9CFA3AF5 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00404AF0 |
2_2_00404AF0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_004084B7 |
2_2_004084B7 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00402050 _memset,_memset,_memset,_memset,_memset,__wcsicmp,__wcsicmp,__wcsicmp,SetEnvironmentVariableW,_memset,_wcscpy_s,_wcscat_s,CreateProcessW,GetLastError,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,__wcsicmp,_wcscpy_s,_memset,_memset,_memset,CreateProcessWithLogonW,GetLastError,EnumWindows,Sleep,Sleep,EnumWindows,CloseHandle,CloseHandle,CloseHandle,LoadIconW,LoadIconW,LoadIconW,LoadCursorW,RegisterClassExW,CreateDialogParamW,GetMessageW,GetMessageW,IsDialogMessageW,TranslateMessage,DispatchMessageW,GetMessageW,LocalFree, |
2_2_00402050 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CFA5870 NtLoadDriver, |
0_2_00007FFC9CFA5870 |
Source: file.exe |
Static PE information: No import functions for PE file found |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameprocexp.SysB vs file.exe |
Source: file.exe, 00000000.00000002.495389743.000001F6D7691000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameShellRunasP vs file.exe |
Source: file.exe, 00000000.00000002.493841709.000001F6C77A3000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameShellRunasP vs file.exe |
Source: file.exe, 00000000.00000002.495389743.000001F6D7771000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe |
Source: file.exe, 00000000.00000002.493612039.000001F6C5C50000.00000004.08000000.00040000.00000000.sdmp |
Binary or memory string: OriginalFilenameRunpeX.Stub.Framework.exeL vs file.exe |
Source: file.exe, 00000000.00000002.493115383.000001F6C58BA000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameeroxipe4 vs file.exe |
Source: file.exe, 00000000.00000002.493218018.000001F6C5AF0000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: OriginalFilenameclr.dllT vs file.exe |
Source: file.exe |
Binary or memory string: OriginalFilenameeroxipe4 vs file.exe |
Source: C:\Users\user\Desktop\file.exe |
Process token adjusted: Load Driver |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Temp\?????.sys |
Source: C:\Users\user\Desktop\file.exe |
Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C |
Source: file.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\file.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown |
Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CFA58C4 AdjustTokenPrivileges, |
0_2_00007FFC9CFA58C4 |
Source: C:\Users\user\Desktop\file.exe |
File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log |
Source: ?????.sys.0.dr |
Binary string: \DosDevices\PROCEXP152\ObjectTypes\\Device\PROCEXP152PsAcquireProcessExitSynchronizationPsReleaseProcessExitSynchronizationMmGetMaximumNonPagedPoolInBytesObGetObjectTypeMutantIoCreateDeviceSecureIoValidateDeviceIoControlAccessD:P |
Source: classification engine |
Classification label: mal100.troj.expl.evad.winEXE@5/2@0/1 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_004029C0 _memset,_memset,SHGetMalloc,SHGetDesktopFolder,SearchPathW,GetLastError,CoInitialize,CoCreateInstance,#217,#173,CoUninitialize, |
2_2_004029C0 |
Source: C:\Users\user\Desktop\file.exe |
Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll |
Source: file.exe, ????????/?????????.cs |
Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' |
Source: C:\Users\user\Desktop\file.exe |
File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR |
Source: file.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: Yara match |
File source: 00000002.00000002.492960569.0000000000E30000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_000001F6C58B8762 push rsp; retn 0009h |
0_2_000001F6C58B8766 |
Source: C:\Users\user\Desktop\file.exe |
Code function: 0_2_00007FFC9CF967E9 push ebx; retf |
0_2_00007FFC9CF967EA |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00404ACD push ecx; ret |
2_2_00404AE0 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00402CB0 _memset,_memset,_wcscpy_s,_wcscat_s,LoadLibraryW,GetProcAddress,LoadLibraryW,GetProcAddress,GetLastError,LoadLibraryW,GetProcAddress,_wcschr,_wcscpy_s,GetComputerNameW,CredUIParseUserNameW,CoTaskMemFree, |
2_2_00402CB0 |
Source: C:\Users\user\Desktop\file.exe |
Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TaskKill |
Source: C:\Users\user\Desktop\file.exe |
Process information set: NOOPENFILEERRORBOX (44 identical entries collapsed) |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: WINE_GET_UNIX_FILE_NAME |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SBIEDLL.DLL |
Source: C:\Users\user\Desktop\file.exe TID: 7068 |
Thread sleep time: -6456360425798339s >= -30000s |
Source: C:\Users\user\Desktop\file.exe TID: 4672 |
Thread sleep count: 9612 > 30 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess |
Source: C:\Users\user\Desktop\file.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\?????.sys |
Source: C:\Users\user\Desktop\file.exe |
Thread delayed: delay time: 922337203685477 |
Source: C:\Users\user\Desktop\file.exe |
Window / User API: threadDelayed 9612 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Evaded block: after key decision |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
API coverage: 4.4 % |
Source: C:\Users\user\Desktop\file.exe |
Process information queried: ProcessInformation |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
API call chain: ExitProcess graph end node |
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp |
Binary or memory string: VMware |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\vmmouse.sys |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: vmware |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\ |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools |
Source: jsc.exe, 00000002.00000002.492997621.0000000000E50000.00000040.00001000.00020000.00000000.sdmp |
Binary or memory string: Chrome/HEADIsWow64Processkernel32X:\Windows\SysWOW64\ntdll.dllntdll.dllRtlInitUnicodeStringZwOpenFileZwCreateSectionZwMapViewOfSectionNtUnmapViewOfSectionNtQueryInformationProcess{%08X-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X}RtlRandomExntdll:y--\Driver\Device ParametersEDID(IsActive)(NotActive)BAD EDID!No EDID!--Nm:SYSTEM\ControlSet001\Enum\DISPLAY\\.\PhysicalDrive%d---VMwareVirtualBoxVBoxQEMUDisplay AdapterNon-PnPVMwareVirtualBoxVBoxQEMUWestern Disk HARDDISK(1):(2):text/*Mozilla / 5.0 (SymbianOS / 9.1; U; [en]; SymbianOS / 91 Series60 / 3.0) AppleWebkit / 413 (KHTML, like Gecko) Safari / 413 |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMWARE |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\'C:\WINDOWS\system32\drivers\vmmouse.sys&C:\WINDOWS\system32\drivers\vmhgfs.sys |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: noValueButYesKey)C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: C:\WINDOWS\system32\drivers\VBoxMouse.sys |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum |
Source: file.exe, 00000000.00000002.493841709.000001F6C76CC000.00000004.00000800.00020000.00000000.sdmp |
Binary or memory string: VMware SVGA II |
Source: file.exe, 00000000.00000002.493218018.000001F6C5BD8000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQQ |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00405700 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
2_2_00405700 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_004039C0 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln, |
2_2_004039C0 |
Source: C:\Users\user\Desktop\file.exe |
Process token adjusted: Debug |
Source: C:\Users\user\Desktop\file.exe |
Memory allocated: page read and write | page guard |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00407219 SetUnhandledExceptionFilter, |
2_2_00407219 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_0040C52A _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
2_2_0040C52A |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 401000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 40D000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 413000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 416000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 418000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: B12008 |
Source: file.exe, ????????/???????????.cs |
Reference to suspicious API methods: ('???????????', 'GetProcAddress@kernel32.dll'), ('????????', 'LoadLibrary@kernel32.dll'), ('?????????', 'VirtualProtect@kernel32.dll'), ('????????????', 'VirtualAlloc@kernel32.dll') |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A |
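The memory-write lines above (a buffer beginning with 4D5A, i.e. "MZ", written at base 400000 of a jsc.exe that file.exe had just spawned with no arguments) are the RunPE / process-hollowing pattern, which matches the OriginalFilename RunpeX.Stub.Framework.exe string seen earlier. Together with the DNS-less connections to 5.42.94.169, the dropped Process Explorer driver whose SHA-256 is listed in LOLDrivers, and the TaskKill driver service, they are the findings an analyst would pull out of this report first. The following added example is not part of the report: it parses a handful of the report's own evidence lines (embedded as constructed input, in the report's two-line "Source: ... |" / detail layout) and produces those findings. The record names, the regular expressions, the assumption that paths in these lines contain no spaces, and the one-entry stand-in for a LOLDrivers hash list (holding only the SHA-256 the report itself shows) are this example's own.

```python
"""Triage sandbox evidence lines: process hollowing, hard-coded C2, LOLDriver.

Added example, not part of the sandbox report. All names, regexes and the
one-entry KNOWN_VULN_DRIVERS stand-in are this example's own.
"""
import re
from dataclasses import dataclass, field

# Constructed input: evidence lines copied from the report above.
EVIDENCE = r"""
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe |
Source: C:\Users\user\Desktop\file.exe |
Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 401000 |
Source: C:\Users\user\Desktop\file.exe |
Memory written: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe base: 400000 value starts with: 4D5A |
Source: unknown |
TCP traffic detected without corresponding DNS query: 5.42.94.169 |
Source: global traffic |
HTTP traffic detected: GET /customer/368 HTTP/1.1Host: 5.42.94.169Connection: Keep-Alive |
Source: Joe Sandbox View |
Dropped File: C:\Users\user\AppData\Local\Temp\?????.sys 440883CD9D6A76DB5E53517D0EC7FE13D5A50D2F6A7F91ECFC863BC3490E4F5C |
Source: C:\Users\user\Desktop\file.exe |
Driver loaded: \Registry\Machine\System\CurrentControlSet\Services\TaskKill |
"""

# Stand-in for a LOLDrivers lookup: only the SHA-256 the report shows for
# the dropped Process Explorer driver (the PUA_VULN_Driver_* match above).
KNOWN_VULN_DRIVERS = {
    "440883cd9d6a76db5e53517d0ec7fe13d5a50d2f6a7f91ecfc863bc3490e4f5c":
        "Sysinternals procexp.sys (Process Explorer driver, LOLDrivers)",
}

# Assumption: paths in these lines contain no spaces, so \S+ splits
# "Process created: <image> <command line>" cleanly.
PROC_RE = re.compile(r"^Process created: (\S+) ")
MEMW_RE = re.compile(r"^Memory written: (\S+) base: ([0-9A-Fa-f]+)"
                     r"(?: value starts with: ([0-9A-Fa-f]+))?$")
NODNS_RE = re.compile(r"^TCP traffic detected without corresponding DNS query: "
                      r"(\d{1,3}(?:\.\d{1,3}){3})$")
# The sandbox prints request line and headers run together ("HTTP/1.1Host: ...").
HTTP_RE = re.compile(r"^HTTP traffic detected: (GET|POST|HEAD) (\S+) HTTP/1\.[01]"
                     r"Host: (.+?)(?:Connection: .*)?$")
DROP_RE = re.compile(r"^Dropped File: (.+?) ([0-9A-Fa-f]{64})$")
DRV_RE = re.compile(r"^Driver loaded: \\Registry\\Machine\\System\\CurrentControlSet"
                    r"\\Services\\(\S+)$")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass
class Findings:
    spawned: dict = field(default_factory=dict)       # child image -> parent
    hollowed: set = field(default_factory=set)        # child given an MZ image by its parent
    injected: set = field(default_factory=set)        # MZ written into a process the writer did not spawn
    c2_ips: set = field(default_factory=set)
    urls: set = field(default_factory=set)
    vuln_drivers: dict = field(default_factory=dict)  # dropped path -> description
    driver_services: set = field(default_factory=set)


def iter_records(text: str):
    """Yield (source, detail) pairs from the report's two-line layout."""
    source = None
    for raw in text.splitlines():
        line = raw.strip().rstrip("|").strip()
        if not line:
            continue
        if line.startswith("Source: "):
            source = line[len("Source: "):]
        elif source is not None:
            yield source, line


def triage(text: str) -> Findings:
    f = Findings()
    mz_writes = []  # (writer, target, base)
    for source, detail in iter_records(text):
        if m := PROC_RE.match(detail):
            f.spawned[m.group(1)] = source
        elif m := MEMW_RE.match(detail):
            # 4D5A is "MZ": a PE header written at another process's image
            # base is the RunPE / hollowing signature (payload replaces host).
            if m.group(3) and m.group(3).upper().startswith("4D5A"):
                mz_writes.append((source, m.group(1), int(m.group(2), 16)))
        elif m := NODNS_RE.match(detail):
            f.c2_ips.add(m.group(1))
        elif m := HTTP_RE.match(detail):
            host = m.group(3).split(":")[0]
            f.urls.add(f"http://{m.group(3)}{m.group(2)}")
            if IP_RE.match(host):
                f.c2_ips.add(host)
        elif m := DROP_RE.match(detail):
            if desc := KNOWN_VULN_DRIVERS.get(m.group(2).lower()):
                f.vuln_drivers[m.group(1)] = desc
        elif m := DRV_RE.match(detail):
            f.driver_services.add(m.group(1))
    for writer, target, _base in mz_writes:
        # Into a child you just spawned: hollowing. Into anything else: remote injection.
        (f.hollowed if f.spawned.get(target) == writer else f.injected).add(target)
    return f


def summary(f: Findings) -> list:
    lines = [f"HOLLOWED host process: {p}" for p in sorted(f.hollowed)]
    lines += [f"spawned, no image written (unused host): {p}"
              for p in sorted(set(f.spawned) - f.hollowed - f.injected)]
    lines += [f"C2 contacted without DNS: {ip}" for ip in sorted(f.c2_ips)]
    lines += [f"URL: {u}" for u in sorted(f.urls)]
    lines += [f"vulnerable driver dropped: {p} ({d})" for p, d in f.vuln_drivers.items()]
    lines += [f"driver service loaded: {s}" for s in sorted(f.driver_services)]
    return lines


if __name__ == "__main__":
    print("\n".join(summary(triage(EVIDENCE))))
```

The same parser can be pointed at the full evidence list of this report (or another Joe Sandbox report in the same layout); ComSvcConfig.exe, which file.exe also spawned but never wrote an image into, shows up separately from the hollowed jsc.exe, and the hash lookup is the step a real LOLDrivers feed would replace.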
Source: C:\Users\user\Desktop\file.exe |
Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation |
Source: C:\Users\user\Desktop\file.exe |
Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_0040B123 GetLocaleInfoA, |
2_2_0040B123 |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_0040C66D cpuid |
2_2_0040C66D |
Source: C:\Users\user\Desktop\file.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe |
Code function: 2_2_00407ACC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, |
2_2_00407ACC |