File 9738696ee3c747e7_mscorsvw.exe

Size 648.0KB
Type PE32+ executable (GUI) x86-64, for MS Windows
MD5 cb27fabad47a84fee8522cc8ed10bb9d
SHA1 db2c749cd60c473c7baf8e5f1b9fad3b29e74039
SHA256 9738696ee3c747e7cea7172f615f8a98cbab89419cc3d724ff7927f8516c01b7
SHA512
da77815006faba5e2ae8afe1c190ea27502ec73b23e616d6398c0ced98b660f6d508d8eac7fe5f53511789daffd8066e78065b401a88dbac304c3c6a336243b7
CRC32 4FB178CE
ssdeep None
PDB Path mscorsvw.pdb
Yara
  • anti_dbg - Checks if being debugged
  • win_mutex - Create or check mutex
  • win_registry - Affect system registries

Score

This file is very suspicious, with a score of 9.1 out of 10!

Please note: the scoring system is still in development and should be considered an alpha feature.


Autosubmit

Parent_Task_ID:6433120


Information on Execution

Analysis
Category FILE
Started May 11, 2025, 4:18 a.m.
Completed May 11, 2025, 4:28 a.m.
Duration 589 seconds
Routing internet

Analyzer Log

Timestamps in this log come from the guest VM's clock, which reads 2025-05-05 while the host-side Cuckoo log reads 2025-05-11; the sample itself ran for roughly 200 seconds (12:04:08 to 12:07:27) before the analysis timeout, the rest of the 589-second duration being VM restore, memory dump and teardown.

2025-05-05 12:04:07,000 [analyzer] DEBUG: Starting analyzer from: C:\tmpht3fil
2025-05-05 12:04:07,015 [analyzer] DEBUG: Pipe server name: \??\PIPE\LlICffNcekZzoXFoNTZDxMTYfNkoi
2025-05-05 12:04:07,015 [analyzer] DEBUG: Log pipe server name: \??\PIPE\SYIQOYFuDrvUUqqovr
2025-05-05 12:04:07,015 [analyzer] DEBUG: No analysis package specified, trying to detect it automagically.
2025-05-05 12:04:07,015 [analyzer] INFO: Automatically selected analysis package "exe"
2025-05-05 12:04:07,296 [analyzer] DEBUG: Started auxiliary module Curtain
2025-05-05 12:04:07,296 [analyzer] DEBUG: Started auxiliary module DbgView
2025-05-05 12:04:07,733 [analyzer] DEBUG: Started auxiliary module Disguise
2025-05-05 12:04:07,937 [analyzer] DEBUG: Loaded monitor into process with pid 504
2025-05-05 12:04:07,937 [analyzer] DEBUG: Started auxiliary module DumpTLSMasterSecrets
2025-05-05 12:04:07,937 [analyzer] DEBUG: Started auxiliary module Human
2025-05-05 12:04:07,937 [analyzer] DEBUG: Started auxiliary module InstallCertificate
2025-05-05 12:04:07,937 [analyzer] DEBUG: Started auxiliary module Reboot
2025-05-05 12:04:08,000 [analyzer] DEBUG: Started auxiliary module RecentFiles
2025-05-05 12:04:08,000 [analyzer] DEBUG: Started auxiliary module Screenshots
2025-05-05 12:04:08,000 [analyzer] DEBUG: Started auxiliary module Sysmon
2025-05-05 12:04:08,000 [analyzer] DEBUG: Started auxiliary module LoadZer0m0n
2025-05-05 12:04:08,125 [lib.api.process] INFO: Successfully executed process from path u'C:\\Users\\ADMINI~1\\AppData\\Local\\Temp\\9738696ee3c747e7_mscorsvw.exe' with arguments '' and pid 1960
2025-05-05 12:04:08,328 [analyzer] DEBUG: Loaded monitor into process with pid 1960
2025-05-05 12:07:27,155 [analyzer] INFO: Analysis timeout hit, terminating analysis.
2025-05-05 12:07:28,375 [analyzer] INFO: Terminating remaining processes before shutdown.
2025-05-05 12:07:28,375 [lib.api.process] INFO: Successfully terminated process with pid 1960.
2025-05-05 12:07:28,390 [analyzer] INFO: Analysis completed.

Cuckoo Log

2025-05-11 04:18:40,275 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:41,295 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:42,318 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:43,338 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:44,438 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:45,461 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:46,482 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:47,515 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:48,535 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:49,567 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:50,587 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:51,609 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:52,628 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:53,651 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:54,674 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:55,701 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:56,719 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:57,734 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:58,751 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:18:59,771 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:00,813 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:01,848 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:02,867 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:03,891 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:04,908 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:05,926 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:06,944 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:07,992 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:09,028 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:10,065 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:11,086 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:12,104 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:13,142 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:14,163 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:15,183 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:16,208 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:17,225 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:18,249 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:19,281 [cuckoo.core.scheduler] DEBUG: Task #6433748: no machine available yet
2025-05-11 04:19:20,314 [cuckoo.core.scheduler] INFO: Task #6433748: acquired machine win7x6411 (label=win7x6411)
2025-05-11 04:19:20,315 [cuckoo.core.resultserver] DEBUG: Now tracking machine 192.168.168.211 for task #6433748
2025-05-11 04:19:20,552 [cuckoo.auxiliary.sniffer] INFO: Started sniffer with PID 3408986 (interface=vboxnet0, host=192.168.168.211)
2025-05-11 04:19:21,855 [cuckoo.machinery.virtualbox] DEBUG: Starting vm win7x6411
2025-05-11 04:19:22,292 [cuckoo.machinery.virtualbox] DEBUG: Restoring virtual machine win7x6411 to vmcloak
2025-05-11 04:22:13,826 [cuckoo.core.guest] INFO: Starting analysis #6433748 on guest (id=win7x6411, ip=192.168.168.211)
2025-05-11 04:22:14,832 [cuckoo.core.guest] DEBUG: win7x6411: not ready yet
2025-05-11 04:22:19,852 [cuckoo.core.guest] INFO: Guest is running Cuckoo Agent 0.10 (id=win7x6411, ip=192.168.168.211)
2025-05-11 04:22:19,906 [cuckoo.core.guest] DEBUG: Uploading analyzer to guest (id=win7x6411, ip=192.168.168.211, monitor=latest, size=6660546)
2025-05-11 04:22:21,100 [cuckoo.core.resultserver] DEBUG: Task #6433748: live log analysis.log initialized.
2025-05-11 04:22:22,003 [cuckoo.core.resultserver] DEBUG: Task #6433748 is sending a BSON stream
2025-05-11 04:22:22,329 [cuckoo.core.resultserver] DEBUG: Task #6433748 is sending a BSON stream
2025-05-11 04:22:23,219 [cuckoo.core.resultserver] DEBUG: Task #6433748: File upload for 'shots/0001.jpg'
2025-05-11 04:22:23,231 [cuckoo.core.resultserver] DEBUG: Task #6433748 uploaded file length: 137200
2025-05-11 04:22:35,916 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:22:51,234 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:23:06,425 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:23:21,584 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:23:36,895 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:23:52,199 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:24:07,280 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:24:22,466 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:24:37,700 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:24:52,779 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:25:07,891 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:25:22,976 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:25:38,085 [cuckoo.core.guest] DEBUG: win7x6411: analysis #6433748 still processing
2025-05-11 04:25:41,475 [cuckoo.core.resultserver] DEBUG: Task #6433748: File upload for 'curtain/1746439647.34.curtain.log'
2025-05-11 04:25:41,478 [cuckoo.core.resultserver] DEBUG: Task #6433748 uploaded file length: 36
2025-05-11 04:25:42,431 [cuckoo.core.resultserver] DEBUG: Task #6433748: File upload for 'sysmon/1746439648.3.sysmon.xml'
2025-05-11 04:25:42,513 [cuckoo.core.resultserver] DEBUG: Task #6433748 uploaded file length: 13235958
2025-05-11 04:25:42,538 [cuckoo.core.resultserver] DEBUG: Task #6433748 had connection reset for <Context for LOG>
2025-05-11 04:25:44,112 [cuckoo.core.guest] INFO: win7x6411: analysis completed successfully
2025-05-11 04:25:44,123 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Redsocks
2025-05-11 04:25:44,146 [cuckoo.core.plugins] DEBUG: Stopped auxiliary module: Sniffer
2025-05-11 04:25:44,800 [cuckoo.machinery.virtualbox] INFO: Successfully generated memory dump for virtual machine with label win7x6411 to path /srv/cuckoo/cwd/storage/analyses/6433748/memory.dmp
2025-05-11 04:25:44,801 [cuckoo.machinery.virtualbox] DEBUG: Stopping vm win7x6411
2025-05-11 04:28:28,605 [cuckoo.core.resultserver] DEBUG: Stopped tracking machine 192.168.168.211 for task #6433748
2025-05-11 04:28:29,711 [cuckoo.core.scheduler] DEBUG: Released database task #6433748
2025-05-11 04:28:29,739 [cuckoo.core.scheduler] INFO: Task #6433748: analysis procedure completed

Signatures

Yara rules detected for file (3 events)
description Checks if being debugged rule anti_dbg
description Create or check mutex rule win_mutex
description Affect system registries rule win_registry
This executable has a PDB path (1 event)
pdb_path mscorsvw.pdb
The binary likely contains encrypted or compressed data indicative of a packer (2 events)
section .rsrc (virtual_address 0x00018000, virtual_size 0x0008f000, size_of_data 0x0008e000) entropy 7.924 description A section with a high entropy has been found
entropy 0.878 description Overall entropy of this PE file is high (the signature's "overall entropy" is the share of section data lying in sections whose entropy exceeds its per-section threshold, not a Shannon entropy; here the 0x8e000-byte .rsrc section alone accounts for about 88% of the file's section data)
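The two marks above can be reproduced without the sandbox. The script below is an added example, not code from the original report or from the Cuckoo project: it parses the PE section table with the standard library (no pefile), computes Shannon entropy per section, and applies the same two checks as the signature. The thresholds (6.8 bits per byte per section, more than 20% of section data in such sections) are assumed to match the signature's; the constructed sample image (a low-entropy .text and a large pseudo-random .rsrc) stands in for the real file, which is not included here.

```python
"""Reproduce the packer-entropy signature on a PE's section table (stdlib only)."""
import math
import random
import struct
import sys

SECTION_ENTROPY_THRESHOLD = 6.8    # bits/byte per section (assumed signature threshold)
HIGH_ENTROPY_RATIO_THRESHOLD = 0.2  # share of section data that must be high-entropy (assumed)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(blob: bytes):
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, table + 40 * i)
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": "0x%08x" % vaddr,
            "virtual_size": "0x%08x" % vsize,
            "size_of_data": "0x%08x" % raw_size,
            "entropy": shannon_entropy(blob[raw_ptr:raw_ptr + raw_size]),
        })
    return out


def packer_entropy_marks(sections):
    """Per-section check, then the ratio of high-entropy bytes to all section data."""
    marks, total, compressed = [], 0, 0
    for s in sections:
        size = int(s["size_of_data"], 16)
        total += size
        if s["entropy"] > SECTION_ENTROPY_THRESHOLD:
            compressed += size
            marks.append({"section": s["name"], "entropy": s["entropy"],
                          "description": "A section with a high entropy has been found"})
    ratio = compressed / total if total else 0.0
    if ratio > HIGH_ENTROPY_RATIO_THRESHOLD:
        marks.append({"entropy": ratio, "description": "Overall entropy of this PE file is high"})
    return marks, ratio


def build_fake_pe(sections, file_align=0x200):
    """Constructed, non-executable PE32+ image with just enough headers for the parser."""
    opt_size = 240  # PE32+ optional header length
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    data_start = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + bytes(opt_size - 2)
    table, body, ptr, vaddr = b"", b"", data_start, 0x1000
    for name, data in sections:
        raw_size = -(-len(data) // file_align) * file_align
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), vaddr,
                             raw_size, ptr, 0, 0, 0, 0, 0x40000040)
        body += data.ljust(raw_size, b"\0")
        ptr += raw_size
        vaddr += -(-len(data) // 0x1000) * 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + opt + table
    return image.ljust(data_start, b"\0") + body


def constructed_sample() -> bytes:
    """Constructed stand-in for the report's file: 8 KB of two-valued .text (entropy 1.0)
    and 64 KB of seeded pseudo-random .rsrc (entropy close to 8.0, like the 7.92 reported)."""
    rng = random.Random(0xC0FFEE)
    text = b"\x90" * 0x1000 + b"\xcc" * 0x1000
    rsrc = bytes(rng.getrandbits(8) for _ in range(0x10000))
    return build_fake_pe([(b".text", text), (b".rsrc", rsrc)])


def analyze(blob: bytes):
    sections = pe_sections(blob)
    marks, ratio = packer_entropy_marks(sections)
    return sections, marks, ratio


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else constructed_sample()
    for s in analyze(blob)[0]:
        print("%-8s size_of_data=%s entropy=%.3f" % (s["name"], s["size_of_data"], s["entropy"]))
    for m in analyze(blob)[1]:
        print("MARK: %s (%.3f)" % (m["description"], m["entropy"]))
```

Run it with a file path to check a real sample; with no argument it analyzes the constructed image. Note that the ratio mark fires for any binary whose resources or overlay carry compressed or encrypted payloads, so a high-entropy .rsrc is a lead to inspect, not proof of packing on its own.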
File has been identified by 11 AntiVirus engines on IRMA as malicious (11 events); the detection names converge on the Expiro file-infector family (named Moiva by Kaspersky and Sophos), consistent with an infected copy of a legitimate mscorsvw.exe rather than a standalone dropper
G Data Antivirus (Windows) Virus: Win64.Expiro.Gen.7 (Engine A)
Avast Core Security (Linux) Win64:Expiro-AJ [Inf]
Trend Micro SProtect (Linux) Virus.Win64.EXPIRO.SMAJC
WithSecure (Linux) Malware.W32/Infector.Gen
eScan Antivirus (Linux) Win64.Expiro.Gen.7(DB)
ESET Security (Windows) a variant of Win64/Expiro.CY virus
Sophos Anti-Virus (Linux) W64/Moiva-B
DrWeb Antivirus (Linux) Win32.Expiro.153
Bitdefender Antivirus (Linux) Win64.Expiro.Gen.7
Kaspersky Standard (Windows) Virus.Win64.Moiva.a
Emsisoft Commandline Scanner (Windows) Win64.Expiro.Gen.7 (B)
Screenshots

Hosts
Name Response Post-Analysis Lookup
No hosts contacted.

IP Addresses
IP Address Status Action VT Location
No hosts contacted.