
Windows Analysis Report
a3A9pyEx19.exe

Overview

General Information

Sample name: a3A9pyEx19.exe (renamed because the original name is a hash value)
Original sample name: 7183_29949254_f6ec44f025c67ab18170da47c1c610a94a9c84741f3cdfceb20cee565579868a_repmgr.exe
Analysis ID: 1355441
MD5: 8a87acebc21e2cc5eeb24af602b32b30
SHA1: a5ef9b69d7757049f284b5f3837c095ed1657fde
SHA256: f6ec44f025c67ab18170da47c1c610a94a9c84741f3cdfceb20cee565579868a

Detection

Score: 16
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
AV process strings found (often used to terminate AV products)
Creates or modifies windows services
PE file contains sections with non-standard names
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info

Classification

Classification radar (image not extracted): categories Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale clean / suspicious / malicious.

Analysis Advice

The sample implements a Windows service and should be registered and started as a service.
The sample may be VM- or sandbox-aware; try analysis on a native machine.
The sample may accept command-line options; run it with the 'Execute binary with arguments' cookbook. Switches may need a prefix such as "-", "/" or "--" (the strings include the switch --install-dir).
  • System is w10x64
  • a3A9pyEx19.exe (PID: 2672 cmdline: C:\Users\user\Desktop\a3A9pyEx19.exe MD5: 8A87ACEBC21E2CC5EEB24AF602B32B30)
    • conhost.exe (PID: 1600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


Source: a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF742914000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----memstr_79d64149-2
Source: a3A9pyEx19.exe | Static PE information: certificate valid
Source: a3A9pyEx19.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\repmgr\x64\Release\RepMgr.pdb source: a3A9pyEx19.exe
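The two "Static PE information" entries above are the first thing to check when triaging a hash-named binary: a valid Authenticode certificate together with IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY (the loader enforces code-integrity checks on the image) and the full set of exploit mitigations is what a vendor-built, signed EDR component looks like, and the "sections with non-standard names" signature only means something once you know which names are present. The script below is an added example, not part of the Joe Sandbox report or the Carbon Black code base: it decodes the DllCharacteristics word from a PE optional header, lists section names outside the usual link.exe set, and reports which expected mitigations are missing. The PE image it parses is constructed inside the script (the section name .cbdata is hypothetical); the flag bit values are the ones from the PE/COFF specification.

```python
"""Decode a PE's DllCharacteristics mitigation flags and list its section names.
Standard library only. The PE image used below is CONSTRUCTED for this example
and is not the analysed sample."""
import struct

# IMAGE_DLLCHARACTERISTICS_* bit values from the PE/COFF specification.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Names link.exe/MSVC normally emit. Anything else is "non-standard" in the
# sandbox-signature sense; on its own that is a hint, not evidence of packing.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".tls", ".bss", ".CRT", ".gfids",
                     ".00cfg", "_RDATA", ".didat", ".vsdata"}

# Mitigations a modern 64-bit user-mode binary is expected to opt into.
EXPECTED_MITIGATIONS = {"HIGH_ENTROPY_VA", "DYNAMIC_BASE", "NX_COMPAT", "GUARD_CF"}


def parse_pe(image):
    """Return magic, DllCharacteristics flags and section names of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ layouts.
    dllchars = struct.unpack_from("<H", image, opt + 70)[0]
    flags = sorted(name for bit, name in DLL_CHARACTERISTICS.items() if dllchars & bit)
    # Section table (40-byte IMAGE_SECTION_HEADERs) follows the optional header.
    table = opt + size_of_opt
    sections = []
    for i in range(num_sections):
        raw_name = image[table + i * 40: table + i * 40 + 8]
        sections.append(raw_name.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "magic": "PE32+" if magic == 0x20B else "PE32",
        "dll_characteristics": dllchars,
        "flags": flags,
        "sections": sections,
        "non_standard_sections": [s for s in sections if s not in STANDARD_SECTIONS],
    }


def missing_mitigations(flags):
    """Expected mitigation flags that are absent from `flags`."""
    return sorted(EXPECTED_MITIGATIONS - set(flags))


def build_sample_pe(dllchars, section_names):
    """Build a minimal PE32+ header plus section table (constructed test input)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 240                            # PE32+ optional header, 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)     # PE32+ magic
    struct.pack_into("<H", opt, 70, dllchars)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    # Flags matching the report's static-PE line, plus one made-up section name.
    image = build_sample_pe(0x0020 | 0x0040 | 0x0080 | 0x0100 | 0x4000 | 0x8000,
                            [".text", ".rdata", ".data", ".pdata", ".cbdata", ".rsrc", ".reloc"])
    info = parse_pe(image)
    print(info["magic"], "DllCharacteristics=0x%04x" % info["dll_characteristics"])
    print("flags:", ", ".join(info["flags"]))
    print("non-standard sections:", info["non_standard_sections"])
    print("missing mitigations:", missing_mitigations(info["flags"]) or "none")
```

To run it against a real file, pass the file's bytes to parse_pe. The signature itself is not verified here (that needs the Authenticode chain), so pair this with signtool or Get-AuthenticodeSignature when deciding whether "certificate valid" is backed by a publisher you expect.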
Source: a3A9pyEx19.exe, 00000000.00000002.2122651014.0000026360593000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121592196.0000026360590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://169.254.169.254/latest/api/tokenj
Source: a3A9pyEx19.exe | String found in binary or memory: http://169.254.169.254/latest/meta-data/instance-idhttp://169.254.169.254/latest/api/tokenX-aws-ec2-
Source: a3A9pyEx19.exe, 00000000.00000003.2121592196.00000263605A0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121710456.00000263605A0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121854846.00000263605A1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text
Source: a3A9pyEx19.exe | String found in binary or memory: http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=texthttp://metad
Source: a3A9pyEx19.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t
Source: a3A9pyEx19.exe | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: a3A9pyEx19.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0#
Source: a3A9pyEx19.exe | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: a3A9pyEx19.exe | String found in binary or memory: http://json-schema.org/schema#
Source: a3A9pyEx19.exe, 00000000.00000002.2122651014.0000026360593000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121592196.0000026360590000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://metadata.google.internal/computeMetadata/v1/instance/idr
Source: a3A9pyEx19.exe | String found in binary or memory: http://ocsp.sectigo.com0
Source: a3A9pyEx19.exe | String found in binary or memory: http://www.carbonblack.com0/
Source: a3A9pyEx19.exe | String found in binary or memory: https://attack.mitre.org/techniques/T1218/010/
Source: a3A9pyEx19.exe | String found in binary or memory: https://bugzilla.eng.vmware.com/show_bug.cgi?id=2962550:
Source: a3A9pyEx19.exe | String found in binary or memory: https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS
Source: a3A9pyEx19.exe | String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: a3A9pyEx19.exe | String found in binary or memory: https://curl.se/docs/hsts.html
Source: a3A9pyEx19.exe | String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: a3A9pyEx19.exe | String found in binary or memory: https://deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log-
Source: a3A9pyEx19.exe | String found in binary or memory: https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.md
Source: a3A9pyEx19.exe | String found in binary or memory: https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/co
Source: a3A9pyEx19.exe | String found in binary or memory: https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do
Source: a3A9pyEx19.exe | String found in binary or memory: https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs
Source: a3A9pyEx19.exe | String found in binary or memory: https://sectigo.com/CPS0
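The 169.254.169.254 and metadata.google.internal strings in the list above are cloud instance-metadata (IMDS) endpoints, and which path is requested is what matters for triage. The paths present here (AWS /latest/meta-data/instance-id with the IMDSv2 /latest/api/token handshake, Azure /metadata/instance/compute/vmId, GCP /computeMetadata/v1/instance/id) return only the instance identifier, which is consistent with a sensor identifying the host it runs on; the credential-issuing paths (for example AWS /latest/meta-data/iam/security-credentials/) are the ones behind cloud credential theft, and none of them appear in this sample. The function below is an added example, not code from the report or from the sensor: it pulls URLs out of a string blob constructed from the entries above (kept run together and truncated exactly as the sandbox printed them), maps each to provider, purpose and the request header the endpoint requires, and flags credential-path access. The extra AWS credential URL is a constructed contrast case.

```python
"""Classify cloud instance-metadata (IMDS) URLs recovered from a binary's strings.
Standard library only. The string blob is CONSTRUCTED from the entries in this
report (kept run together and truncated as the sandbox printed them); the
credential URL is a constructed contrast case not present in the sample."""
import re
from urllib.parse import urlsplit

# (provider, host, path prefix, request header the endpoint demands). The header
# requirement is the anti-SSRF control; plain GETs without it are rejected.
PROVIDERS = [
    ("aws",   "169.254.169.254",          "/latest/",          "X-aws-ec2-metadata-token (IMDSv2)"),
    ("azure", "169.254.169.254",          "/metadata/",        "Metadata: true"),
    ("gcp",   "metadata.google.internal", "/computeMetadata/", "Metadata-Flavor: Google"),
]

# Paths that hand out secrets rather than identity. Requests to these from a
# host process are the classic cloud credential-theft indicator.
CREDENTIAL_PREFIXES = (
    "/latest/meta-data/iam/security-credentials",
    "/metadata/identity/oauth2/token",
    "/computeMetadata/v1/instance/service-accounts/",
)

# Strings in a dump run together; the lookahead stops a match at the next scheme.
URL_RE = re.compile(rb"https?://(?:(?!https?://)[\x21-\x7e])+")

PAGE_STRINGS = (  # constructed from the report's entries, NUL-separated
    b"http://169.254.169.254/latest/api/tokenj\0"
    b"http://169.254.169.254/latest/meta-data/instance-idhttp://169.254.169.254/latest/api/tokenX-aws-ec2-\0"
    b"http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=texthttp://metad\0"
    b"http://metadata.google.internal/computeMetadata/v1/instance/idr\0"
)
STOLEN_CREDS = b"http://169.254.169.254/latest/meta-data/iam/security-credentials/\0"  # constructed contrast


def classify_url(url):
    """Map one URL to provider, purpose and the header that endpoint requires."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path
    provider = header = None
    for name, h, prefix, hdr in PROVIDERS:
        if host == h and path.startswith(prefix):
            provider, header = name, hdr
            break
    if provider is None:
        purpose = "unknown"            # truncated or non-IMDS URL
    elif path.startswith(CREDENTIAL_PREFIXES):
        purpose = "credentials"
    elif path.startswith("/latest/api/token"):
        purpose = "imdsv2-token"       # PUT that obtains the IMDSv2 session token
    else:
        purpose = "identity"           # instance id / VM id only
    return {"url": url, "provider": provider, "purpose": purpose, "required_header": header}


def classify_imds_urls(blob):
    """Extract unique URLs from a string blob and classify each, in order found."""
    seen, results = set(), []
    for m in URL_RE.finditer(blob):
        url = m.group().decode("ascii")
        if url not in seen:
            seen.add(url)
            results.append(classify_url(url))
    return results


def credential_access(results):
    """True if any URL targets a credential-issuing metadata path."""
    return any(r["purpose"] == "credentials" for r in results)


if __name__ == "__main__":
    for r in classify_imds_urls(PAGE_STRINGS + STOLEN_CREDS):
        print("%-7s %-13s %-34s %s" % (r["provider"], r["purpose"], r["required_header"], r["url"]))
    print("credential access in the report's strings:", credential_access(classify_imds_urls(PAGE_STRINGS)))
```

Feed it the output of a strings dump of any sample; the truncated "http://metad" fragment shows why the classifier reports "unknown" rather than guessing a provider from a partial host.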
The hits below back the signature "Sample file is different than original file name gathered from version info". The version resource names the file RepMgr.exe, consistent with the original sample name ending in _repmgr.exe and with the RepMgr.pdb build path, while the submitted copy was renamed to its hash; the mismatch is a submission artifact, not evasion. Most of the remaining hits are not version-info fields at all: they are embedded rule text (JSON with "AttributeId": "FileResourceOriginalFilename" and pe.version_info["OriginalFilename"] YARA-module expressions) that the string scanner matched on the substring OriginalFilename.
Source: a3A9pyEx19.exe, 00000000.00000002.2123047817.00000263605E1000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121512262.00000263605E0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121458066.00000263605D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: version_info["OriginalFilename"] vs a3A9pyEx19.exe
Source: a3A9pyEx19.exe, 00000000.00000002.2123047817.00000263605E1000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121512262.00000263605E0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121458066.00000263605D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: version_info["OriginalFilename"]v vs a3A9pyEx19.exe
Source: a3A9pyEx19.exe, a3A9pyEx19.exe, 00000000.00000000.2118372083.00007FF743866000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRepMgr.exeT vs a3A9pyEx19.exe
Source: a3A9pyEx19.exe, a3A9pyEx19.exe, 00000000.00000000.2116077370.00007FF741E2A000.00000002.00000001.01000000.00000003.sdmp, a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF741E2A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory strings, each vs a3A9pyEx19.exe (the same run of strings appears in all three sources):
  • FileResourceOriginalFilename
  • "AttributeId": "FileResourceOriginalFilename",
  • "ExternalModuleCallArguments":"pe.version_info[\"OriginalFilename\"]",
  • "AttributeId":"FileResourceOriginalFilename",
  • { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" },
  • "ExternalModuleCallArguments": "pe.version_info[\"OriginalFilename\"]",
  • "AttributeId":"FileResourceOriginalFilename",
  • "AttributeId": "FileResourceOriginalFilename",
  • { "Actor": "Initiator", "AttributeId": "FileResourceOriginalFilename" },
  • { "Actor": "Parent", "AttributeId": "FileResourceOriginalFilename" },
  • { "Actor": "TargetParent", "AttributeId": "FileResourceOriginalFilename" },
  • { "Actor": "Target", "AttributeId": "FileResourceOriginalFilename" },
  • "Description": "Tag process as script host based on FileResourceOriginalFilename (yara)",
  • "AttributeId": "FileResourceOriginalFilename",
  • "Description": "Tag process as PDF readers based on FileResourceOriginalFilename (yara)",
  • "Description": "Tag process as Lua based on FileResourceOriginalFilename (yara)",
  • "AttributeId": "FileResourceOriginalFilename",
  • "AttributeId": "FileResourceOriginalFilename",
Source: a3A9pyEx19.exe, a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF742914000.00000002.00000001.01000000.00000003.sdmp | Binary or memory strings, each vs a3A9pyEx19.exe:
  • NtRenameKeyCompanyNameFileDescriptionLegalCopyrightLegalTrademarksOriginalFilenameOLESelfRegister
  • version_info["OriginalFilename"]
  • version_info["CompanyName"]version_info["ProductName"]version_info["InternalName"]version_info["LegalCopyright"]version_info["LegalTrademarks"]version_info["FileDescription"]version_info["FileVersion"]version_info["Comments"]version_info["OriginalFilename"]version_info["ProductDescription"]version_info["PrivateBuild"]version_info["SpecialBuild"]version_info["ProductVersion"]version_info_lang_idversion_info_charset_idmachine
Source: a3A9pyEx19.exe | Binary string: \device\lanmanredirector\
Source: a3A9pyEx19.exe | Binary string: ERROR: CPolicyEng::GetRuleId: rule id for rule %d is not an integer Type[%d]ERROR: CPolicyEng::GetUserGroups: user groups for rule %d is not an array. Type[%d]ERROR: CPolicyEng::GetUserGroups: user group for rule %d is not a string Type[%d]\device\policyTimeStampERROR: CPolicyEng::BuildSensorRuleSet: no policy nameCPolicyEng::BuildSensorRuleSet: new policy name: %lsERROR: CPolicyEng::BuildSensorRuleSet: no policy timestampCPolicyEng::BuildSensorRuleSet: new policy timestamp: %lluERROR: CPolicyEng::GetApplication: application for rule %d is not an object. Type[%d]ERROR: CPolicyEng::GetApplication: application type for rule %d is not an int. Type[%d]ERROR: CPolicyEng::GetApplication: application value for rule %d is not a string. Type[%d]14131210976543ERROR: CPolicyEng::GetApplication: application value for rule %d is not valid: %hs : ERROR: application pattern for rule %d is not valid: %hsERROR: application pattern %hs for rule %d is not valid
Source: a3A9pyEx19.exe | Binary string: \device\mup\
Source: a3A9pyEx19.exe | Binary string: \device\
Source: a3A9pyEx19.exe | Binary string: \\\device\mup\\device\lanmanredirector\\??\unc\\??\SystemRoot\systemrootSystemDrive%swindows\windows%sdocuments and settings\\documents and settings\%sprogram files\program files
Source: a3A9pyEx19.exe | Binary string: valid_wfp_pathunexpanded_dre_macro_pathunexpanded_drive_letter_pathunexpanded_dos_device_pathunexpanded_environment_variable_pathonly_basename_pathinvalid_characters_in_pathinvalid_path_formatvalidation_not_done\device\\\?\<>"|?*d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\common\user_driver_utils\HbfwUtils.cppHbfwFilePathValidator::ValidatePathCharsm_ValidationResult != PATH_VALIDATION_RESULT::VALIDATION_RESULT_UNKNOWNHbfwFilePathValidator::IsPathValidForWFPHbfwFilePathValidator::IsPathValidationErrorFatal.in.out.flg.errFlt.errGetLastError() == ERROR_NO_MORE_FILESd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\Blade\BladeRunner\InOutFileComms.cppInOutFileComms::FindAllIOFilesProcess Monitoring Rate: %llu ms
Source: a3A9pyEx19.exe | Binary string: %ls: Failed to copy file to: %ls, error %u%ls: Failed to find next file, error %uSiUtilRemoveMultiLevelPath: error %d removing directory %ls (level = %d)SiUtilRemoveMultiLevelPath: too few "%ls" in path to remove %d directory levels.SiUtilMkdir\/SiUtilMkdir: ERROR: CreateDirectoryA(%hs): %u\Device\UpperFiltersSYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}SiUtilGetDiskUpperFiltersAsStringListbRet is installed properly. No drivers present in UpperFilters keypartmgr. Repair is needed to prevent crash on next reboot.Key[PartMgr was not found in UpperFilters prior to Partmgr was not found in UpperFilters. Repair is needed to prevent crash on next reboot. Key[ was not found in UpperFilters. Repair is needed to prevent crash on next reboot. Key[SYSTEM\CurrentControlSet\Services\DeleteFlagSiUtilCheckAndRepairDiskUpperFilters: Checking UpperFilters key for corruptionSiUtilCheckAndRepairDiskUpperFilters: NumDiskDriversFound[%u] Bytes[%lu] UpperFilters[%ls] ReadStatus[%lu]SiUtilCheckAndRepairDiskUpperFilters: Detected DSEN-18585 corruption in RegistryKey[%ls]LastKnownGoodSYSTEM\SelectSiUtilCheckAndRepairDiskUpperFilters: Unable to find LastKnownGood control set. Cannot repairSYSTEM\ControlSet%03u\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}SiUtilCheckAndRepairDiskUpperFilters: LastKnownReg[%ls] NumDiskDriversFound[%u] Bytes[%lu] UpperFilters[%ls] ReadStatus[%lu]SiUtilCheckAndRepairDiskUpperFilters: Unable to find LastKnownGood UpperFilters. Cannot repairSiUtilCheckAndRepairDiskUpperFilters: LastKnownGood not valid. Cannot repair. Error[%hs].SiUtilCheckAndRepairDiskUpperFilters: Found deleted service[%ls]. 
Removing from repair listErrorSiUtilCheckAndRepairDiskUpperFilters: Current[%ls] LastKnownGoodUpperFilters[%ls] RepairedUpperFilters[%ls]SiUtilCheckAndRepairDiskUpperFilters: Unable to convert string list to buffer.SiUtilCheckAndRepairDiskUpperFilters: Unable to write repaired list to registry.SiUtilCheckAndRepairDiskUpperFilters: Repair Successful! UpperFilters Old[%ls]->New[%ls]SiUtilEnablePrivilege: %ls: AdjustTokenPrivileges failed: WinErr (%lu)SiUtilEnablePrivilege: %ls: LookupPrivilegeValueW failed: WinErr (%lu)SiUtilEnablePrivilege: %ls: OpenProcessToken failed: WinErr (%lu)SiUtilGetDataFilesDirc:\ProgramData\CarbonBlack\DataFilesDataFilesSiUtilGetUserDataFilesDirc:\ProgramData\CarbonBlack\UserDataFilesUserDataFilespPathSiUtilGetPscDataFolderSiUtilGetPscDataFolder: SHGetKnownFolderPath failed, HRESULT = %ldCarbonBlackadvapi32.dllSiUtilGetServiceNameFromServiceTag: Failed to get module handle - Module[%ls] WinErr[%lu]I_QueryTagInformationSiUtilGetServiceNameFromServiceTag: Failed to get proc address - Func[%hs] WinErr[%lu]SiUtilGetServiceNameFromServiceTag: %ls: SCM query subprocess tag routine returned NULL buffer for nameSiUtilGetServiceNameFromServiceTag!serviceName.empty()SiUtilGetServiceNameFromServiceTag: ERROR: SCM tag query routine failed, return code %lu, %ls, service tag %luSOFTWARE\Microsoft\Win
Source: classification engine | Classification label: clean16.evad.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1600:120:WilError_03
Source: a3A9pyEx19.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\a3A9pyEx19.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF742914000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: a3A9pyEx19.exe, 00000000.00000000.2116077370.00007FF741E2A000.00000002.00000001.01000000.00000003.sdmp, a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF741E2A000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: SELECT hash, md5, lfile, volume_id, dob, instances FROM rep_table WHERE id IN (SELECT DISTINCT rep_table_id FROM rep_src_table WHERE (rep & ?));
Source: a3A9pyEx19.exe, 00000000.00000002.2126599982.00007FF742914000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: a3A9pyEx19.exe | String found in binary or memory: HashObjectMap::PrimeHashLoadDuration(ms)HashObjectMap::PruneHashObjectsDuration(ms)HashObjectMap::PruneHashObjectsFilesPrunedHashObjectMap::NumHashObjectsHashObjectMap::HashObjectsAllFileNamesCountHashObjectMap::HashObjectsAllFileNamesMemUsageBytesd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\common\repmgr\HashObjectMap.cppCHashObjectMap::GetOrCreateHashObjectCHashObjectMap::GetOrCreateHashObject: Empty hash for filename[%ls]CHashObjectMap::GetOrCreateHashObject: New hash already in cache for hash[0x%02x%02x%02x%02x] filename[%ls] siErr[%d]CHashObjectMap::GetOrCreateHashObject: unable to alloc new hash object for hash [0x%02x%02x%02x%02x], filename %lsCHashObjectMap::GetOrCreateHashObject: forcing signer details to be queried for hash[0x%02x%02x%02x%02x] filename [%ls].CHashObjectMap::GetOrCreateHashObject: unable to retrieve or create hash object for hash [0x%02x%02x%02x%02x], filename %lspContext != NULLFindPrimingCandidateFindPrimingCandidate: Reached max priming capacity[%u]CHashObjectMap::SaveHashesForPriming: Searching for hashes to mark for priming!AlreadySavedHashesForPriming()CHashObjectMap::SaveHashesForPrimingCHashObjectMap::SaveHashesForPriming: Found %u priming candidatesCHashObjectMap::SaveHashesForPriming: Successfully marked %u hashes for primingCHashObjectMap::SaveHashesForPriming: Failed to mark %u hashes for priming: %uCHashObjectMap::PrimeHashesThread: BeginRepGlobals::s_pHashObjectMap != NULLCHashObjectMap::PrimeHashesThreadhashes.size() <= RepGlobals::s_pHashObjectMap->GetMaxSize()hashes.size() <= RepGlobals::s_Config.GetIniFile().GetMaxHashesToPrime()CHashObjectMap::PrimeHashesThread: No records to primeCHashObjectMap::PrimeHashesThread: Failed to load primed hashes: %uCHashObjectMap::PrimeHashesThread: Primed[%u of %u hashes] AlreadyPrimed[%u] Elapsed[%u ms]CHashObjectMap::PrimeHashesThread: Failed to prime Hash[0x%02x%02x%02x%02x] Error[%u]CHashObjectMap::PrimeHashesThread: 
Shutdown detectedCHashObjectMap::PrimeHashesThread: Priming Complete Primed[%u of %u hashes] AlreadyPrimed[%u] Result[%u] Duration[%u ms]0 == (apHo->GetInternalFlags() & HO_INTERNAL_FLAGS_IN_MEMORY_CACHE)CHashObjectMap::InsertCHashObjectMap::AddFilenameToHash: Started PruneFilenamesUnsafe() for hash 0x%02x%02x%02x%02x, filename [%ls]CHashObjectMap::AddFilenameToHash: Another thread re-added hash 0x%02x%02x%02x%02x, filename %lsCHashObjectMap::AddFilenameToHashHashObjectOneMinuteTimer: HashObjectMap max size %d, size %d (%u total), inserts %d, deletes %d, purges %dSYSTEM\CurrentControlSet\Services\CbDefenseWSC
Source: a3A9pyEx19.exe | String found in binary or memory: "GUID": "56695A16-7F4A-4B32-ADD8-4489C04830BD",
Source: a3A9pyEx19.exe | String found in binary or memory: "Description": "Tamper protect against altering sensor related keys under HKLM using restore/replace/load key registry ops",
Source: a3A9pyEx19.exe | String found in binary or memory: "GUID": "8163573F-7E1C-4227-ADD8-9C030D2A7CEA",
Source: a3A9pyEx19.exe | String found in binary or memory: mType == TypeFileZipItem::GetOnDiskFilepath%hs: Disabling elevated-memory-usage alarming.%hs : Re-enabled elevated-memory-usage alarmingDiagUtil::SetupKernelTracing: Level[%u] Flags[%016llX] MaxFileSizeMb[%u] FilePath[%ls]DiagUtil::SetupKernelTracing: Failed to setup kernel tracing. Level[%u] Flags[%016llX] MaxFileSizeMb[%u] FilePath[%ls]bKernelTraceSetupResultd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\repmgr\DiagnosticCaptureUtils.cppDiagUtil::StartDefaultKernelTracingDiagUtil::ListDirectories: FindFirstFileW() failed for directory %ls - Error Code 0x%08XDiagUtil::CreateZipList: Including File[%ls] in ziplistDiagUtil::CreateZipList: Unable to locate File[%ls]RepUx.exe.dmpRepWAV.exe.dmp.dmpDiagUtil::CollectDumpFiles: Sensor dump: file detected : [%ls] DiagUtil::CollectDumpFiles: Searching for dump files in SystemProfile[%ls]\scannerBlades\LiveQuery\Blades\LiveQuery\Exts\DiagUtil::CollectDumpFiles: Looking to see if any of the %u dump files found are for any of the %u CB executablesDiagUtil::CollectDumpFiles: Dump file[%ls]Windows\ServiceProfiles\LocalService\AppData\Local\Temp\DiagUtil::CollectDumpFiles: skip %ls, opted out of capturing system dump.DiagUtil::CollectDumpFiles: skip %ls, minimal reportingDiagUtil::CollectDumpFiles: skip %ls, failed to get file size - WinErr[%lu]DiagUtil::CollectDumpFiles: skip %ls, file size exceeds max - size[%u MB] max[%u MB]memory.dmpDiagUtil::CollectAndZipDumpFiles: No memory dumps found.DiagUtil::CollectAndZipDumpFiles: %u crash dump file(s) discovered. Compressing...DiagUtil::CollectAndZipDumpFiles: Created crash dump Zip[%ls] Success[%ls] (%d) Name[%ls] Value[%ls] Default[%ls]Current Usermode ConfigProps:Current Kernel ConfigProps:Unknown Error[%d].backupDiagUtil::CollectSpecifiedLogsDeleteAlways: CopyFileW failed. 
Error[%d] Src[%ls] Dest[%ls]w+bFile[%ls] OpenError[%d]File[%ls] WriteError[%u-%u]cb-installer*confer-temp.log\Events\psc_minibatch_*psc_eventbatch_*archives\cblr.logconfer.logNetTrace.logPerfStats.logAmsiEvents.logHbfwEvents.logSensorAlarms.logLiveQuery.logCbOsqExt.logLiveResponse.logscanhost.logvhostcomms.logupd.logscanner\scanner.iniReputation.csvWebRequest.logHyperscanGenerator.logmsi.logmsi-FromConferDir.logctifile.etlWebRequest.etlContent\manifestContent\manifestDiagUtil::CollectSensorLogs: could not retrieve content paths, segments will be excluded from capture for file %lsDiagUtil::CollectSensorLogsCbRepWSC.logdb_msg.changeui\db_msg.backupDiagUtil::CollectSensorLogs: Error backing up DB %lsdb_msgBlades\LiveQuery\LiveQueryExtensions.loadLiveQueryExtensions.loaddb_rep.backupdb_repdb_eve.backupdb_evedb_cfg.backupdb_diag.backupdb_diaguser\CbRepWAV.loguser\CbRepWAV.logRepUx.logRepUx.log.backupuser\RepUx.logWindows\ServiceProfiles\LocalService\AppData\Local\Temp\CbRepWAV.logCbRepWAV.log.backupCbDefenseevtxWindowsEventLogs\logonSessions.txtwfpfilters.xmlC:\windows\system32\:\windows\system32\DiagUtil::SaveWfpFilterInfo: Failed gettng system directory, constructed path:[%ls]n
Source: a3A9pyEx19.exe | String found in binary or memory: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\repmgr\EtwSession.cppCbEtwSession::AllocateTracePropertiesCbEtwSession::AllocateTraceProperties: Min buffer size for session [%ls] is [%lu] bytes. This exceeds expected maximum of [%lu] bytes. Allocating the minimum required.CbEtwSession::CheckIfSessionExists: Session [%ls] is not yet runningCbEtwSession::CheckIfSessionExists: ControlTrace(query) failed with [%lu] on session [%ls]NULL == m_StartSessionHandle && NULL != m_pTracePropertiesCbEtwSession::StartSessionCbEtwSession::StartSession: Started ETW Trace Session[%ls]CbEtwSession::StartSession: Failed to enable providers for Session[%ls]Already existsFailed to startCbEtwSession::StartSession: %ls, Session[%ls], Status[0x%08X]CbEtwSession::StartSession: Failed EventAccessControl for session[%ls], err [%lu]CbEtwSession::StartSession: Failed to get SYSTEM SID while changing security for session[%ls]NULL != m_pTracePropertiesCbEtwSession::StopSessionCbEtwSession::StopSession: Session[%ls] does not exist or is marked as non-stoppableCbEtwSession::StopSession: Failed to disable providers for Session[%ls]Failed to stopCbEtwSession::StopSession: %ls tracing for Session[%ls], Status[0x%08X]m_pSessionDefCbEtwSession::CommonSetupm_pSessionDef->GetProviderDefinitions().Count() != 0CbEtwSession::CompareTo: session definition from PSC document was changed, ETW session [%ls], session GUID [%ls]CbEtwSession::FlushEventBuffers: Unable to flush buffers for Session[%ls] Error[0x%08X]CbEtwSession::DisableProviders: No handle available, unable to disable providers for Session[%ls]CbEtwSession::IsSessionStartedCbEtwSession::IsSessionStarted: Failed QueryTraceW on session [%ls], error [%lu]
Source: a3A9pyEx19.exe | String found in binary or memory: Tried to set it to: %lluLiveQuery::LiveQueryLiaison::SendResult: Query %hs will be re-added to the Completed Query Queue (to be sent later).LiveQuery::LiveQueryLiaison::Enqueue: unexpected action value of %d for %hsLiveQuery::LiveQueryLiaison::StartWorkerAndNotify: LQL worker thread has not been started. Launching thread...LiveQuery::LiveQueryLiaison::StartWorkerAndNotify: %lsLiveQuery::LiveQueryLiaison::WorkerLoop: Worker thread start. (mContinueWork == %d)LiveQuery::LiveQueryLiaison::WorkerLoop: Worker thread end. (mContinueWork == %d)LiveQuery::LiveQueryLiaison::GetAndPopFrontCompletedQuery: EmptyLiveQuery::LiveQueryLiaison::GetAndPopFrontCompletedQuery: Wait to resend %hsLiveQuery::LiveQueryLiaison::EnqueueCompletedQuery: discard canceled query (id %hs)LiveQuery::LiveQueryLiaison::ProcessQuery: Processing query (id %hs)LiveQuery::LiveQueryLiaison::ProcessQuery: Query %hs successfully processedwill retrywill not retryLiveQuery::LiveQueryLiaison::ProcessQuery: Query %hs failed - %ls: Error Code %dLiveQuery::LiveQueryLiaison::TryEnqueueForRetry: discard canceled query (id %hs)ExecuteCancelUnknownAction
Source: a3A9pyEx19.exe | String found in binary or memory: --install-dir
Source: a3A9pyEx19.exe | String found in binary or memory: AVSignatureAvDataIndexavAvatar::AvSignature::InstallSignaturePack: To install the signature from the signature pack..\temp\AvSigDataavAvatar::AvSignature::InstallSignaturePack: Updater is still running, skip\metadata.txtvdfcommonNo VDF version foundavAvatar::AvSignature::InstallSignaturePack: No VDF version foundbuffer is too small to load VDF versionavAvatar::AvSignature::InstallSignaturePack: The buffer is too small to load VDF versionwin64archivesCouldn't find archive listavAvatar::AvSignature::InstallSignaturePack: Couldn't find archive listThe buffer is too small to load archive listavAvatar::AvSignature::InstallSignaturePack: The buffer is too small to load archive listavAvatar::AvSignature::InstallSignaturePack: ==> %dFailed to create directoryavAvatar::AvSignature::InstallSignaturePack: Failed to create directoryavAvatar::AvSignature::InstallSignaturePack: Process %ls The archive's signer is not correct avAvatar::AvSignature::InstallSignaturePack: The archive's signer is not correct, %lsFailed to expand archive avAvatar::AvSignature::InstallSignaturePack: Failed to expand archive %lsavAvatar::AvSignature::IsSignaturePackInstallAllowed: Installing %ls is allowed%hu.%hu.%hu.%huInvalid VDF versionavAvatar::AvSignature::IsSignaturePackInstallAllowed: Invalid VDF version - %lsavAvatar::AvSignature::IsSignaturePackInstallAllowed: New signature (0x%016I64x)vdf.Invalid version stringavAvatar::AvSignature::IsSignaturePackInstallAllowed: Invalid version string - %hs%hu.%hu.%hu.%huavAvatar::AvSignature::IsSignaturePackInstallAllowed: Downgrading is not allowed (0x%016I64x -> 0x%016I64x)avAvatar::AvSignature::IsSignaturePackInstallAllowed: Upgrade (0x%016I64x -> 0x%016I64x)avAvatar::AvSignature::RemoveUnusedDataDir: Clean up unused data [%ls] was not completed, error %luFailed to write data index, error avAvatar::AvSignature::WriteDataIdx: Failed to write data index, error %luAvData_d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\av\avatar\AvManagerAvatar\AvSignature.cppavAvatar::AvSignature::PrepareDataDirFailed to create data directoryavAvatar::AvSignature::PrepareDataDir: Failed to create data directory of %ls, error %luavAvatar::AvSignature::PrepareDataDirFailed to copy av signature dataavAvatar::AvSignature::PrepareDataDir: Failed to copy the dataFailed to copy part of the av signature dataavAvatar::AvSignature::PrepareDataDir: Failed to copy part of the dataFailed to protect proxy, error avAvatar::AvSignature::EncodeProxyString: Failed to protect proxy, error %uFailed to encode proxy, error avAvatar::AvSignature::EncodeProxyString: Failed to encode proxy, error %u--no-config--quiet--no-dns-resolve--update-modules-list--key-dir/idx/master.idx--master-file/idx/savapi4lib-win64-en.info.gz--product-file--install-dir--proxy-id--internet-srvs!nameValue.first.empty()avAvatar::AvSignature::GetArgumentStringFailed to update, no serveravAvatar::AvSignature::Update: Failed to update, no serveravAvatar::AvSignature::Update: Updater is stil
Source: a3A9pyEx19.exe | String found in binary or memory: mpScanner != nullptrd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\av\avatar\AvManagerAvatar\AvScannerIpcServer.cppavAvatar::AvScannerIpcServer::AvScannerIpcServermhPreStopEvent != NULL && mhMsgEvent != NULLpCtx != nullptravAvatar::AvScannerIpcServer::SocketDataCallbacksocket != NULLpBuffer != nullptrbufferLength > 0Av.Avt.Scanner.Ipc: Stopped, reject new connectionAv.Avt.Scanner.Ipc: Message is too small, reset connectionAv.Avt.Scanner.Ipc: Out bound connect is already created, reject new connectionAv.Avt.Scanner.Ipc: In bound connect is already created, reject new connectionAv.Avt.Scanner.Ipc: Unexpected initial connection request: %lsAv.Avt.Scanner.Ipc: Start listening scanner request from 0x%llxAv.Avt.Scanner.Ipc: Error while waiting for out bound messages. socket 0x%llx error %dAv.Avt.Scanner.Ipc: Stop out bound listening per request. Socket 0x%llxAv.Avt.Scanner.Ipc: Failed to send message on socket 0x%llx, reset out bound connectionAv.Avt.Scanner.Ipc: Start listening scanner response from 0x%llxAv.Avt.Scanner.Ipc: Error while waiting for in bound messages on socket 0x%llx. Timeout[%d]Av.Avt.Scanner.Ipc: Stopped waiting for in bound messages on socket 0x%llx. Timeout[%d]Av.Avt.Scanner.Ipc: Stop in bound listening per request socket 0x%llxMessage Type: avAvatar::AvScannerIpcServer::HandleInBoundSocketProcbug/unexpectedMsgType 0 0Av.Avt.Scanner.Ipc: Failed to cast to generic error message, Error Codes: , Sub Type : runtime, Error Type: Av.Avt.Scanner.Ipc: Scanner reports a generic runtime error, %hs:%hs:%hsAv.Avt.Scanner.Ipc: Clean up outbound queue. New %u, waiting %uAv.Avt.Scanner.Ipc: Got a timeout while waiting on request, type %dAv.Avt.Scanner.Ipc: Have an error while waiting for completion of queued IPC request, type %d, error %uAv.Avt.Scanner.Ipc: Got pre-stop eventmWaitTimeout > 0avAvatar::AvScannerIpcServer::WaitReplyMessageAv.Avt.Scanner.Ipc: Got a timeout while waiting on request (extra pre-stop wait), type %dAv.Avt.Scanner.Ipc: scanner is not ready, discard message, %ls id[%u]avAvatar::AvScannerIpcServer::QueueIpcRequestAndWaitbug/unexpectedMsgType, 0, 0Av.Avt.Scanner.Ipc: Failed to cast to error message for request %ls %hs, Error Type: Av.Avt.Scanner.Ipc: Scanner reports an error for request %ls %hs, error %hs:%hs:%hsAv.Avt.Scanner.Ipc: Got an invalid message type back (%ls, expected %ls) for %hsAv.Avt.Scanner.Ipc: Notify scanner to initinitAv.Avt.Scanner.Ipc: Got an invalid message reply type (%ls, expected %ls) for initAv.Avt.Scanner.Ipc: Notify scanner to shutdownShutdownAv.Avt.Scanner.Ipc: Got an invalid message reply type (%ls, expected %ls) for ShutdownAv.Avt.Scanner.Ipc: Notify scanner to reload userReloaduserAv.Avt.Scanner.Ipc: Got an inavlid message reply type (%ls, expected %ls) for ReloaduserAv.Avt.Scanner.Ipc: Notify scanner to set scan options [%ls]SetScanOptionsAv.Avt.Scanner.Ipc: Got an invalid message reply type (%ls, expected %ls) for SetScanOptionsAv.Avt.Scanner.Ipc: Notify scanner to se
Source: a3A9pyEx19.exe | String found in binary or memory: <Address></Address>
Source: a3A9pyEx19.exe | String found in binary or memory: <InstallDate></InstallDate>
Source: a3A9pyEx19.exe | String found in binary or memory: <InstallDirectory>Default</InstallDirectory>
Source: a3A9pyEx19.exe | String found in binary or memory: <InstalledFor></InstalledFor>
Source: a3A9pyEx19.exe | String found in binary or memory: <InstalledFor>All-Users</InstalledFor>
Source: a3A9pyEx19.exe | String found in binary or memory: </InstallComponents><DiskDrives>
Source: a3A9pyEx19.exe | String found in binary or memory: cb-installer-4.0.0.1292.log
Source: a3A9pyEx19.exe | String found in binary or memory: cb-installer-4.0.0.1292.logIsServiceProtected: Failed to query service protection status Service[%ls] Error[%d]wscsvcCheckAndStartService: Failed to open service to check status Service[%ls] Error[%d]CheckAndStartService: Failed to query service status Service[%ls]CheckAndStartService: Protected Service[%ls] was stopped. Attempting to startCheckAndStartService: Failed to start Service[%ls] Error[%d]CheckAndStartService: Service[%ls] State[%d] Running[%d]install_utils::CheckIsAdmin: IsProcessRunningElevated(%lu) %ls returned err[%u]install_utils::Registerinstall_utils::Register failed: %lsinstall_utils::Register succeededinstall_utils::GetDialogOptionscompany codeuser codeDecodeRegisterCode: DecodeRegistrationCode as %ls failedinstall_utils::DecodeRegisterCode ERROR: detected old company_code format that is invalid for sensor 3.x and later, please get the new company_code from the backend.DecodeRegisterCode: DecodeRegistrationCode as %ls succeeded
Source: unknown | Process created: C:\Users\user\Desktop\a3A9pyEx19.exe C:\Users\user\Desktop\a3A9pyEx19.exe
Source: C:\Users\user\Desktop\a3A9pyEx19.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: a3A9pyEx19.exe | Static PE information: certificate valid
Source: a3A9pyEx19.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: a3A9pyEx19.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: a3A9pyEx19.exe | Static file information: File size 49946328 > 1048576
Source: a3A9pyEx19.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x15b8e00
Source: a3A9pyEx19.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x10f0800
Source: a3A9pyEx19.exe | Static PE information: Raw size of .data is bigger than: 0x100000 < 0x6bd000
Source: a3A9pyEx19.exe | Static PE information: Raw size of .reloc is bigger than: 0x100000 < 0x108200
Source: a3A9pyEx19.exe | Static PE information: More than 200 imports for KERNEL32.dll
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: a3A9pyEx19.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: a3A9pyEx19.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: d:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\repmgr\x64\Release\RepMgr.pdb source: a3A9pyEx19.exe
Source: a3A9pyEx19.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: a3A9pyEx19.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: a3A9pyEx19.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: a3A9pyEx19.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: a3A9pyEx19.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: a3A9pyEx19.exe | Static PE information: section name: .detourc
Source: a3A9pyEx19.exe | Static PE information: section name: .detourd
Source: a3A9pyEx19.exe | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\a3A9pyEx19.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\AppId_Catalog\16FCB1A7

Malware Analysis System Evasion

Source: a3A9pyEx19.exe, 00000000.00000002.2122926485.00000263605C6000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121551842.00000263605BF000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121926581.00000263605C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: a3A9pyEx19.exe | Binary or memory string: /NOFILTER/MINIMIZED/QUIET/BACKINGFILE/WAITFORIDLE/TERMINATEPROCMON.EXEPROCMON64.EXEPROCMONLOWALT.EXELOGFILE.PMLPSC_PROCMON.PMLPSC_PROCMON-EULAACCEPTEDSOFTWARE\SYSINTERNALS\PROCESS MONITORPROCMONSYSINFO.XMLPSC_STATUS.TXTPSC_PROCESSES.TXTPSC_DEVICES.TXTPSC_VOLUMES.TXTPSC_CANONICAL_POLICY.JSONPSC_PRESENTATION.JSONPSC_CBD_POLICY.TXTPSC_YARA_RULES_CLASSIFICATION_PSC_CMDLINE_YARA_RULES.TXTCB-TEMP\TEMP\PUBLIC_CLOUD_INFO.XMLSGW_CONFIG.JSONDNS_CACHE_LIST.TXT0
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: a3A9pyEx19.exe | Binary or memory string: VHostComms-Windows errorVHostComms-vHostComms errorVHostComms-Windows/Fatal errorvHostComms/Fatal errorvHostComms::VHostCommsIpcErrorMsg::GetErrorTypeStrUnknown errorVHCInterfaceLockNot FoundInitializingServer Unavailabled:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\windows\VirtualHostComms\VHostCommsConnector\HostCommsInterface.cppvHostComms::HostInterface::GetConnectionStatusStrVHostComms:DisconnectCountVHostComms:FatalErrorsvHostComms::HostInterface::SendQueryIdentityMessage: VHostManager::SendIpcMsg[%ls] status = %dvHostComms::HostInterface::SendQueryIdentityMessage: Failed to create query identity message, error = %dvHostComms::HostInterface::SendVDiskInfoQuery: VHostManager::SendIpcMsg[%ls] status = %dvHostComms::HostInterface::SendVDiskInfoQuery: Failed to create VDiskInfo message, error = %dvHostComms::HostInterface::ProcessIdentityMessage: Failed to parse received message for identity info, error = %dvHostComms::HostInterface::ProcessIdentityMessage: External identity changed, need to reregistervHostComms::HostInterface::ProcessIdentityMessage: s_bVMReRegTriggeredUsingBIOS is set, not re-registeringvHostComms::HostInterface::ProcessIdentityMessages_bIsVMwareESXiGuest = %u, EnableAutoReregisterForVDIClones = %u, s_bIsVMwareHorizonClone = %uExternal identity updatedvHostComms::HostInterface::ProcessVDiskMessage: Failed to parse received message for vDisk info, error = %d :error code :vHostComms::HostInterface::HandleVHostCommsFatalError: Failed to restart virtual host communication helper processvHostComms::HostInterface::UpdateConnectionCounters: VHostComms connection still not restored after %d attemptsvHostComms::HostInterface::HandleConnectionStatusMsg: VHostComms connection status transition (%ls -> %ls)VHostComms: Cannot process empty IPC messageVHostComms: Failed to process message received over vhostcomms channel, error = %dvHostComms::HostInterface::ProcessRecvdIpcMsgVHostComms: Unsupported IPC message with type[%d] received.
Source: a3A9pyEx19.exe | Binary or memory string: CompanyNameVMware, Inc.t&
Source: a3A9pyEx19.exe | Binary or memory string: DefenseEventNewFileDuration(ms)DefenseEventNewFileReportAndInfoGatheringDuration(ms)DefenseEventScriptNameDuration(ms)DefenseEventBlockedFileAccessDuration(ms)DefenseEventDataFileAccessDuration(ms)DefenseEventAVActionDuration(ms)DefenseEventAPICallDuration(ms)DefenseEventConsoleAPICallDuration(ms)DefenseEventNetFlowFromKernelDuration(ms)DefenseEventNetFlowFromAPIReportDuration(ms)DefenseEventProcessCreateDuration(ms)DefenseEventHashExecuteDuration(ms)DefenseEventRegistryDuration(ms)DefenseEventPolicyActionFileBlock(ms)DefenseEventPolicyActionProcessTerminated(ms)DefenseEventCSRFileUploadStatusDuration(ms)DefenseEventQueueDuration(ms)DefenseEventNewFileReportsDroppedDefenseEventNewFileReportsAttributedToRepmgrDefenseEventSuppressedDefenseEventNetworkEventsDroppedDefenseEventAddedDefenseEventPrunedUnsentEventsDefenseEventTotalPrunedEventsDefenseEventPruneDuration(ms)DefenseEventRecheckRepDuration(ms)DefenseEventAddThreatDuration(ms)DefenseReport:CollectFileDetailsDurationDefenseReport:CollectResourcesDurationDefenseReport:CollectSignatureDurationDefenseReport:CollectFileDetailsNonAccessibleFilesDefenseReport:SignatureInfoFoundInCacheDefenseReport:ResourceInfoFoundInCacheDefenseReport:CollectProcessInfoDurationDefenseReport:ReportsWithMissingProcessInfoDefenseReport:SignatureInfoRequeries: days HashObjectCache[%u entries, %u bytes/entry] Total[%u bytes]ProcessTable[%u entries, %u bytes/entry] Total[%u bytes}ResubmitQueue[%u entries, %u bytes/entry] Total[%u bytes}ExpediteQueue[%u entries, %u bytes/entry] Total[%u bytes}lvl >= LOG_LEVEL_LOWEST && lvl <= LOG_LEVEL_HIGHESTd:\JenkinsNew\workspace\CbD_Build_Windows_Agent_4.0\1292\common\repmgr\RepGlobals.cppRepGlobals::ResolveLogLevelCblrKillRepGlobals::WriteCblrKillToConfigDb: CfgSetValue(%hs) failed with SiErr[%d]Global\SI_SERVICE_UPRepGlobals::Initialize: Failed to open svc up event - WinErr[%lu]InstallTimeCB Defense Service running for the first time.InstallBootTimeinstallBootTime != 0RepGlobals::InitializeRepGlobals::Initialize: Set InstallBootTime[%llu]SensorDeployTimeCB Defense Unable to obtain SensorDeployTime.RepGlobals::Initialize: Failed to initialize CertLibRepGlobals::Initialize: initialize guestinfo failed, error [%lu]RepGlobals::Initialize: init guestinfo devIdStatus: %d, regIdStatus: %d, versionStatus: %dRepGlobals::Initialize: no need to init guestinfo variables. vmType: %dRepGlobals::s_ResubmitRequestQueue.IsEmpty()RepGlobals::Finalizeconfer.logHORIZONRepGlobals::IsVMwareHorizonClone: s_bIsVMwareESXiGuest = %u, EnableAutoReregisterForVDIClones = %u, bIsVmwareHorizonClone = %u, vdiProvider = %ls
Source: a3A9pyEx19.exe | Binary or memory string: "Equals": "<ProgramFiles>\\vmware\\vmware view\\agent\\bin\\wsnm.exe",
Source: a3A9pyEx19.exe | Binary or memory string: d:\jenkinsNew\workspace\CbShared_Build_Windows_2019\Das\Common\LibVmciSocket\Socket.cpp
Source: a3A9pyEx19.exe | Binary or memory string: "Description": "Priority allow VMWare signed dlls to load into Repux/RepCli/VHostComms",
Source: a3A9pyEx19.exe | Binary or memory string: IsVirtualMachineVirtualizationProviderExternallyAssignedDeviceIdDeviceManagementIdVdiProviderAzureVmIdInfrastructureProvider
Source: a3A9pyEx19.exe | Binary or memory string: EncryptDatabaseWithKeyDecryptDatabaseWithKeySetNewAgentDBKeyVMwareVMwareMicrosoft Hvmachine.id.getCb.DeviceIdCb.RegIdCb.SensorVersionCb.Sensor.policyCb.Sensor.bypassCb.BackgroundScan.stateCb.BackgroundScan.statusCb.Av.SigVerCb.Av.LastUpdateitreplica^vdi.broker.brokers=(.*)( ?)Panic: Unrecoverable memory allocation failure
Source: a3A9pyEx19.exe | Binary or memory string: "Comment": "DSEN-11529: allowing vmwsci.dll that is vmware signed to load into repcli.exe on horizon vms",
Source: a3A9pyEx19.exe | Binary or memory string: "$comment": "https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS+signature+syntax"
Source: a3A9pyEx19.exe | Binary or memory string: VMwareESXiGuest[VMwareHorizonClone[Public Cloud[Infrastructure Provider[Virtualization Provider[Public Cloud Instance Id[Alarms: {none}
Source: a3A9pyEx19.exe | Binary or memory string: Evaluates to true if sensor is running on VMWare Horizon Cloud
Source: a3A9pyEx19.exe | Binary or memory string: VMwareHorizonClone[
Source: a3A9pyEx19.exe, 00000000.00000003.2121592196.0000026360590000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -be33-91b2f05e9306}\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b
Source: a3A9pyEx19.exe | Binary or memory string: "$comment": "https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS+signature+syntax"
Source: a3A9pyEx19.exe | Binary or memory string: "Equals": "<ProgramFilesCommonx86>\\VMware\\**",
Source: a3A9pyEx19.exe | Binary or memory string: LegalCopyrightCopyright (C) 2011-2023 VMware, Inc. All Rights Reserved.
Source: a3A9pyEx19.exe | Binary or memory string: CIniFileBaseSoftware\VMware, Inc.\ViewComposer\ga\AgentIntegrationCustomizationStartedpsc:segment_type:sensor:av:updates_ziphttp://169.254.169.254/latest/meta-data/instance-idhttp://169.254.169.254/latest/api/tokenX-aws-ec2-metadata-token-ttl-seconds: 300http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=texthttp://metadata.google.internal/computeMetadata/v1/instance/id/services/registration//services/vdiregistration//services/registrationcode//services/deregister//services/status//services/reputation//services/policyV2//services/configuration//services/bulkbehaviorV2//services/bulkreputationV2//services/asyncrepreq//services/hello//services/healthCheck//services/malwareremoved//services/upload//services/uploadconferfile//services/hashlistrefreshV2//services/gethashuploadlist//services/uploadhash//services/getsoftwareupgrade//services/getsoftwarepatch//services/getipblocklist//services/defense/v1/hashdelete/list//services/defense/v1/hashdelete/report//services/getSensorActions//services/zipcontainer//services/cblr//services/uninstallcode//services/metadata//services/psc/v1/threathunter/events//services/ubs/v1/file/existence//services/ubs/v2/file/upload//services/psc/v1/livequery/requests//services/psc/v1/livequery//content_pacing/v1/manifestSoftware\Microsoft\Windows\CurrentVersion\RunOnce
Source: a3A9pyEx19.exe | Binary or memory string: send() returned 0 bytesd:\jenkinsNew\workspace\CbShared_Build_Windows_2019\Das\Common\LibVmciSocket\Socket.cppSockets::Socket::SendSockets::Socket::SendAll : Failed to send %d bytes, error = %d
Source: a3A9pyEx19.exe | Binary or memory string: IsVirtualMachine
Source: a3A9pyEx19.exe | Binary or memory string: AF_INET == dnsCacheInfo.m_FamilyDebugPortSerialization::DnsCache::SerializeDnsCacheInfoIpv4TTLSeconds%08x-%08xLUIDLinkedLUIDSessionUserNameUserPrincipalNameDomainNameSid(LogonTypeLogonTimeAuthenticationPackageLogonServerDNSDomainNamePasswordLastSetTimeLastLogonTimeLastFailedLogonTimeFailedLogonAttemptsSensorStateSensorStateDetailsQuarantineStateProtectionDelayPolicyNamePolicyTimestampLastManifestContentUpdateCurrentManifestContentErrorsDefenseEnabledCbFirewallRegisteredCbFirewallEnabledKernelFileFilterConnectedDeviceIDLastUserSensorRestartsLastSensorResetVirtualGuestToHostCommsStatusExternalIdentityFIPSModeEnabledVMwareESXiGuestVMwareHorizonCloneXDRSignaturesStatusPublicCloudInfrastructureProviderVirtualizationProviderPublicCloudInstanceIdSensorUpTimeIdleUpdatingContentManagerStatusSensorVersionSVNRevisionLocalScannerProductVersionLocalScanneruserVersionLiveQueryComponentHashLiveQueryProductVersionLiveQueryExtensionsVersionDiskFilterVersionNetFilterVersionPSCPolicyVersionFileAnalysisVersionCbSharedVersionProtobufVersionSqliteVersionMhooklibVersionDisasmlibVersionWscuuidVersionMsgpackVersionDetoursVersionLibcurlVersionHtpVersionMinizipVersionHyperscanRuntimeVersionHyperscanCompilerVersionMicroidsVersion3.0.6MinizipPackageVersion0.5.4MsgpackPackageVersion1.1.0RapidJsonPackageVersion8.4.0LibcurlPackageVersion3.42.0SqlitePackageVersion4.1.3YaraPackageVersionSciterVersionBackgroundScanStateBackgroundScanProgressBackgroundScanCurrentDirectoryBackgroundScanFilesProcessedOnDemandScanStateOnDemandScanProgressOnDemandCurrentDirectoryOnDemandScanFilesProcessedSensorConnectedToCloudProtocolVersionServerAddressUsingProxyForceStaticProxyUseCurrentProxiesDetectedProxiesLastAttemptProxiesStaticProxiesRegisteredReregisterRequiredNextSendWindowSendWindowSizePrivateLoggingMessagesSentMessageSendErrorsMessageTotalBytesSentMessageTotalBytesReceivedElapsedMilliSecondsSinceLastCloudSuccessElapsedMilliSecondsSinceLastCloudFailureLastCurlCodeLastHttpCodeNotConfiguredGatewayStatusResubmitReputationsOutstandingResubmitReputationsTotalQueuedExpeditedReputationsOutstandingExpeditedReputationsTotalQueuedSlowReputationsResubmitStateOutstandingSlowReputationsReadyStateOutstandingSlowReputationsStaleStateOutstandingSlowReputationsDemandStateOutstandingHighPriorityQueueOutstandingHighPriorityQueueProcessedMediumPriorityQueueOutstandingMediumPriorityQueueProcessedLowPriorityQueueOutstandingLowPriorityQueueProcessedLiveQueriesOutstandingLiveQueriesCompletedAPCUploadsOutstandingAnalysisUploadsOutstandingUBSUploadsOutstandingUBSUploadsCompletedPSCAverageUploadRatePerWindowUBSAverageUploadRatePerWindowEventBatchesUploadedTotalEventsUploadedTotalBytesUploadedAverageArchiveCompressionRatioCompressionMethodCompressionLevelAverageArchiveDurationInMillisecondsMaxArchiveTimespanInSecondsMaxArchiveSizeInBytesUploadTimeoutsUploadFailuresAverageUploadRateInBytesPerSecondAverageBytesUploadedPerMinuteMaximumUploadRateInBytesPerSecondPercentageOfDiskQuotaInUsePendingMinibatchCountPendingMinibat
Source: a3A9pyEx19.exe | Binary or memory string: HKLM\Software\VMware, Inc.
Source: a3A9pyEx19.exe | Binary or memory string: "Comment" : "DSEN-8733: To avoid interop issues with Horizon, we need to allow <ProgramFilesCommon>\\vmware\\remote experience\\vmtoolshook.dll",
Source: a3A9pyEx19.exe | Binary or memory string: SystemInformation::InitializeForWindowsUpdateCollection%hs: Failed to initialize COM[0x%08lx]wuapi.dll%hs: Failed to load wuapi[%lu]RegGetValue(%hs): %ldMicrosoft %uWindows 11 Windows 11Windows 10 Windows 10Windows 2022 Server Windows 2022 ServerserverclientWindows 10 Enterprise for Virtual Desktops Windows 2019 Server Windows 2019 ServerWindows 2016 Server Windows 2016 ServerWindows Vista Windows VistaWindows Server 2008 Windows Server 2008Windows 7 Windows 7Windows Server 2008 R2 Windows Server 2008 R2Windows 8 Windows 8Windows Server 2012 Windows Server 2012Windows 8.1 Windows 8.1Windows Server 2012 R2 Windows Server 2012 R2x64 x86 arm64 GetProductInfo EmbeddedWindows Server 2003 R2Windows Storage Server 2003Windows Home ServerWindows XP Professional x64 EditionWindows Server 2003 Datacenter Edition for Itanium-based Systems Enterprise Edition for Itanium-based Systems Datacenter x64 Edition Enterprise x64 Edition Standard x64 Edition Compute Cluster Edition Datacenter Edition Enterprise Edition Web Edition Standard EditionWindows XP Windows XPHome EditionEmbeddedWindows 2000 Windows 2000Windows 2000 ServerDatacenter ServerAdvanced ServerServerFeaturePackVersionSYSTEM\CurrentControlSet\Control\WindowsEmbedded\ProductVersion(%d.%d.%d)Windows NT 4.0 or earlierWindows NT 4.0SOFTWARE\Microsoft\Windows NT\CurrentVersion\Server\ServerLevelsServerCoreServer-Gui-ShellServer Core was detected but OS was not detected as server editionGlobalMemoryStatusEx: %dHARDWARE\DESCRIPTION\System\CentralProcessor\~MHzVendorIdentifierIdentifierProcessorNameStringSystemInformation::GetSystemBootTime%hs: Failed to get QuerySystemInformation function[%lu]%hs: Failed to call QuerySystemInformation[0x%08lx]NtQuerySymbolicLinkObject: Device[%ls] Error[%08X]NtOpenSymbolicLinkObject: Devices[%ls] Error[%08X]NoRootDirRAMDiskA:\ FindFirstVolume: %dSystemInformation::Update%hs: Failed to query SystemBootEnvironmentInformation Error[0x%08lx]%hs: Failed to query SystemSecureBootInformation Error[0x%08lx]%hs: Failed to query SystemCodeIntegrityInformation Error[0x%08lx]BIOSVendorHARDWARE\DESCRIPTION\System\BIOSSystemBiosVersionHARDWARE\DESCRIPTION\SystemBIOSReleaseDateSystemBiosDateVmIdSOFTWARE\Microsoft\Windows AzureSOFTWARE\VMware, Inc.\VMware VDM\AgentVMware, Inc.VMware Virtual PlatformVMW_ESXVMW_WSVMW_OTHERBIOSVersionHyper-VHyperVVBOXVirtualBoxOracle, Inc.RTUALSystemManufacturerinnotek GmbHDeviceClientIdSOFTWARE\Microsoft\Provisioning\OMADM\MDMDeviceIDSystemProductNameamazonhvmgoogleKVMgoogle compute userSYSTEM\CurrentControlSet\Control\SystemInformationxenXenamazon ec2%hs: Failed to convert domain role to string[%u]<Processors>
Source: a3A9pyEx19.exe | Binary or memory string: VMwareVMware
Source: a3A9pyEx19.exe | Binary or memory string: \systemroot\system32\syswow64\\??\BusinessBusiness NHPC EditionServer Hyper Core VCoreCore NChinaSingle LanguageServer Datacenter (Evaluation)Server DatacenterServer Datacenter (Core)Server Datacenter without Hyper-V (Core)Server Datacenter without Hyper-VEnterpriseEnterprise EEnterprise N (Evaluation)Enterprise NServer Enterprise (Evaluation)Server EnterpriseServer Enterprise (Core)Server Enterprise without Hyper-V (Core)Server Enterprise for Itanium-based SystemsServer Enterprise without Hyper-VWindows Essential Server Solution ManagementWindows Essential Server Solution AdditionalWindows Essential Server Solution Management SVCWindows Essential Server Solution Additional SVCHome BasicHome Basic EHome Basic NHome PremiumHome Premium EHome Premium NWindows Home Server 2011Windows Storage Server 2008 R2 EssentialsMicrosoft Hyper-V ServerWindows Essential Business Server Management ServerWindows Essential Business Server Messaging ServerWindows Essential Business Server Security ServerWindows MultiPoint Server StandardWindows MultiPoint Server PremiumProfessionalProfessional EProfessional NProfessional with Media CenterServer For SB Solutions EMServer For SB SolutionsWindows Server 2008 for Windows Essential Server SolutionsWindows Server 2008 without Hyper-V for Windows Essential Server SolutionsServer FoundationWindows Small Business Server 2011 EssentialsWindows Small Business ServerSmall Business Server PremiumSmall Business Server Premium (Core)Windows MultiPoint ServerServer Standard (Evaluation)Server StandardServer Standard (Core)Server Standard without Hyper-VServer Standard without Hyper-V (Core)Server Solutions PremiumServer Solutions Premium (Core)StarterStarter EStarter NStorage Server EnterpriseStorage Server Enterprise (Core)Storage Server ExpressStorage Server Express (Core)Storage Server Standard (Evaluation)Storage Server StandardStorage Server Standard (Core)Storage Server Workgroup (Evaluation)Storage Server WorkgroupStorage Server Workgroup (Core)UltimateUltimate EUltimate NWeb ServerWeb Server (Core)UnlicensedStandaloneWorkstationMemberWorkstationStandaloneServerMemberServerBackupDomainControllerPrimaryDomainControllerENABLEDTESTSIGNUMCI_ENABLEDUMCI_AUDITMODE_ENABLEDUMCI_EXCLUSIONPATHS_ENABLEDDEBUGMODE_ENABLEDFLIGHTING_ENABLEDHVCI_KMCI_ENABLEDHVCI_KMCI_AUDITMODE_ENABLEDHVCI_KMCI_STRICTMODE_ENABLEDHVCI_IUM_ENABLEDWHQL_ENFORCEMENT_ENABLEDWHQL_AUDITMODE_ENABLEDFatFat32ExFatReFSNoRootRemoteCD-ROMRAMOct 17 2023 08:08:12RecognizerDriverFileSystemDriverKernelDriverInteractiveProcessWin32OwnProcessInteractiveSharedProcessWin32ShareProcessUnknown Service Type[%08X]AutoBootManualLocalPackageLastUsedSourceLastUsedTypeMediaPackagePathDiskPromptInstallDateInstalledProductNameInstallLocationInstallSourcePublisherVersionStringRegCompanyRegOwnerAssignmentTypePackageCodeUpgradeCodeMsiInstallInfo::SetUpgradeCode%S: Failed to Set Upgrade code for [%s]
Source: a3A9pyEx19.exe | Binary or memory string: LegalTrademarksVMware is a registered trademark or trademark of VMware, Inc. in the United States and other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.>
Source: a3A9pyEx19.exe | Binary or memory string: "Equals": ["VMWare, Inc."]
Source: a3A9pyEx19.exe | Binary or memory string: VMwareESXiGuest[
Source: a3A9pyEx19.exe | Binary or memory string: "Equals": "<ProgramFilesCommon>\\VMware\\**",
Source: a3A9pyEx19.exe | Binary or memory string: "Comment":"https://bugzilla.eng.vmware.com/show_bug.cgi?id=2962550: Denying csrss access causes issues for smart card logons",
Source: a3A9pyEx19.exe, 00000000.00000002.2122498803.0000026360569000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Software\VMware, Inc.\ViewComposer\ga\AgentIntegration
Source: C:\Users\user\Desktop\a3A9pyEx19.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: a3A9pyEx19.exe, 00000000.00000002.2122926485.00000263605C6000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121551842.00000263605BF000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121926581.00000263605C5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe
MITRE ATT&CK techniques by tactic (a count in parentheses marks a technique matched by signatures in this report):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At
Persistence: Windows Service (1); Boot or Logon Initialization Scripts; Logon Script (Windows)
Privilege Escalation: Windows Service (1); Process Injection (1); Logon Script (Windows)
Defense Evasion: Virtualization/Sandbox Evasion (1); Process Injection (1); Obfuscated Files or Information
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager
Discovery: Security Software Discovery (111); Virtualization/Sandbox Evasion (1); System Information Discovery (2)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
Command and Control: Data Obfuscation; Junk Data; Steganography
Network Effects: Exploit SS7 to Redirect Phone Calls/SMS; SIM Card Swap
Remote Service Effects: Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact
Resource Development: Acquire Infrastructure; Domains; DNS Server
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses
Behavior Graph (ID 1355441; sample a3A9pyEx19.exe; start date 07/12/2023; architecture Windows; score 16). Nodes: the start node launches a3A9pyEx19.exe, which in turn starts conhost.exe. The signature "Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)" is attached both to the start node and to the a3A9pyEx19.exe node. The graph legend (process, signature, created file, DNS/IP info, dropped, Windows process, number of created registry values and files, implementation language, malicious, Internet) is rendered only graphically on the original page.

Antivirus detection of the initial sample:
Source | Detection | Scanner | Label
a3A9pyEx19.exe | 0% | ReversingLabs |
No Antivirus matches (repeated for the remaining artifact tables on the page)
URL reputation:
Source | Detection | Scanner | Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://metadata.google.internal/computeMetadata/v1/instance/idr | 0% | Avira URL Cloud | safe
https://curl.se/docs/hsts.html | 0% | Avira URL Cloud | safe
http://169.254.169.254/latest/api/tokenj | 0% | Avira URL Cloud | safe
https://curl.se/docs/alt-svc.html | 0% | Avira URL Cloud | safe
https://curl.se/docs/http-cookies.html | 0% | Avira URL Cloud | safe
http://169.254.169.254/latest/meta-data/instance-idhttp://169.254.169.254/latest/api/tokenX-aws-ec2- | 0% | Avira URL Cloud | safe
http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text | 0% | Avira URL Cloud | safe
http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=texthttp://metad | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t | 0% | Avira URL Cloud | safe
http://www.carbonblack.com0/ | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0# | 0% | Avira URL Cloud | safe
https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs | 0% | Avira URL Cloud | safe
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do | 0% | Avira URL Cloud | safe
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/co | 0% | Avira URL Cloud | safe
Trailing characters such as "0t", "0#", "00" and "0/" are adjacent bytes swept up by string extraction (for the sectigo.com entries, the DER tag and length bytes that follow the URL inside the embedded certificate), not part of the URLs. The 169.254.169.254 and metadata.google.internal entries are the AWS (IMDSv2 token and instance-id), Azure (compute/vmId) and GCP (instance/id) instance-metadata endpoints; they are present as strings only, no request to them was observed in this run.
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://curl.se/docs/hsts.html | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | a3A9pyEx19.exe | false | URL Reputation: safe | unknown
http://metadata.google.internal/computeMetadata/v1/instance/idr | a3A9pyEx19.exe, 00000000.00000002.2122651014.0000026360593000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121592196.0000026360590000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSACodeSigningCA2.crt0# | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0 | a3A9pyEx19.exe | false | URL Reputation: safe | unknown
http://ocsp.sectigo.com0 | a3A9pyEx19.exe | false | URL Reputation: safe | unknown
https://curl.se/docs/http-cookies.html | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://169.254.169.254/latest/api/tokenj | a3A9pyEx19.exe, 00000000.00000002.2122651014.0000026360593000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121592196.0000026360590000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://169.254.169.254/latest/meta-data/instance-idhttp://169.254.169.254/latest/api/tokenX-aws-ec2- | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | a3A9pyEx19.exe | false | URL Reputation: safe | unknown
https://gitlab.bit9.local/cbprotection/appcontrol-rules/-/merge_requests/4/diffs | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
https://attack.mitre.org/techniques/T1218/010/ | a3A9pyEx19.exe | false | | high
http://crl.sectigo.com/SectigoRSACodeSigningCA2.crl0t | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
https://curl.se/docs/alt-svc.html | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
https://deploymentresearch.com/psscriptpolicytest-script-gets-blocked-by-applocker-in-the-event-log- | a3A9pyEx19.exe | false | | high
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1170/T1170.md | a3A9pyEx19.exe | false | | high
https://bugzilla.eng.vmware.com/show_bug.cgi?id=2962550: | a3A9pyEx19.exe | false | | high
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/do | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=texthttp://metad | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://json-schema.org/schema# | a3A9pyEx19.exe | false | | high
https://gitlab.bit9.local/cb-defense/analytics/-/blob/develop/src/main/java/com/cb/analytics/java/co | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://www.carbonblack.com0/ | a3A9pyEx19.exe | false | Avira URL Cloud: safe | unknown
http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text | a3A9pyEx19.exe, 00000000.00000003.2121592196.00000263605A0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121710456.00000263605A0000.00000004.00000020.00020000.00000000.sdmp, a3A9pyEx19.exe, 00000000.00000003.2121854846.00000263605A1000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://confluence.eng.vmware.com/pages/viewpage.action?spaceKey=NSBU&title=microIDS | a3A9pyEx19.exe | false | | high
Entries with an empty Antivirus Detection cell had no scanner verdict on the page; their "high" reputation comes from the URL database, not from a scan of this sample.
              No contacted IP infos
              Joe Sandbox version:38.0.0 Ammolite
              Analysis ID:1355441
              Start date and time:2023-12-07 15:08:50 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 3m 20s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
              Run name:Potential for more IOCs and behavior
              Number of analysed new started processes analysed:3
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:a3A9pyEx19.exe
              renamed because original name is a hash value
              Original Sample Name:7183_29949254_f6ec44f025c67ab18170da47c1c610a94a9c84741f3cdfceb20cee565579868a_repmgr.exe
              Detection:CLEAN
              Classification:clean16.evad.winEXE@2/1@0/0
              EGA Information:Failed
              HCA Information:
              • Successful, ratio: 100%
              • Number of executed functions: 0
              • Number of non-executed functions: 0
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Stop behavior analysis, all processes terminated
              • Exclude process from analysis (whitelisted): dllhost.exe
              • Excluded domains from analysis (whitelisted): client.wns.windows.com
• Not all processes were analyzed, report is missing behavior information
              • VT rate limit hit for: a3A9pyEx19.exe
              No simulations
              No context
              Process:C:\Users\user\Desktop\a3A9pyEx19.exe
              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
              Category:dropped
              Size (bytes):5096
              Entropy (8bit):3.600357329732839
              Encrypted:false
              SSDEEP:48:cbMAS99vbRaHpbZZERbbubYtbdHhybCHhybT1Hhybcbqmyw+bQ1/Fbqmyw+bhHhb:MS9aDWKqmygBqmyJphTB
              MD5:24B928D5EDC49A70D07D9F4F49980593
              SHA1:35139A199B299B8EE61E481221232D68C37A21AC
              SHA-256:B871ED5F52007281FEDF05EE4F20159369687ADB44430FBE5AB9A28AAE19FC51
              SHA-512:1686E205D9344CB302C71421F06784AFB1E2E5E5EBDCEF8E112BC62DA0084E608431F34AC44BD3D2893CD86E566BFAEEFEBC87ABF9E2314D10B57419AD625419
              Malicious:false
              Reputation:low
Preview (UTF-16LE with BOM, decoded; the page renders every character followed by a dot for the interleaved NUL byte):
12/07/23 16:36:11.743: 105c     ERROR     RepMgr: call to Start Service Control Dispatcher failed: 1063
12/07/23 16:36:11.744: 105c     INFO      RepMgr: returned from SvcMain
12/07/23 16:36:11.745: 105c     SUCCESS   The CbDefense Service version 4.0.0.1292 is stopping
12/07/23 16:36:11.746: 105c     INFO      WindowsEventAlarms::Finalize
12/07/23 16:36:11.746: 105c     ERROR     ServiceCrashDetector: Open registry key failed, error: 2
12/07/23 16:36:11.747: 105c     ERROR     DbFini:  fa (truncated on the page)
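The dropped log explains the short run better than any signature on the page: error 1063 is ERROR_FAILED_SERVICE_CONTROLLER_CONNECT, which StartServiceCtrlDispatcher returns when the process was not started by the Service Control Manager. Launching a service binary as a console program, which is what the sandbox did, produces exactly this line, after which SvcMain never runs and the process shuts down (hence "Sample execution stops while process was sleeping" and the advice to register it as a service). The second error, 2, is ERROR_FILE_NOT_FOUND for a registry key the installed product would normally have created. The following Python is an added example written for this page, not code from the report or from Carbon Black: it decodes a UTF-16LE log body of this shape, parses each line into its fields, and turns the numeric codes into the diagnosis above. The input is constructed from the five complete lines transcribed from the preview.

```python
"""Added example (reviewer's code, not from the report or Carbon Black): parse a
RepMgr/CbDefense-style service log dropped as UTF-16LE text and explain the
service-start failure it records."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: the five complete lines transcribed from the report's
# dropped-file preview (the sixth line is truncated on the page and omitted),
# re-encoded the way the sandbox identified the file: UTF-16 LE, BOM, CRLF.
SAMPLE_LOG_TEXT = (
    "12/07/23 16:36:11.743: 105c     ERROR     RepMgr: call to Start Service Control Dispatcher failed: 1063\r\n"
    "12/07/23 16:36:11.744: 105c     INFO      RepMgr: returned from SvcMain\r\n"
    "12/07/23 16:36:11.745: 105c     SUCCESS   The CbDefense Service version 4.0.0.1292 is stopping\r\n"
    "12/07/23 16:36:11.746: 105c     INFO      WindowsEventAlarms::Finalize\r\n"
    "12/07/23 16:36:11.746: 105c     ERROR     ServiceCrashDetector: Open registry key failed, error: 2\r\n"
)
SAMPLE_LOG_BYTES = b"\xff\xfe" + SAMPLE_LOG_TEXT.encode("utf-16-le")

# Win32 error codes that show up around service start-up (values from winerror.h).
WIN32_ERRORS = {
    2: "ERROR_FILE_NOT_FOUND",
    5: "ERROR_ACCESS_DENIED",
    1053: "ERROR_SERVICE_REQUEST_TIMEOUT",
    1056: "ERROR_SERVICE_ALREADY_RUNNING",
    1060: "ERROR_SERVICE_DOES_NOT_EXIST",
    1063: "ERROR_FAILED_SERVICE_CONTROLLER_CONNECT",
    1073: "ERROR_SERVICE_EXISTS",
}

LINE_RE = re.compile(
    r"^(?P<date>\d\d/\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d\.\d{3}): "
    r"(?P<tid>[0-9a-fA-F]+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
COMPONENT_RE = re.compile(r"^(?P<comp>\w+): (?P<text>.*)$")
TRAILING_CODE_RE = re.compile(r"(\d+)\s*$")


@dataclass
class LogRecord:
    timestamp: str
    thread_id: int        # the hex field after the time is a thread id
    level: str
    component: Optional[str]
    text: str


def decode_log(data: bytes) -> str:
    """Honour a UTF-16 BOM (either byte order); otherwise treat the body as UTF-8."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


def parse_service_log(data: bytes) -> list:
    """Turn the log body into LogRecords, skipping lines that do not match
    (a truncated last line, for instance)."""
    records = []
    for line in decode_log(data).splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg").rstrip()
        c = COMPONENT_RE.match(msg)
        records.append(LogRecord(
            timestamp=f"{m.group('date')} {m.group('time')}",
            thread_id=int(m.group("tid"), 16),
            level=m.group("level"),
            component=c.group("comp") if c else None,
            text=c.group("text") if c else msg,
        ))
    return records


def win32_error_name(code: int) -> str:
    return WIN32_ERRORS.get(code, f"unknown Win32 error {code}")


def error_codes(records: list) -> list:
    """(component, code, name) for every ERROR line that ends in a numeric code."""
    out = []
    for r in records:
        m = TRAILING_CODE_RE.search(r.text) if r.level == "ERROR" else None
        if m:
            code = int(m.group(1))
            out.append((r.component, code, win32_error_name(code)))
    return out


def diagnose_service_start(records: list) -> dict:
    """Was the binary started by the Service Control Manager? 1063 from
    StartServiceCtrlDispatcher means it was not (console or sandbox launch)."""
    for r in records:
        if r.level == "ERROR" and "Service Control Dispatcher" in r.text:
            m = TRAILING_CODE_RE.search(r.text)
            code = int(m.group(1)) if m else None
            return {
                "dispatcher_failed": True,
                "error_code": code,
                "error_name": win32_error_name(code) if code is not None else None,
                "launched_by_scm": code != 1063,
            }
    return {"dispatcher_failed": False, "error_code": None,
            "error_name": None, "launched_by_scm": True}


if __name__ == "__main__":
    recs = parse_service_log(SAMPLE_LOG_BYTES)
    for r in recs:
        print(r)
    print(error_codes(recs))
    print(diagnose_service_start(recs))
```

Run against a real dropped log, the same two functions tell you whether a service binary was exercised at all; when `launched_by_scm` is false the behavioral part of the report covers only the CRT start-up and the dispatcher failure path, and the sample has to be re-run with the service cookbook before any "evasion" score means much.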
              File type:PE32+ executable (console) x86-64, for MS Windows
              Entropy (8bit):5.62831822800641
              TrID:
              • Win64 Executable Console (202006/5) 92.65%
              • Win64 Executable (generic) (12005/4) 5.51%
              • Generic Win/DOS Executable (2004/3) 0.92%
              • DOS Executable Generic (2002/1) 0.92%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:a3A9pyEx19.exe
              File size:49'946'328 bytes
              MD5:8a87acebc21e2cc5eeb24af602b32b30
              SHA1:a5ef9b69d7757049f284b5f3837c095ed1657fde
              SHA256:f6ec44f025c67ab18170da47c1c610a94a9c84741f3cdfceb20cee565579868a
              SHA512:d590cdc4988f63c896cd29c5d29f0221869b0b1ab64d81bb3a196018dbf0c879efb12afa46dd0638e3e86e875efad7a8c8fb285b707ab26316bb22d0351b94a8
              SSDEEP:393216:2ZkMEaKj09Hu3cHWkJ6U6oQ/IiuyX2LQIheNcV/7Jvo0WwFlArVMKkmn9x6OXQfc:2ZlEZj+eU+CQmhWJ56W/
              TLSH:C9B7E585B6A5AC51F67FC138AC66CD8996F1B6358FA882DB308C431E0F2F7D44A74E50
              File Content Preview:MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$........Y|&.8.u.8.u.8.u.S.t.8.u.S.ta8.u"..u.8.uDH.t.8.uDH.t.8.uDH.t.8.u.d.u.8.u.S.t.8.u.I.t.8.ueL.t.8.u'Q.t.8.u.S.t.8.u.I.t.9.u.S.t.8.
              Icon Hash:0f33d81919d0170e
              Entrypoint:0x14104c9f0
              Entrypoint Section:.text
              Digitally signed:true
              Imagebase:0x140000000
              Subsystem:windows cui
              Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
              Time Stamp:0x652EAB50 [Tue Oct 17 15:42:08 2023 UTC]
              TLS Callbacks:0x4104cbb0, 0x1
              CLR (.Net) Version:
              OS Version Major:6
              OS Version Minor:0
              File Version Major:6
              File Version Minor:0
              Subsystem Version Major:6
              Subsystem Version Minor:0
              Import Hash:ad791c90af5402474ea251fbc23eddf8
              Signature Valid:true
              Signature Issuer:CN=Sectigo RSA Code Signing CA 2, O=Sectigo Limited, C=GB
              Signature Validation Error:The operation completed successfully
              Error Number:0
Not Before:22/02/2022 01:00:00
Not After:16/02/2025 00:59:59
              Subject Chain
              • CN="Carbon Black, Inc.", O="Carbon Black, Inc.", S=Massachusetts, C=US
              Version:3
              Thumbprint MD5:585AF4D777231A61858742E3E6227B2E
              Thumbprint SHA-1:FCE3566368D917ACF28779B98D996F416FEF1F2B
              Thumbprint SHA-256:4D70B84AA937658EBCF8CD1F361B657620982F88DF3F54FB3D5822E9931F3303
              Serial:328F83AE4A5C2EDA3DA2FFF083904A38
              Instruction
              dec eax
              sub esp, 28h
              call 00007FF9614629E8h
              dec eax
              add esp, 28h
              jmp 00007FF961462203h
              int3
              int3
              dec eax
              mov dword ptr [esp+10h], ebx
              dec eax
              mov dword ptr [esp+18h], esi
              push edi
              dec eax
              sub esp, 10h
              xor eax, eax
              xor ecx, ecx
              cpuid
              inc esp
              mov eax, ecx
              inc ebp
              xor ebx, ebx
              inc esp
              mov ecx, ebx
              inc ecx
              xor eax, 6C65746Eh
              inc ecx
              xor ecx, 756E6547h
              inc esp
              mov edx, edx
              mov esi, eax
              xor ecx, ecx
              inc ecx
              lea eax, dword ptr [ebx+01h]
              inc ebp
              or ecx, eax
              cpuid
              inc ecx
              xor edx, 49656E69h
              mov dword ptr [esp], eax
              inc ebp
              or ecx, edx
              mov dword ptr [esp+04h], ebx
              mov edi, ecx
              mov dword ptr [esp+08h], ecx
              mov dword ptr [esp+0Ch], edx
              jne 00007FF961462452h
              dec eax
              or dword ptr [01CFC3DBh], FFFFFFFFh
              and eax, 0FFF3FF0h
              cmp eax, 000106C0h
              je 00007FF96146242Ah
              cmp eax, 00020660h
              je 00007FF961462423h
              cmp eax, 00020670h
              je 00007FF96146241Ch
              add eax, FFFCF9B0h
              cmp eax, 20h
              jnbe 00007FF961462426h
              dec eax
              mov ecx, 00010001h
              add dword ptr [eax], eax
              add byte ptr [eax], al
              dec eax
              bt ecx, eax
              jnc 00007FF961462416h
              inc esp
              mov eax, dword ptr [01EE3B50h]
              inc ecx
              or eax, 01h
              inc esp
              mov dword ptr [01EE3B45h], eax
              jmp 00007FF961462409h
              inc esp
              mov eax, dword ptr [01EE3B3Ch]
              mov eax, 00000007h
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x26a5878 | 0x244 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2ff7000 | 0x4b90 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x2f33000 | 0xbeff8 | .pdata
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2f35000 | 0x6ced8 | .pdata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2ffc000 | 0x108164 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x24d2a00 | 0x70 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x24d2bb0 | 0x28 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x24d2a70 | 0x130 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x15ba000 | 0x1770 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
The SECURITY entry is the one directory whose address is a raw file offset rather than an RVA, so the ".pdata" mapping the tool prints for it is meaningless; 0x2f35000 + 0x6ced8 equals the file size of 49'946'328 bytes, i.e. the Authenticode signature blob occupies the tail of the file.
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x15b8cc6 | 0x15b8e00 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x15ba000 | 0x10f07a4 | 0x10f0800 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x26ab000 | 0x887bd8 | 0x6bd000 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x2f33000 | 0xbeff8 | 0xbf000 | False | 0.5155470283867801 | data | 6.9793128043420944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourc | 0x2ff2000 | 0x2230 | 0x2400 | False | 0.04481336805555555 | data | 2.1931574719831537 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.detourd | 0x2ff5000 | 0x18 | 0x200 | False | 0.037109375 | data | 0.11611507530476972 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
_RDATA | 0x2ff6000 | 0x100 | 0x200 | False | 0.21484375 | data | 2.6345827717595443 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2ff7000 | 0x4b90 | 0x4c00 | False | 0.1815892269736842 | data | 3.438277105195516 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2ffc000 | 0x108164 | 0x108200 | False | 0.04542009287742546 | data | 5.4862353940895074 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
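The header, certificate and section-table entries above allow several cross-checks that need no copy of the sample. The Python below is an added example written for this page, not code from the report or from Carbon Black. It turns the listed DllCharacteristics flag names back into the numeric field (0xC1E0), converts the TimeDateStamp, confirms that the entry point and the TLS directory resolve into the sections the report names, lists section names outside a reviewer-supplied allow list (.detourc and .detourd are the constant and data segment names Microsoft Detours declares for its own use, which fits the remote-process imports listed further down; _RDATA appears routinely in MSVC-built images), checks that no section is both writable and executable, and verifies that the SECURITY directory offset plus its size lands exactly at end of file. The +01:00 zone assumed for the certificate dates (taken from the analysis start time) and the allow list are assumptions, marked as such in the code; all other numbers are copied from the report.

```python
"""Added example (reviewer's code, not from the report or Carbon Black): decode
the static PE facts the report lists and run the cross-checks a triage analyst
makes on them. Numbers are copied from the report; the section allow list and
the sandbox time zone are assumptions noted inline."""
from datetime import datetime, timedelta, timezone

# IMAGE_DLLCHARACTERISTICS_* bit values from winnt.h.
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}

# Section names an MSVC-linked user-mode image normally carries. This allow list
# is the reviewer's assumption; the sandbox does not publish the list behind its
# "non-standard section names" signature.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".tls", ".bss", ".CRT", ".gfids", ".00cfg"}

IMAGE_BASE = 0x140000000
FILE_SIZE = 49946328
# (name, virtual address, virtual size, characteristics) from the section table.
SECTIONS = [
    (".text",    0x1000,    0x15b8cc6, {"CNT_CODE", "MEM_EXECUTE", "MEM_READ"}),
    (".rdata",   0x15ba000, 0x10f07a4, {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".data",    0x26ab000, 0x887bd8,  {"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    (".pdata",   0x2f33000, 0xbeff8,   {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".detourc", 0x2ff2000, 0x2230,    {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".detourd", 0x2ff5000, 0x18,      {"CNT_INITIALIZED_DATA", "MEM_READ", "MEM_WRITE"}),
    ("_RDATA",   0x2ff6000, 0x100,     {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".rsrc",    0x2ff7000, 0x4b90,    {"CNT_INITIALIZED_DATA", "MEM_READ"}),
    (".reloc",   0x2ffc000, 0x108164,  {"CNT_INITIALIZED_DATA", "MEM_DISCARDABLE", "MEM_READ"}),
]
# Certificate validity as printed, interpreted in the sandbox's local zone
# (+01:00 per the analysis start time; an assumption).
SANDBOX_TZ = timezone(timedelta(hours=1))
NOT_BEFORE = datetime(2022, 2, 22, 1, 0, 0, tzinfo=SANDBOX_TZ)
NOT_AFTER = datetime(2025, 2, 16, 0, 59, 59, tzinfo=SANDBOX_TZ)


def decode_dll_characteristics(value: int) -> list:
    """Bit field -> flag names, lowest bit first."""
    return [name for bit, name in sorted(DLL_CHARACTERISTICS.items()) if value & bit]


def encode_dll_characteristics(names) -> int:
    """Flag names -> bit field (what the report's flag list means numerically)."""
    by_name = {n: b for b, n in DLL_CHARACTERISTICS.items()}
    return sum(by_name[n] for n in names)


def link_time_utc(timedatestamp: int) -> datetime:
    """IMAGE_FILE_HEADER.TimeDateStamp is seconds since the Unix epoch (UTC)."""
    return datetime.fromtimestamp(timedatestamp, tz=timezone.utc)


def section_for_rva(rva: int, sections=SECTIONS):
    """Name of the section whose virtual range contains the RVA, or None."""
    for name, va, vsize, _ in sections:
        if va <= rva < va + vsize:
            return name
    return None


def nonstandard_sections(sections=SECTIONS) -> list:
    return [name for name, _, _, _ in sections if name not in STANDARD_SECTIONS]


def writable_executable_sections(sections=SECTIONS) -> list:
    """W+X sections are what a packer or self-modifying stub needs; an image
    linked with FORCE_INTEGRITY and GUARD_CF should have none."""
    return [name for name, _, _, flags in sections
            if "MEM_WRITE" in flags and "MEM_EXECUTE" in flags]


def authenticode_blob_at_eof(offset: int, size: int, file_size: int = FILE_SIZE) -> bool:
    """The SECURITY directory entry is a raw file offset, not an RVA. For an
    unmodified signed image the WIN_CERTIFICATE blob ends exactly at EOF."""
    return offset + size == file_size


def triage(entrypoint_va=0x14104c9f0, timedatestamp=0x652EAB50,
           flags=("HIGH_ENTROPY_VA", "DYNAMIC_BASE", "FORCE_INTEGRITY",
                  "NX_COMPAT", "GUARD_CF", "TERMINAL_SERVER_AWARE")) -> dict:
    t = link_time_utc(timedatestamp)
    return {
        "link_time_utc": t.strftime("%Y-%m-%d %H:%M:%S"),
        "link_time_in_cert_window": NOT_BEFORE <= t <= NOT_AFTER,
        "dll_characteristics": encode_dll_characteristics(flags),
        "entry_section": section_for_rva(entrypoint_va - IMAGE_BASE),
        "nonstandard_sections": nonstandard_sections(),
        "wx_sections": writable_executable_sections(),
        "signature_at_eof": authenticode_blob_at_eof(0x2f35000, 0x6ced8),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, hex(value) if type(value) is int else value)
```

A link time inside the certificate window is a plausibility check only: the counter-signature from the Sectigo time-stamping CA (whose CRL and OCSP URLs are among the strings above) is what keeps the signature valid after the code-signing certificate expires, and a link time outside the window would not by itself invalidate anything.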
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
WEVT_TEMPLATE | 0x2ff7320 | 0x54a | data | English | United States | 0.4098966026587888
RT_ICON | 0x2ff7870 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.2624113475177305
RT_ICON | 0x2ff7cd8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.1400093808630394
RT_ICON | 0x2ff8d80 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.0946058091286307
RT_MESSAGETABLE | 0x2ff7240 | 0xe0 | data | English | United States | 0.6785714285714286
RT_GROUP_ICON | 0x2ffb328 | 0x30 | data | English | United States | 0.8125
RT_VERSION | 0x2ffb358 | 0x514 | data | English | United States | 0.41923076923076924
RT_MANIFEST | 0x2ffb870 | 0x31e | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (738), with CRLF line terminators | English | United States | 0.4949874686716792
DLL | Import
PSAPI.DLL: GetDeviceDriverBaseNameW, EnumDeviceDrivers, GetPerformanceInfo, GetDeviceDriverFileNameW, GetProcessMemoryInfo
FLTLIB.DLL: FilterFindClose, FilterSendMessage, FilterLoad, FilterFindFirst, FilterUnload, FilterFindNext, FilterGetMessage, FilterConnectCommunicationPort
RPCRT4.dll: UuidCreate
Secur32.dll: LsaGetLogonSessionData, LsaFreeReturnBuffer, LsaEnumerateLogonSessions, GetComputerObjectNameW
USERENV.dll: GetProfilesDirectoryW, ExpandEnvironmentStringsForUserA, ExpandEnvironmentStringsForUserW
WS2_32.dll: bind, closesocket, getsockopt, WSAWaitForMultipleEvents, ioctlsocket, getsockname, inet_addr, inet_ntoa, listen, recv, setsockopt, WSAEnumNetworkEvents, WSASetEvent, gethostbyname, WSAStartup, WSACleanup, WSAAddressToStringA, WSAStringToAddressA, WSAStringToAddressW, select, WSAEventSelect, gethostname, GetAddrInfoExA, FreeAddrInfoEx, ntohs, ntohl, WSASetLastError, accept, WSAGetLastError, send, WSCSetApplicationCategory, GetNameInfoW, WSAAddressToStringW, InetNtopW, WSAIoctl, __WSAFDIsSet, connect, getaddrinfo, freeaddrinfo, recvfrom, sendto, getpeername, inet_ntop, socket, htonl, WSAResetEvent, shutdown, WSACreateEvent, WSACloseEvent, inet_pton, htons
ADVAPI32.dll: CryptDestroyHash, GetSidSubAuthority, GetSidIdentifierAuthority, CryptGenRandom, CreateServiceW, ChangeServiceConfigW, RegFlushKey, RegQueryInfoKeyW, RegOpenCurrentUser, QueryServiceConfigW, EnumServicesStatusExW, RegGetValueA, DuplicateToken, OpenThreadToken, CryptEncrypt, CryptImportKey, CryptSetKeyParam, RegCloseKey, RegCreateKeyExA, RegOpenKeyExA, RegQueryValueExA, RegSetValueExA, CryptDestroyKey, CreateProcessAsUserW, ImpersonateLoggedOnUser, RevertToSelf, DeregisterEventSource, RegisterEventSourceA, ReportEventA, EventRegister, EventUnregister, EventWrite, ControlService, DeleteService, QueryServiceConfig2W, RegOpenKeyExW, RegSaveKeyExW, QueryServiceStatus, QueryServiceStatusEx, StartServiceW, LsaNtStatusToWinError, RegCreateKeyExW, RegSetValueExW, RegDeleteTreeW, GetLengthSid, IsValidSid, EnableTraceEx2, OpenTraceW, ProcessTrace, CloseTrace, StartTraceW, QueryTraceW, ControlTraceW, EventAccessControl, LookupAccountSidW, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyExW, RegEnumValueW, RegQueryValueExW, ConvertStringSidToSidW, StartServiceCtrlDispatcherA, RegSetKeyValueW, RegisterServiceCtrlHandlerExA, SetServiceStatus, LookupPrivilegeNameA, ChangeServiceConfig2W, CloseServiceHandle, OpenSCManagerW, OpenServiceW, RegGetValueW, SetSecurityInfo, GetSecurityInfo, CheckTokenMembership, SetEntriesInAclW, SetSecurityDescriptorDacl, SetSecurityDescriptorControl, InitializeSecurityDescriptor, GetSecurityDescriptorDacl, GetAce, FreeSid, EqualSid, AllocateAndInitializeSid, RegQueryInfoKeyA, RegDeleteKeyExW, CryptAcquireContextA, RegEnumKeyW, LookupAccountNameW, GetTokenInformation, IsTextUnicode, DuplicateTokenEx, CopySid, OpenProcessToken, ConvertSidToStringSidA, ConvertSidToStringSidW, ReportEventW, RegisterEventSourceW, LookupPrivilegeValueA, CryptHashData, CryptCreateHash, CryptGetHashParam, CryptReleaseContext, CryptAcquireContextW, LookupPrivilegeValueW, AdjustTokenPrivileges
CRYPT32.dll: CertDuplicateCertificateContext, CertGetCertificateContextProperty, CertGetPublicKeyLength, CryptDecodeObject, CryptMsgOpenToDecode, CryptMsgClose, CryptMsgUpdate, CertGetSubjectCertificateFromStore, CertFindCertificateInStore, CertFindAttribute, CryptVerifyMessageSignature, CryptVerifyDetachedMessageSignature, CryptQueryObject, CertFreeCertificateChainEngine, CertDuplicateCertificateChain, CertVerifyCertificateChainPolicy, CertFreeCertificateChain, CertCreateCertificateChainEngine, CryptMsgGetParam, CertGetIssuerCertificateFromStore, CertCompareCertificate, CertGetNameStringW, CertGetCertificateChain, CryptStringToBinaryA, CryptBinaryToStringW, CryptDecodeObjectEx, CertDuplicateCRLContext, CertFreeCRLContext, CertFindCertificateInCRL, CertFindExtension, CertGetEnhancedKeyUsage, CertAddCertificateContextToStore, CertFreeCertificateContext, CertCreateCertificateContext, CertCloseStore, CertOpenStore, CertNameToStrA, CryptProtectMemory, CertGetNameStringA, PFXImportCertStore, CertEnumCertificatesInStore, CryptUnprotectData, CryptProtectData, CryptStringToBinaryW, CryptBinaryToStringA, CryptFindOIDInfo
bcrypt.dll: BCryptHashData, BCryptCreateHash, BCryptCloseAlgorithmProvider, BCryptGetProperty, BCryptFinishHash, BCryptDestroyHash, BCryptGenRandom, BCryptOpenAlgorithmProvider
wevtapi.dll: EvtUpdateBookmark, EvtCreateBookmark
IPHLPAPI.DLL: CancelIPChangeNotify, Icmp6SendEcho2, IcmpSendEcho, IcmpCloseHandle, Icmp6CreateFile, IcmpCreateFile, NotifyUnicastIpAddressChange, GetNetworkParams, GetIpAddrTable, GetExtendedTcpTable, GetAdaptersAddresses, CancelMibChangeNotify2, NotifyIpInterfaceChange, NotifyAddrChange
ntdll.dll: RtlNtStatusToDosError, RtlCompareMemory, RtlUnwind, RtlUnwindEx, RtlPcToFileHeader, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlDowncaseUnicodeString, RtlUpcaseUnicodeString, RtlPrefixUnicodeString, RtlFreeUnicodeString, VerSetConditionMask, RtlCaptureContext, RtlUpcaseUnicodeChar, RtlAppendUnicodeStringToString, RtlCopyUnicodeString, RtlEqualUnicodeString, RtlCompareUnicodeString, RtlAnsiStringToUnicodeString, RtlInitUnicodeString, RtlCaptureStackBackTrace, RtlInitAnsiString
tdh.dll: TdhGetEventMapInformation, TdhGetEventInformation, TdhGetProperty, TdhGetPropertySize
NETAPI32.dll: DsRoleFreeMemory, DsRoleGetPrimaryDomainInformation, NetGetJoinInformation, NetApiBufferFree
msi.dll: (no named imports listed)
KERNEL32.dll: InitOnceBeginInitialize, SwitchToThread, GetNumaHighestNodeNumber, GetProcessAffinityMask, InitOnceComplete, WaitForMultipleObjectsEx, UnregisterWaitEx, QueryDepthSList, InterlockedFlushSList, InterlockedPushEntrySList, InterlockedPopEntrySList, ReleaseSemaphore, SetProcessAffinityMask, FreeLibraryAndExitThread, GetStringTypeW, GetThreadTimes, GetExitCodeThread, DeleteTimerQueueTimer, ChangeTimerQueueTimer, EncodePointer, GetCPInfo, GetLocaleInfoW, GetModuleHandleExW, SystemTimeToTzSpecificLocalTime, CreateTimerQueueTimer, SetStdHandle, GetLogicalProcessorInformation, SetEnvironmentVariableW, GetFileInformationByHandleEx, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, CreateMutexA, ReleaseMutex, SetThreadErrorMode, GetThreadErrorMode, SleepEx, GetFileType, GetStdHandle, GetSystemDirectoryA, CompareStringW, SetCurrentDirectoryW, GetTempFileNameW, GlobalAlloc, LCMapStringW, lstrcmpW, GetModuleFileNameA, lstrlenA, DebugBreak, GlobalFindAtomW, GlobalAddAtomW, GlobalDeleteAtom, CreateSymbolicLinkW, VerifyVersionInfoW, MoveFileA, SetFileInformationByHandle, GetFileInformationByHandle, GetFileAttributesExA, InitializeCriticalSectionAndSpinCount, VerLanguageNameW, IsBadWritePtr, Is
BadReadPtr, lstrcpynW, GetSystemDefaultLocaleName, GetUserDefaultLocaleName, GetConsoleMode, ReadConsoleW, GetConsoleOutputCP, GetCommandLineA, GetCommandLineW, IsValidLocale, EnumSystemLocalesW, SetConsoleCtrlHandler, FindFirstFileExW, IsValidCodePage, GetUserDefaultLCID, GetACP, GetSystemDefaultLCID, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, SetThreadAffinityMask, SignalObjectAndWait, CreateTimerQueue, GetUserGeoID, GetComputerNameW, GetSystemWindowsDirectoryW, IsProcessorFeaturePresent, OpenThread, TryEnterCriticalSection, AreFileApisANSI, HeapCreate, GetDiskFreeSpaceW, LockFile, GetFullPathNameA, GetStartupInfoW, IsDebuggerPresent, SetEndOfFile, UnlockFileEx, GetTempPathW, InitializeSListHead, CreateMutexW, UnhandledExceptionFilter, GetOEMCP, WriteConsoleW, LocalFree, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObject, GetCurrentThreadId, GetLastError, InitializeCriticalSection, DeleteCriticalSection, CreateHardLinkW, CloseHandle, SetEvent, CreateEventA, GetEnvironmentVariableA, DeleteFileW, GetProcessTimes, GetCurrentProcess, GetCurrentProcessId, OpenProcess, MoveFileExW, ReleaseSRWLockExclusive, ReleaseSRWLockShared, AcquireSRWLockExclusive, AcquireSRWLockShared, InitializeSRWLock, ResetEvent, DeleteFileA, CopyFileA, GetTickCount64, UnmapViewOfFile, CreateThread, GetEnvironmentVariableW, Sleep, GetCurrentThread, SetThreadPriority, ProcessIdToSessionId, DuplicateHandle, QueueUserWorkItem, WaitForMultipleObjects, ExitThread, SuspendThread, ResumeThread, GetThreadContext, CreateEventW, OpenEventW, GetSystemTimeAsFileTime, GetFileAttributesW, GetEnvironmentStringsW, FreeEnvironmentStringsW, FindClose, FindFirstFileW, FindNextFileW, GetDiskFreeSpaceExW, GetVolumePathNameW, ReadFile, SetHandleInformation, CreatePipe, PeekNamedPipe, TerminateProcess, GetExitCodeProcess, GetThreadPriority, CreateProcessW, InitializeProcThreadAttributeList, DeleteProcThreadAttributeList, UpdateProcThreadAttribute, GetProcessHandleCount, FreeLibrary, GetModuleHandleExA, GetProcAddress, CreateFileA, GetFileAttributesA, GetFileSize, SetFilePointer, WriteFile, MultiByteToWideChar, CreateDirectoryW, CreateFileW, SetFileAttributesW, GetPrivateProfileStringW, GetVolumePathNamesForVolumeNameW, CopyFileW, MoveFileW, QueryPerformanceCounter, SystemTimeToFileTime, QueryPerformanceFrequency, LoadLibraryW, SetLastError, GetModuleHandleW, GetSystemTimes, GetTickCount, IsWow64Process, VerifyVersionInfoA, GetCurrentDirectoryW, GetLongPathNameA, HeapQueryInformation, GetLogicalDriveStringsA, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, GlobalMemoryStatusEx, GetNativeSystemInfo, FindVolumeClose, CreateRemoteThread, GetProcessId, QueryDosDeviceA, FindFirstVolumeA, FindNextVolumeA, GetVolumePathNamesForVolumeNameA, WideCharToMultiByte, ReadProcessMemory, GetSystemDirectoryW, GetWindowsDirectoryW, LoadLibraryA, GetPhysicallyInstalledSystemMemory, GetModuleHandleA, GetPrivateProfileStringA, SetWaitableTimer, CancelWaitableTimer, CreateWaitableTimerA, GetFileSizeEx, FormatMessageA, DecodePointer, RaiseException, InitializeCriticalSectionEx, GetPrivateProfileIntW, WritePrivateProfileStringW, GetSystemInfo, RegisterWaitForSingleObject, UnregisterWait, OutputDebugStringA, ExitProcess, CreateProcessA, VirtualAllocEx, VirtualProtectEx, VirtualQueryEx, WriteProcessMemory, VirtualProtect, VirtualQuery, LoadLibraryExA, LoadLibraryExW, SetThreadContext, FlushInstructionCache, VirtualAlloc, VirtualFree, GetVersionExW, FileTimeToLocalFileTime, GetFullPathNameW, RemoveDirectoryW, GetLocalTime, FormatMessageW, FileTimeToSystemTime, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, CompareFileTime, SetFilePointerEx, CreateFileMappingW, MapViewOfFile, FindFirstVolumeW, FindNextVolumeW, GetDriveTypeW, GetVolumeInformationW, QueryDosDeviceW, GetVolumeNameForVolumeMountPointW, GetCompressedFileSizeW, HeapDestroy, HeapAlloc, HeapReAlloc, HeapFree, HeapSize, GetProcessHeap, CreateIoCompletionPort, GetQueuedCompletionStatus, OutputDebugStringW, lstrlenW, ExpandEnvironmentStringsW, CreateDirectoryA, GetFileAttributesExW, DeviceIoControl, GetSystemTime, GetComputerNameExW, VirtualFreeEx, GetModuleFileNameW, MoveFileExA, WTSGetActiveConsoleSessionId, GetDateFormatA, GetTimeFormatA, K32EnumProcesses, K32EnumProcessModulesEx, K32GetModuleBaseNameA, K32GetModuleFileNameExW, K32GetProcessImageFileNameW, CreateFileMappingA, GlobalFree, FindFirstFileA, FindNextFileA, LocalAlloc, SetDllDirectoryW, SetUnhandledExceptionFilter, GetProcessIoCounters, K32GetProcessMemoryInfo, GetFileTime, SetFileTime, FlushFileBuffers, LockFileEx, UnlockFile, HeapCompact, WaitForSingleObjectEx, FlushViewOfFile, GetDiskFreeSpaceA, GetTempPathA, HeapValidate
USER32.dll: CharLowerBuffW, MessageBoxA, CharUpperBuffW, GetSystemMetrics, UnregisterClassW, UnregisterClassA
SHELL32.dll: SHGetFolderPathA, SHGetFolderPathW, SHGetKnownFolderPath
ole32.dll: StringFromGUID2, CoSetProxyBlanket, CoInitializeSecurity, IIDFromString, CoTaskMemFree, CoCreateInstance, CoInitializeEx, CoUninitialize
OLEAUT32.dll: VariantChangeType, CreateErrorInfo, SetErrorInfo, SysAllocStringLen, GetErrorInfo, SysStringLen, VariantClear, SysAllocString, VariantTimeToSystemTime, SysFreeString, SafeArrayCreate, VariantInit
SHLWAPI.dll: PathCanonicalizeW, PathIsNetworkPathW, PathIsURLW, PathFileExistsA, UrlUnescapeW, PathFileExistsW, PathIsRelativeW, PathIsNetworkPathA, UrlEscapeW
VERSION.dll: GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
WINTRUST.dll: CryptCATAdminEnumCatalogFromHash, CryptCATAdminReleaseCatalogContext, CryptCATAdminReleaseContext, WTHelperProvDataFromStateData, WinVerifyTrust, CryptCATAdminAcquireContext, CryptCATAdminCalcHashFromFileHandle, WTHelperGetProvSignerFromChain, CryptCATCatalogInfoFromContext
WINHTTP.dll: WinHttpGetDefaultProxyConfiguration, WinHttpOpen, WinHttpGetIEProxyConfigForCurrentUser, WinHttpGetProxyForUrl, WinHttpCloseHandle
WTSAPI32.dll: WTSEnumerateSessionsW, WTSEnumerateProcessesExW, WTSFreeMemoryExW, WTSQuerySessionInformationW, WTSQueryUserToken, WTSFreeMemory
WLDAP32.dll: (no named imports listed)
Normaliz.dll: IdnToUnicode, IdnToAscii
SETUPAPI.dll: SetupInstallFromInfSectionW, SetupDiDestroyDeviceInfoList, SetupOpenInfFileW, SetupDiEnumDeviceInterfaces, SetupDiGetDeviceInterfaceDetailW, SetupDiGetClassDevsW, SetupInstallServicesFromInfSectionW, CM_Get_Child, CM_Get_Device_IDW, CM_Get_DevNode_Registry_PropertyW, CM_Get_Parent, CM_Get_Sibling, CM_Locate_DevNodeW, SetupDiGetDeviceInstanceIdW, SetupCloseInfFile, SetupDiGetDeviceRegistryPropertyW, SetupDiEnumDeviceInfo
Language of compilation system: English
Country where language is spoken: United States
              No network behavior found
[Charts not reproduced in text: resource usage over time (0-10 s, in % and MB) and process behavior distribution by category (File, Registry)]

              Target ID:2
              Start time:15:09:40
              Start date:07/12/2023
              Path:C:\Windows\System32\conhost.exe
              Wow64 process (32bit):false
              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Imagebase:0x7ff66e660000
              File size:862'208 bytes
              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              No disassembly