Windows Analysis Report
PagefileConfig.exe

Overview

General Information

Sample name: PagefileConfig.exe
Analysis ID: 1566859
MD5: df53b06d20092c35a0e594801c5ddf56
SHA1: 93e19fe9e46baecbe6f104735b33b1ff004e8216
SHA256: 390100a6f28c962f3f3db8026b216dbc8409d3467a4c130692ca2f4f4ec970a0
Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected potential crypto function
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Program does not show much activity (idle)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: PagefileConfig.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: PagefileConfig.exe Static PE information: certificate valid
Source: PagefileConfig.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: PagefileConfig.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: PagefileConfig.exe String found in binary or memory: http://www.autoitscript.com/atools/
Source: PagefileConfig.exe, ConDrv.0.dr String found in binary or memory: http://www.autoitscript.com/tools
Source: PagefileConfig.exe String found in binary or memory: http://www.autoitscript.com/tools:
Source: PagefileConfig.exe String found in binary or memory: http://www.autoitscript.com/toolsB
Source: PagefileConfig.exe String found in binary or memory: http://www.autoitscript.com/toolsThis
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_0079F260 0_2_0079F260
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00799362 0_2_00799362
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00799736 0_2_00799736
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007A27CF 0_2_007A27CF
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00799B42 0_2_00799B42
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00798E8D 0_2_00798E8D
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00799F62 0_2_00799F62
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: String function: 0079FEA0 appears 49 times
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: String function: 0079AF0E appears 37 times
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: String function: 00788591 appears 32 times
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: String function: 0079AEDB appears 182 times
Source: classification engine Classification label: clean5.winEXE@2/1@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2760:120:WilError_03
Source: PagefileConfig.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\PagefileConfig.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\PagefileConfig.exe "C:\Users\user\Desktop\PagefileConfig.exe"
Source: C:\Users\user\Desktop\PagefileConfig.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PagefileConfig.exe Section loaded: apphelp.dll
Source: PagefileConfig.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: PagefileConfig.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: PagefileConfig.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: PagefileConfig.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: PagefileConfig.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007A6DF4 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 0_2_007A6DF4
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_0079FEE5 push ecx; ret 0_2_0079FEF8
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_0079AFB3 push ecx; ret 0_2_0079AFC6
Source: C:\Users\user\Desktop\PagefileConfig.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\Desktop\PagefileConfig.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\PagefileConfig.exe API coverage: 9.7 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\PagefileConfig.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007985B2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_007985B2
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007A1742 SetUnhandledExceptionFilter, 0_2_007A1742
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_0079DC7A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0079DC7A
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_00798D15 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00798D15
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_0078BE8D _abort,__NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0078BE8D
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoA, 0_2_0079F038
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 0_2_007A603D
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 0_2_007A6154
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __crtGetLocaleInfoA_stat, 0_2_007A711B
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 0_2_007A61EC
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 0_2_007A6260
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 0_2_007A52DF
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 0_2_007A1349
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 0_2_0079C3EE
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 0_2_007A6432
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_007A64F3
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 0_2_007A655A
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 0_2_007A6596
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 0_2_007A594D
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoA, 0_2_007A4AAF
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 0_2_007A5BA5
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA, 0_2_007A6FDC
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoW, 0_2_007A6FA8
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: GetLocaleInfoA,___ascii_strnicmp,__tolower_l,__tolower_l, 0_2_007A7F85
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007A1EBA GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 0_2_007A1EBA
Source: C:\Users\user\Desktop\PagefileConfig.exe Code function: 0_2_007889E5 GetVersionExW, 0_2_007889E5
No contacted IP infos