Edit tour

Windows Analysis Report
https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe

Overview

General Information

Sample URL:	https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe
Analysis ID:	1567583
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Yara detected AntiVM3

Accesses Audio hardware information via COM

Found direct / indirect Syscall (likely to bypass EDR)

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (mutex check)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a window with clipboard capturing capabilities

Drops PE files

Enables security privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Stores files to the Windows start menu directory

Classification

Process Tree

System is w10x64_ra

chrome.exe (PID: 3032 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 3672 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

chrome.exe (PID: 6812 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

vmaware64.exe (PID: 6760 cmdline: "C:\Users\user\Downloads\vmaware64.exe" MD5: BF527BF695FAD91AD3C5CBFCA5806EC1)

conhost.exe (PID: 6764 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chrome.exe (PID: 6464 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)

rundll32.exe (PID: 996 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cmd.exe (PID: 6156 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2276 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

vmaware64.exe (PID: 6212 cmdline: vmaware64.exe MD5: BF527BF695FAD91AD3C5CBFCA5806EC1)

vmaware64.exe (PID: 1156 cmdline: vmaware64.exe --spoofable MD5: BF527BF695FAD91AD3C5CBFCA5806EC1)

vmaware64.exe (PID: 3412 cmdline: vmaware64.exe MD5: BF527BF695FAD91AD3C5CBFCA5806EC1)

CompMgmtLauncher.exe (PID: 3896 cmdline: "C:\Windows\system32\CompMgmtLauncher.exe" MD5: FF9690925244473ECC4C2E5B535B8599)

mmc.exe (PID: 5524 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

mmc.exe (PID: 4904 cmdline: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s MD5: 58C9E5172C3708A6971CA0CBC80FE8B8)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Downloads\Unconfirmed 252076.crdownload	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
C:\Users\user\Downloads\Unconfirmed 252076.crdownload	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000000.1234560200.00007FF6ACD4B000.00000002.00000001.01000000.00000006.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\Downloads\Unconfirmed 252076.crdownload

ReversingLabs: Detection: 37%

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.187:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.181.0:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.40.140:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.123.129.254:443 -> 192.168.2.17:49728 version: TLS 1.2

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.200
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 20.12.23.50
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.13
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162
Source: unknown	TCP traffic detected without corresponding DNS query: 2.16.229.162

Source: global traffic	DNS traffic detected: DNS query: github.com
Source: global traffic	DNS traffic detected: DNS query: objects.githubusercontent.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49680 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49677 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49696
Source: unknown	Network traffic detected: HTTP traffic on port 49696 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49723

Source: unknown	HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.17:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49715 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.229.162:443 -> 192.168.2.17:49716 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.16.158.187:443 -> 192.168.2.17:49717 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 204.79.197.222:443 -> 192.168.2.17:49718 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.109.210.53:443 -> 192.168.2.17:49721 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 20.190.181.0:443 -> 192.168.2.17:49724 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 2.18.40.140:443 -> 192.168.2.17:49725 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.107.5.88:443 -> 192.168.2.17:49726 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 52.123.129.254:443 -> 192.168.2.17:49728 version: TLS 1.2

Source: C:\Windows\System32\mmc.exe

Window created: window name: CLIPBRDWNDCLASS

Source: C:\Windows\System32\mmc.exe

Process token adjusted: Security

Source: classification engine

Classification label: mal76.evad.win@35/10@6/112

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps

Source: C:\Windows\System32\mmc.exe	Mutant created: NULL
Source: C:\Users\user\Downloads\vmaware64.exe	Mutant created: \Sessions\1\BaseNamedObjects\MicrosoftVirtualPC7UserServiceMakeSureWe'reTheOnlyOneMutex
Source: C:\Users\user\Downloads\vmaware64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Frz_State
Source: C:\Users\user\Downloads\vmaware64.exe	Mutant created: \Sessions\1\BaseNamedObjects\Sandboxie_SingleInstanceMutex_Control
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6764:120:WilError_03
Source: C:\Users\user\Downloads\vmaware64.exe	Mutant created: \Sessions\1\BaseNamedObjects\SBIE_BOXED_ServiceInitComplete_Mutex1

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Downloads\vmaware64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\vmaware64.exe "C:\Users\user\Downloads\vmaware64.exe"
Source: C:\Users\user\Downloads\vmaware64.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5620 --field-trial-handle=1972,i,17956802498294058100,1203489688160339268,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Users\user\Downloads\vmaware64.exe "C:\Users\user\Downloads\vmaware64.exe"
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe --spoofable
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe --spoofable
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: unknown	Process created: C:\Windows\System32\CompMgmtLauncher.exe "C:\Windows\system32\CompMgmtLauncher.exe"
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s

Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: drprov.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winsta.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davclnt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: quartz.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ksuser.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: avrt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: audioses.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: midimap.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: winbrand.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: drprov.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winsta.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davclnt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: quartz.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ksuser.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: avrt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: audioses.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: midimap.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: networkexplorer.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: propsys.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: nlsdata0000.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: netprojw.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ghofr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: fg122.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: drprov.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winsta.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davclnt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: quartz.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ksuser.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: avrt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: audioses.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: midimap.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msvcp140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wevtapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: drprov.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winsta.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davclnt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: davhlpr.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: amsi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: userenv.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: profapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: quartz.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmm.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: wldp.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: mmdevapi.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: devobj.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: ksuser.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: avrt.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: audioses.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: powrprof.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: umpdc.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Section loaded: midimap.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: slc.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: twext.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: cscui.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: cscobj.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: workfoldersshell.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: ntshrui.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: version.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: starttiledata.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: usermgrcli.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: usermgrproxy.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\CompMgmtLauncher.exe	Section loaded: sfc_os.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: apphelp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: acgenral.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: duser.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mfc42u.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ninput.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dui70.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmcndmgr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msxml6.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: els.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntdsapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: version.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: activeds.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: adsldpc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: riched32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: riched20.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: usp10.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mycomput.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: filemgmt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mmfutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: localsec.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wdc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: pdh.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: pdhui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: odbc32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: credui.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: pla.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: utildll.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: samcli.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: tdh.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dmdskmgr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dmutil.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dmdskres.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dmdskres2.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: devmgr.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: newdev.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: devrtl.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: riched32.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: riched20.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: usp10.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: msls31.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: textshaping.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: oleacc.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dataexchange.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: d3d11.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dcomp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: dxgi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: atlthunk.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: windowscodecs.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: adsnt.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: cscapi.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: edputil.dll

Source: C:\Users\user\Downloads\vmaware64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Source: C:\Windows\System32\mmc.exe

Window found: window name: msctls_updown32

Source: C:\Windows\System32\mmc.exe

File opened: C:\Windows\system32\riched32.dll

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\mmc.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\Unconfirmed 252076.crdownload			Jump to dropped file
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\Downloads\4996f445-8434-47ad-ba32-94627b390109.tmp			Jump to dropped file

Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Source: C:\Users\user\Downloads\vmaware64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\vmaware64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\vmaware64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Downloads\vmaware64.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 00000009.00000000.1234560200.00007FF6ACD4B000.00000002.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\Downloads\Unconfirmed 252076.crdownload, type: DROPPED

Accesses Audio hardware information via COM

Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocServer32
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler32
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\InprocHandler
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\LocalServer32
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\LocalServer
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\Elevation
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}
Source: C:\Users\user\Downloads\vmaware64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E30629D1-27E5-11CE-875D-00608CB78066}\TreatAs

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Downloads\vmaware64.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Downloads\vmaware64.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Downloads\vmaware64.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Downloads\vmaware64.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (mutex check)

Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Sandboxie_SingleInstanceMutex_Control
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Frz_State
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Sandboxie_SingleInstanceMutex_Control
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Frz_State
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Sandboxie_SingleInstanceMutex_Control
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Frz_State
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Sandboxie_SingleInstanceMutex_Control
Source: C:\Users\user\Downloads\vmaware64.exe	Mutex created: \Sessions\1\BaseNamedObjects\Frz_State

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Downloads\vmaware64.exe	File opened: HKEY_LOCAL_MACHINE\HKLM\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Downloads\vmaware64.exe	File opened: HKEY_LOCAL_MACHINE\HKCU\SOFTWARE\Wine
Source: C:\Users\user\Downloads\vmaware64.exe	File opened: HKEY_LOCAL_MACHINE\HKLM\SOFTWARE\Wine

Source: C:\Windows\System32\mmc.exe	Memory allocated: 3CF0000 memory reserve \| memory write watch
Source: C:\Windows\System32\mmc.exe	Memory allocated: 3D70000 memory reserve \| memory write watch

Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\prl_pv32.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\Vmmouse.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\vboxservice.exe
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\prlvideo.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\VBoxVideo.sys
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\disk\Enum name: 0
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\VBoxGuest.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\vboxtray.exe
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\vpc-s3.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\VMToolsHook.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0 name: Identifier
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\mssmbios\Data name: SMBiosData
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\VBoxMouse.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\prlfs.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\VBoxSF.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\prlmouse.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\vboxhook.dll
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\vmsrvc.sys
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: c:\windows\system32\drivers\prleth.sys
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: VBoxMiniRdrDN
Source: C:\Users\user\Downloads\vmaware64.exe	File opened / queried: C:\windows\System32\Drivers\vmhgfs.dll
Source: C:\Users\user\Downloads\vmaware64.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Windows\System32\mmc.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 9478
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 368

Source: C:\Windows\System32\mmc.exe TID: 3408	Thread sleep time: -12912720851596678s >= -30000s
Source: C:\Windows\System32\mmc.exe TID: 1300	Thread sleep count: 9478 > 30
Source: C:\Windows\System32\mmc.exe TID: 1300	Thread sleep count: 368 > 30

Source: C:\Users\user\Downloads\vmaware64.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Downloads\vmaware64.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard
Source: C:\Users\user\Downloads\vmaware64.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BaseBoard

Source: C:\Windows\System32\mmc.exe

Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\conhost.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Source: C:\Users\user\Downloads\vmaware64.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\mmc.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Downloads\vmaware64.exe

NtCreateFile: Indirect: 0x7FF6ACD2710F

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe --spoofable
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Downloads\vmaware64.exe vmaware64.exe
Source: C:\Windows\System32\CompMgmtLauncher.exe	Process created: C:\Windows\System32\mmc.exe "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s

Source: C:\Users\user\Downloads\vmaware64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\Downloads\vmaware64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\Downloads\vmaware64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID
Source: C:\Users\user\Downloads\vmaware64.exe	Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductID

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35\MMCFxCommon.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\EventViewer\v4.0_10.0.0.0__31bf3856ad364e35\EventViewer.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\MiguiControls\v4.0_1.0.0.0__31bf3856ad364e35\MIGUIControls.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\TaskScheduler\v4.0_10.0.0.0__31bf3856ad364e35\TaskScheduler.dll VolumeInformation

Source: C:\Windows\System32\mmc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Registry Run Keys / Startup Folder	11 Process Injection	1 Masquerading	OS Credential Dumping	41 Security Software Discovery	Remote Services	1 Clipboard Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 Registry Run Keys / Startup Folder	141 Virtualization/Sandbox Evasion	Security Account Manager	141 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Abuse Elevation Control Mechanism	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Rundll32	Cached Domain Credentials	32 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe	0%	Avira URL Cloud	safe

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Downloads\Unconfirmed 252076.crdownload	38%	ReversingLabs	Win64.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

⊘No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	20.233.83.145	true	false	high
www.google.com	142.250.181.68	true	false	high
objects.githubusercontent.com	185.199.108.133	true	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
74.125.205.84	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
172.217.17.46	unknown	United States	15169	GOOGLEUS	false
172.217.17.35	unknown	United States	15169	GOOGLEUS	false
185.199.108.133	objects.githubusercontent.com	Netherlands	54113	FASTLYUS	false
142.250.181.68	www.google.com	United States	15169	GOOGLEUS	false
216.58.208.227	unknown	United States	15169	GOOGLEUS	false
20.233.83.145	github.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

Private

IP
192.168.2.17

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1567583
Start date and time:	2024-12-03 16:09:03 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsinteractivecookbook.jbs
Sample URL:	https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	EGA enabled
Analysis Mode:	stream
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.evad.win@35/10@6/112

Warnings

Exclude process from analysis (whitelisted): TextInputHost.exe
Excluded IPs from analysis (whitelisted): 216.58.208.227, 172.217.17.46, 74.125.205.84
Excluded domains from analysis (whitelisted): clients2.google.com, accounts.google.com, clientservices.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:09:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2677
Entropy (8bit):	3.988888535371646
Encrypted:	false
SSDEEP:
MD5:	E244094F299CAAD8C3BAA3B88E5F4C90
SHA1:	A2DF96772E0638081E77FF7415556EAEB2975842
SHA-256:	031A6D18F8F99E01C24E674A9BB77D649C74A77BEB08F94AD56C714C19B3CE71
SHA-512:	90DAEB1D6C6F1B9D7C7B75E5C70B5CE6746949DB09BDB2184BA1DBF5CE42647608BD99919EC7B21E8E58569E3DE9585998C629BA9BB40F195FDC230DBEF5866A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......`.E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y5y...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:09:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2679
Entropy (8bit):	4.005668210656435
Encrypted:	false
SSDEEP:
MD5:	E991B7AE2171F756B79BFF3FDB16F1C1
SHA1:	91B0ACCB77251682672F9F2F27FB39BD7C784F5F
SHA-256:	B0D144127D5DEDE0AFCB09CFA2BE774FC78C74F88139AD9318372076EEA176FA
SHA-512:	9189E95E7C88563756F788440D82C6987E568CEACEFB66C963DF95972D2511FAA86FECA72B7A753BA7DFDC45C90154B0BE5657AF1A3F15D5F634C04470ADCF59
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......`.E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y5y...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Fri Oct 6 08:54:41 2023, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2693
Entropy (8bit):	4.015284231449035
Encrypted:	false
SSDEEP:
MD5:	76AAEF83F2D7D716B8EA17371B7D26E4
SHA1:	B987D445738997C2C7A9E8C95323C072F4613FB7
SHA-256:	9CCCB0266880A57F79455658B249ABB4C4A7DF85B68A157DACB9D274662F53B5
SHA-512:	B8706EE2FE034337A1BB0B3CA7D1FE262769C73430637E432C8E8EF409E403A920A739CD226EE24C6E7BF3573F7C3E99A722D85F6248C1BE7603FB4A8293DC2E
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.....v. ;.......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.VFW.N...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:09:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	4.004671853000872
Encrypted:	false
SSDEEP:
MD5:	008CC7AB1853FF2B3FD7F16571D91A3D
SHA1:	2E646F0EAC790595318B37C9EE8F066B0AC35AF5
SHA-256:	2B5396D713493D2315971FB518611557EDA6E15440C99CDBFB3A8F35B7C80299
SHA-512:	3A9BB252FD50B7C69A5A85EFD54ADF141753BF7A88F0F11EECB49362CFA05133B1081A506EADB39470EADEED2D8ACEBE8824B78C05BAB4CBC7B3A26BE5831428
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,.......`.E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y5y...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:09:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2681
Entropy (8bit):	3.993038609257023
Encrypted:	false
SSDEEP:
MD5:	2B14B7B2EC732645FD14F2152EFB726A
SHA1:	17E8E9C793B497AF67D4B177B504737C112B123D
SHA-256:	0BC5D7D00A65F75D958671FC950A5499A987E701ADDA009585284802BBE674FA
SHA-512:	C5854F912B65E1DF8484B9D3CE5746C8679173383209E42BC23A0F8C915613BB28D7C1804C568DD45BDA2391F9F31F7E5F957A7CBDFB9B47A99AB779B39FA8A6
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,....7..`.E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y5y...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Tue Oct 3 09:48:42 2023, mtime=Tue Dec 3 14:09:41 2024, atime=Mon Oct 2 20:46:57 2023, length=1210144, window=hide
Category:	dropped
Size (bytes):	2683
Entropy (8bit):	4.001795387243444
Encrypted:	false
SSDEEP:
MD5:	A09311FF53AFC69DD137F380C114107A
SHA1:	0F09E4EDFD36C7C40D9E31844CF7903670D5A46E
SHA-256:	3CB6032CD39D816BC3CA1BE735CDFC9F504F22685B50E7F6B817A78A3CD8FB4A
SHA-512:	5DCB791AA2473EC96E93634A7294AF47566D9ED361B4D3A35B6EFCEA25CE6ACBDBD989289ACB3BD10CE74880B6B6A64C1D06894B7C19BB8AF887D19B08D8063C
Malicious:	false
Reputation:	unknown
Preview:	L..................F.@.. ...$+.,......`.E......y... w......................1....P.O. .:i.....+00.../C:\.....................1.....FWoN..PROGRA~1..t......O.I.Y+y....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....CW.V..Google..>......CW.V.Y4y....L.....................p+j.G.o.o.g.l.e.....T.1.....FW.N..Chrome..>......CW.V.Y4y....M......................W..C.h.r.o.m.e.....`.1.....FW.N..APPLIC~1..H......CW.V.Y4y...........................W..A.p.p.l.i.c.a.t.i.o.n.....n.2. w..BW. .CHROME~1.EXE..R......CW.V.Y5y...........................3.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.......j...............-.......i.............#K.....C:\Program Files\Google\Chrome\Application\chrome_proxy.exe..S.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.\.c.h.r.o.m.e._.p.r.o.x.y...e.x.e.*.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.G.o.o.g.l.e.\.C.h.r.o.m.e.\.A.p.p.l.i.c.a.t.i.o.n.F

C:\Users\user\Downloads\4996f445-8434-47ad-ba32-94627b390109.tmp

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	5.2585107491410295
Encrypted:	false
SSDEEP:
MD5:	CF929B4EC41929C4DD1A2F79378FEF3C
SHA1:	0C88E347EBC2A74299503E8679451B9AB88A8C2E
SHA-256:	27E57C571280C304E0FBB1B42C2CFABC81B62E5BA4428B0189371864D7C53048
SHA-512:	629597096D272CBDDBF8167C95465DCFA6CB4535889B33810DDF5849BC45D78C67C2438B9A056AA8B45A8C4992C70D680C0471D33C0CC8404DC9A6156BACA3FE
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.s.". .". .". .Z. .". ...!.". ...!.". TR.!.". ...!.". ...!.". TR.!.". .". H". ...!.". ..{ .". ...!.". Rich.". ........................PE..d......f.........."....).....T......\|m.........@.............................0............`..................................................................... ............ .......C...............................B..@............................................text............................... ..`.rdata..&!......."..................@..@.data...h...........................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\Downloads\Unconfirmed 252076.crdownload

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	320512
Entropy (8bit):	6.266654798808441
Encrypted:	false
SSDEEP:
MD5:	BF527BF695FAD91AD3C5CBFCA5806EC1
SHA1:	98B72F5B976F571FBD9CB07BC7F83FEA203F9F15
SHA-256:	4B54163C73F14FE60B0A78E68C614AEA525A32DECF94249E14B95F3019560609
SHA-512:	6777909C732BA29AB450D4CC0969C09D6A65B67A6681341BCA1813503A07836234897BAA9C096EA6DF7EA0BD19C510CE9C10CD03A14ADA9CC96257170794A0AB
Malicious:	true
Yara Hits:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Users\user\Downloads\Unconfirmed 252076.crdownload, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: C:\Users\user\Downloads\Unconfirmed 252076.crdownload, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 38%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.s.". .". .". .Z. .". ...!.". ...!.". TR.!.". ...!.". ...!.". TR.!.". .". H". ...!.". ..{ .". ...!.". Rich.". ........................PE..d......f.........."....).....T......\|m.........@.............................0............`..................................................................... ............ .......C...............................B..@............................................text............................... ..`.rdata..&!......."..................@..@.data...h...........................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

C:\Users\user\Downloads\vmaware64.exe (copy)

Download File

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	0
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:
MD5:	BF527BF695FAD91AD3C5CBFCA5806EC1
SHA1:	98B72F5B976F571FBD9CB07BC7F83FEA203F9F15
SHA-256:	4B54163C73F14FE60B0A78E68C614AEA525A32DECF94249E14B95F3019560609
SHA-512:	6777909C732BA29AB450D4CC0969C09D6A65B67A6681341BCA1813503A07836234897BAA9C096EA6DF7EA0BD19C510CE9C10CD03A14ADA9CC96257170794A0AB
Malicious:	true
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........C.s.". .". .". .Z. .". ...!.". ...!.". TR.!.". ...!.". ...!.". TR.!.". .". H". ...!.". ..{ .". ...!.". Rich.". ........................PE..d......f.........."....).....T......\|m.........@.............................0............`..................................................................... ............ .......C...............................B..@............................................text............................... ..`.rdata..&!......."..................@..@.data...h...........................@....pdata.. ...........................@..@.rsrc...............................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Downloads\vmaware64.exe
File Type:	ASCII text, with CRLF line terminators, with escape sequences
Category:	dropped
Size (bytes):	8031
Entropy (8bit):	5.316679198813125
Encrypted:	false
SSDEEP:
MD5:	755E3B34A457133BCE0D94F59BE6986C
SHA1:	DF50AF79E4635940DF7C29D145E7F0331ADEB76C
SHA-256:	25C58AB7639AAF232F4372C82BEBEBF9551EDB31F46100C175D3499AB9038590
SHA-512:	BB8188E60B299F83F3BECDD166156FFC8F2D313F619E73366E4B5791E425A80A4FAFF249C5E7D6CF3E5AF0646B49936680054FC66AE69F1FE7E59AD0BE4AEF18
Malicious:	false
Reputation:	unknown
Preview:	[.[38;2;239;75;75mNOT DETECTED.[0m] Checking VMID.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking CPU brand.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking CPUID hypervisor bit.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking hypervisor str.....[.[38;2;108;108;108m DISABLED .[0m] Skipped RDTSC..[.[38;2;239;75;75mNOT DETECTED.[0m] Checking sidt null byte.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking processor count.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking MAC address.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking temperature.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking systemd virtualisation.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking chassis vendor.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking chassis type.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking Dockerenv.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking dmidecode output.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking dmesg output.....[.[38;2;239;75;75mNOT DETECTED.[0m] Checking hwmon presence.....

Static File Info

⊘No static file info

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

LLM Input / Output

Created / dropped Files

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk

C:\Users\user\Downloads\4996f445-8434-47ad-ba32-94627b390109.tmp

C:\Users\user\Downloads\Unconfirmed 252076.crdownload

C:\Users\user\Downloads\vmaware64.exe (copy)

\Device\ConDrv

Static File Info

Windows Analysis Report
https://github.com/kernelwernel/VMAware/releases/download/v1.9/vmaware64.exe