Windows Analysis Report
relHAD3zcZ.exe

Overview

General Information

Sample name: relHAD3zcZ.exe
renamed because original name is a hash value
Original sample name: 5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226.exe
Analysis ID: 1579763
MD5: a1907452a6e7e8748f91900a0383a602
SHA1: 5a59e8301a8175a0128b0da0aba8c2d4a9190764
SHA256: 5d7b8fbf7091672744ecb5fd3ff0664032b0463ff332fefaf892105156e71226
Tags: exe, user-NDA0E

Detection

BlackMoon
Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected BlackMoon Ransomware
AI detected suspicious sample
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Machine Learning detection for sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
Entry point lies outside standard sections
Found inlined nop instructions (likely shell or obfuscated code)
One or more processes crash
PE file contains sections with non-standard names
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: relHAD3zcZ.exe ReversingLabs: Detection: 36%
Source: relHAD3zcZ.exe Virustotal: Detection: 41%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 93.5% probability
Source: relHAD3zcZ.exe Joe Sandbox ML: detected
Source: relHAD3zcZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r465\r465_00\drivers\display\lddm\nvpciflt\_out\wddm2_amd64_release\nvpciflt.pdb source: relHAD3zcZ.exe
Source: Binary string: \C++DEMO\Drv0608\x64\Release\Drv.pdb source: relHAD3zcZ.exe
Source: Binary string: E:\driver_project\zqpj\R3Inject\Release\R3Inject.pdb source: relHAD3zcZ.exe
Source: Binary string: E:\driver_project\zqpj\R3Inject\x64\Debug\Test.pdb source: relHAD3zcZ.exe
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041044A
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_0041545B
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041D06D
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0040F0E0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00406498
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_004014BD
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_00406544
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_00406544
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-14h], esp 0_2_00406D56
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041010C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_004101D1
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041B5DC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041B5DC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_0041D9E7
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_0041D9E7
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00417580
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_0041B5A6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041C259
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0040F25E
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_0040EA66
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-20h], esp 0_2_00408D8E
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041DA72
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp 0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp 0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416214
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_00405EC8
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_00405EC9
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041B2DF
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041B2DF
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_004166EE
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp 0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-5Ch], esp 0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-54h], esp 0_2_00416287
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-04h], esp 0_2_0040369A
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0040EAAD
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_0041FB04
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00403715
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-18h], esp 0_2_004043C4
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_0041B3D0
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00413FD5
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_00404F92
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then mov eax, dword ptr [esi] 0_2_00404F93
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-10h], esp 0_2_0040779C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00406BA6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-08h], esp 0_2_00406BA6
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-0Ch], esp 0_2_004063AC
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 4x nop then cmp dword ptr [ebp-1Ch], esp 0_2_004063AC
Source: relHAD3zcZ.exe String found in binary or memory: http://222.186.172.42:1000/D1.dll
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: relHAD3zcZ.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: relHAD3zcZ.exe String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: relHAD3zcZ.exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: relHAD3zcZ.exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: relHAD3zcZ.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: relHAD3zcZ.exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.digicert.com0N
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.digicert.com0O
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: relHAD3zcZ.exe String found in binary or memory: http://ocsp.thawte.com0
Source: relHAD3zcZ.exe String found in binary or memory: http://rb.symcb.com/rb.crl0W
Source: relHAD3zcZ.exe String found in binary or memory: http://rb.symcb.com/rb.crt0
Source: relHAD3zcZ.exe String found in binary or memory: http://rb.symcd.com0&
Source: relHAD3zcZ.exe String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: relHAD3zcZ.exe String found in binary or memory: http://s.symcd.com0
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: relHAD3zcZ.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: relHAD3zcZ.exe String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: relHAD3zcZ.exe String found in binary or memory: https://d.symcb.com/cps0%
Source: relHAD3zcZ.exe String found in binary or memory: https://d.symcb.com/rpa0
Source: relHAD3zcZ.exe String found in binary or memory: https://d.symcb.com/rpa06
Source: relHAD3zcZ.exe String found in binary or memory: https://www.digicert.com/CPS0
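
Added example (not part of the Joe Sandbox report): most of the URLs above are not network indicators. Everything on digicert.com, thawte.com, symcb.com and symcd.com comes from X.509 certificate data embedded in the file (AIA, CRL distribution point, OCSP and CPS pointers of an Authenticode signing and timestamping chain), and the odd trailing "0", "0E", "0O", "0A", "0&" are the next DER bytes of the certificate, picked up because the SEQUENCE tag 0x30 prints as "0" and the length byte after it is often printable too. The one string that deserves attention is http://222.186.172.42:1000/D1.dll: a bare IP, a non-standard port and a DLL path. The script below sorts a constructed subset of these strings into those buckets; the CA domain list and the file-extension heuristic are assumptions, not something the report states.

```python
"""Triage the URL strings a sandbox pulls out of a PE.

Added example, not part of the Joe Sandbox report.  The CA domain list and the
.dll/.exe heuristic are assumptions chosen for the strings listed above.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed input: a subset of the "String found in binary or memory" values
# listed above, copied verbatim.  The trailing "0", "0E", "0O", "0A", "0&", "06"
# are not part of the URLs: inside an X.509 extension each URL is followed by the
# next DER element, whose SEQUENCE tag 0x30 is ASCII "0" and whose length byte is
# frequently printable, so a plain strings pass glues them onto the URL.
REPORTED_STRINGS = [
    "http://222.186.172.42:1000/D1.dll",
    "http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E",
    "http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O",
    "http://ocsp.digicert.com0A",
    "http://ocsp.thawte.com0",
    "http://rb.symcd.com0&",
    "http://www.digicert.com/CPS0",
    "https://d.symcb.com/rpa06",
    "http://www.eyuyan.com)DVarFileInfo$",   # Easy Programming Language vendor site
    "http://upx.sf.net",                      # UPX banner, reported from Amcache, not the sample
]

# Hosts run by the CAs whose AIA/CDP/OCSP/CPS pointers a signature chain carries.
# Assumed list; extend it for other CAs seen in a given file.
PKI_HOST_SUFFIXES = ("digicert.com", "thawte.com", "symcb.com", "symcd.com")

# URL, then one "0" (DER tag 0x30) and at most one length byte, at end of string.
DER_TAIL_RE = re.compile(r"^(.*?)0.?$")


def strip_der_tail(url: str) -> str:
    """Return the URL without a glued-on DER tag/length pair, if one is present."""
    m = DER_TAIL_RE.match(url)
    return m.group(1) if m else url


def is_pki_host(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in PKI_HOST_SUFFIXES)


def classify(strings) -> dict:
    """Bucket extracted URLs: 'pki' (expected in any signed PE), 'suspect'
    (IP literal, explicit port or a .dll/.exe path: download/staging candidates),
    'other' (needs a human look)."""
    out = {"pki": [], "suspect": [], "other": []}
    for s in strings:
        cleaned = strip_der_tail(s)
        if is_pki_host(urlparse(cleaned).hostname or ""):
            out["pki"].append(cleaned)   # only PKI URLs get the DER tail removed
            continue
        parsed = urlparse(s)             # everything else is kept exactly as reported
        host = parsed.hostname or ""
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False
        if is_ip or parsed.port or parsed.path.lower().endswith((".dll", ".exe")):
            out["suspect"].append(s)
        else:
            out["other"].append(s)
    return out


if __name__ == "__main__":
    for bucket, urls in classify(REPORTED_STRINGS).items():
        print(bucket)
        for u in urls:
            print("   ", u)
```

The DER trimming is only applied to URLs on a known CA host, so a genuine URL that happens to end in "0" is left untouched. The http://www.eyuyan.com string lands in "other" on purpose: eyuyan.com is the vendor site of the Easy Programming Language whose BlackMoon runtime the Yara rule matched, so it is a compiler fingerprint rather than infrastructure, but a reviewer should still confirm that rather than have the script decide.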

Spam, unwanted Advertisements and Ransom Demands

Source: Yara match File source: relHAD3zcZ.exe, type: SAMPLE
Source: Yara match File source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: relHAD3zcZ.exe PID: 1124, type: MEMORYSTR

System Summary

Source: relHAD3zcZ.exe, type: SAMPLE Matched rule: Rule for beacon reflective loader Author: unknown
Source: relHAD3zcZ.exe, type: SAMPLE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.54db8f.2.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.54db8f.1.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.536def.4.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.536def.5.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Rule for beacon reflective loader Author: unknown
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables using BlackMoon RunTime Author: ditekSHen
Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Rule for beacon reflective loader Author: unknown
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0041C124 0_2_0041C124
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0040518C 0_2_0040518C
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_00404F92 0_2_00404F92
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_00404F93 0_2_00404F93
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236
Source: relHAD3zcZ.exe Static PE information: No import functions for PE file found
Source: relHAD3zcZ.exe Binary or memory string: OriginalFilename vs relHAD3zcZ.exe
Source: relHAD3zcZ.exe, 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamenvpciflt.sys vs relHAD3zcZ.exe
Source: relHAD3zcZ.exe Binary or memory string: OriginalFilenamenvpciflt.sys vs relHAD3zcZ.exe
Source: relHAD3zcZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: relHAD3zcZ.exe, type: SAMPLE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: relHAD3zcZ.exe, type: SAMPLE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.54db8f.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.54db8f.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.536def.4.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.536def.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.7339ca.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.7339ca.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.7381da.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.7381da.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.2.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.2.relHAD3zcZ.exe.55d806.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 0.0.relHAD3zcZ.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_BlackMoon author = ditekSHen, description = Detects executables using BlackMoon RunTime
Source: 00000000.00000002.2435336357.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: 00000000.00000000.2048345821.0000000000559000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY Matched rule: Windows_Trojan_CobaltStrike_f0b627fc reference_sample = b362951abd9d96d5ec15d281682fa1c8fe8f8e4e2f264ca86f6b061af607f79b, os = windows, severity = x86, description = Rule for beacon reflective loader, creation_date = 2021-10-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.CobaltStrike, fingerprint = fbc94bedd50b5b943553dd438a183a1e763c098a385ac3a4fc9ff24ee30f91e1, id = f0b627fc-97cd-42cb-9eae-1efb0672762d, last_modified = 2022-01-13
Source: relHAD3zcZ.exe Binary string: \device\physicalmemory
Source: relHAD3zcZ.exe Binary string: \Device\^@&%@$#@$@%*@***@$@%*@%@$*@$@%*@**@$@%*@*@&&$@$#&&^@&%@$#@$@%*@***@$@%*@%@$*@$@%*@**@$@%*
Source: relHAD3zcZ.exe Binary string: \Device\\\.\
Source: relHAD3zcZ.exe Binary string: \Device\nvpciflt
Source: relHAD3zcZ.exe Binary string: \Device\
Source: relHAD3zcZ.exe Binary string: \Device\NTPNP_PCI
Source: relHAD3zcZ.exe Binary string: \Device\NvAdminDevice@
Source: classification engine Classification label: mal76.rans.evad.winEXE@2/5@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1124
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\d5207c3a-0486-484a-9d82-a426ac1d9bb1
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: relHAD3zcZ.exe ReversingLabs: Detection: 36%
Source: relHAD3zcZ.exe Virustotal: Detection: 41%
Source: unknown Process created: C:\Users\user\Desktop\relHAD3zcZ.exe "C:\Users\user\Desktop\relHAD3zcZ.exe"
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 236
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: atl.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Section loaded: rasman.dll
Source: relHAD3zcZ.exe Static file information: File size 3674112 > 1048576
Source: relHAD3zcZ.exe Static PE information: Raw size of L_VhVy is bigger than: 0x100000 < 0x251000
Source: relHAD3zcZ.exe Static PE information: Raw size of L_XwhY is bigger than: 0x100000 < 0x12e000
Source: Binary string: C:\dvs\p4\build\sw\rel\gpu_drv\r465\r465_00\drivers\display\lddm\nvpciflt\_out\wddm2_amd64_release\nvpciflt.pdb source: relHAD3zcZ.exe
Source: Binary string: \C++DEMO\Drv0608\x64\Release\Drv.pdb source: relHAD3zcZ.exe
Source: Binary string: E:\driver_project\zqpj\R3Inject\Release\R3Inject.pdb source: relHAD3zcZ.exe
Source: Binary string: E:\driver_project\zqpj\R3Inject\x64\Debug\Test.pdb source: relHAD3zcZ.exe
Source: initial sample Static PE information: section where entry point is pointing to: L_XwhY
Source: relHAD3zcZ.exe Static PE information: section name: L_VhVy
Source: relHAD3zcZ.exe Static PE information: section name: L_XwhY
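
Added example (not part of the Joe Sandbox report): the Static PE information lines above (3.6 MB file, raw sizes of L_VhVy and L_XwhY above 1 MB, entry point in L_XwhY, no import functions, the COFF characteristics RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE) can all be reproduced from the PE headers alone. The script below builds a header-only PE32 with the section names, raw sizes and characteristics the report shows (the virtual addresses, the entry-point RVA and the section flags are assumed values, and no section bodies are included), then parses and triages it the way a triage tool would handle the real file.

```python
"""Static PE triage reproducing the section/import/entry-point checks listed above.

Added example, not part of the Joe Sandbox report.  Only the PE headers are
parsed.  The image built here is a constructed header-only PE32 carrying the
section names, raw sizes and COFF characteristics from the report; its virtual
addresses, entry-point RVA and section flags are assumptions.
"""
import struct

STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT", "INIT", "PAGE"}
ONE_MIB = 0x100000
COFF_FLAGS = {0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE",
              0x0004: "LINE_NUMS_STRIPPED", 0x0008: "LOCAL_SYMS_STRIPPED",
              0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE", 0x2000: "DLL"}

# (name, VirtualAddress, VirtualSize, SizeOfRawData, PointerToRawData, Characteristics)
# Names and raw sizes come from the report; the rest is assumed.
SAMPLE_LAYOUT = [
    ("L_VhVy", 0x001000, 0x251000, 0x251000, 0x000400, 0xE0000040),
    ("L_XwhY", 0x252000, 0x12E000, 0x12E000, 0x251400, 0xE0000060),
]
SAMPLE_ENTRY_RVA = 0x2F0000   # assumed: somewhere inside L_XwhY, as the report states


def build_header_only_pe(layout, entry_rva, characteristics=0x010F) -> bytes:
    """Constructed PE32 headers with no section bodies and all data directories zero."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)          # 0x40 bytes
    opt_size = 224                                                     # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, characteristics)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)        # Magic: PE32
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    struct.pack_into("<I", opt, 92, 16)          # NumberOfRvaAndSizes; entries stay zero
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va,
                    rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, va, vsize, rawsize, rawptr, chars in layout)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data: bytes) -> dict:
    """Read the COFF header, the optional header fields we need and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size, characteristics = struct.unpack_from("<HH", data, coff + 16)
    opt = coff + 20
    is_pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    directories = opt + (96 if is_pe32 else 112)
    import_rva, import_size = struct.unpack_from("<II", data, directories + 8)  # entry 1
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return {"pe32": is_pe32, "characteristics": characteristics, "entry_rva": entry_rva,
            "import_rva": import_rva, "import_size": import_size, "sections": sections}


def decode_flags(value: int) -> list:
    return [name for bit, name in sorted(COFF_FLAGS.items()) if value & bit]


def triage(info: dict) -> list:
    """Produce findings of the kind the report lists under Static PE information."""
    findings = []
    ep = next((s for s in info["sections"]
               if s["va"] <= info["entry_rva"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep is None:
        findings.append("entry point outside every section")
    elif ep["name"] not in STANDARD_SECTIONS:
        findings.append(f"entry point in non-standard section {ep['name']}")
    for s in info["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {s['name']}")
        if s["rawsize"] > ONE_MIB:
            findings.append(f"raw size of {s['name']} is bigger than 0x100000: 0x{s['rawsize']:x}")
    if info["import_rva"] == 0 or info["import_size"] == 0:
        findings.append("no import directory: every API must be resolved at run time")
    return findings


if __name__ == "__main__":
    info = parse_pe(build_header_only_pe(SAMPLE_LAYOUT, SAMPLE_ENTRY_RVA))
    print(", ".join(decode_flags(info["characteristics"])))
    for finding in triage(info):
        print("-", finding)
```

Feed the real file's bytes to parse_pe() to get the same findings for it. An empty import directory is not a harmless curiosity: the code has to locate kernel32 and its exports itself, typically by walking the loader list reachable from the PEB, which is what the "Contains functionality to read the PEB" signature points at. The Section loaded entries for wininet.dll, wsock32.dll and rasapi32.dll further down show that libraries were pulled in at run time regardless of the empty table.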
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_004984A0 push eax; ret 0_2_004984CE
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0040B6ED push es; iretd 0_2_0040B6EE
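
Added example (not part of the Joe Sandbox report): the two lines above are the raw form of the "Uses code obfuscation techniques (call, push, ret)" signature, and the long run of "4x nop then cmp dword ptr [ebp-XXh], esp" lines earlier in the report is the "Found inlined nop instructions" signature. Both are byte-pattern heuristics over 32-bit code. The script below runs the same two checks over a small hand-constructed code buffer; the bytes are not taken from the sample and the 0x401000 base address is an assumption.

```python
"""Scan raw 32-bit code for two heuristics raised in the report: runs of inline
NOPs followed by a frame/stack-pointer compare, and push/ret style control transfer.

Added example, not part of the Joe Sandbox report.  SAMPLE_CODE is constructed by
hand and is not bytes from the sample; the base address is an assumption.
"""

SAMPLE_CODE = bytes.fromhex(
    "55 8B EC"          # push ebp; mov ebp, esp
    "90 90 90 90"       # 4x nop
    "39 65 F8"          # cmp dword ptr [ebp-08h], esp
    "74 02"             # je +2
    "33 C0"             # xor eax, eax
    "50 C3"             # push eax; ret    (transfer to whatever eax holds, no call/jmp)
    "06 CF"             # push es; iretd   (the junk pair from the report's second line)
    "C9 C3"             # leave; ret
)
REG32 = ("eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi")


def scan_push_ret(code: bytes, base: int = 0x401000) -> list:
    """Find 'push r32; ret' (50..57 C3) and 'push es; iretd' (06 CF) pairs."""
    hits = []
    for i in range(len(code) - 1):
        if 0x50 <= code[i] <= 0x57 and code[i + 1] == 0xC3:
            hits.append((base + i, f"push {REG32[code[i] - 0x50]}; ret"))
        elif code[i] == 0x06 and code[i + 1] == 0xCF:
            hits.append((base + i, "push es; iretd"))
    return hits


def scan_nop_cmp(code: bytes, base: int = 0x401000, min_nops: int = 4) -> list:
    """Find >= min_nops inline NOPs followed by 'cmp dword ptr [ebp+disp8], esp' (39 65 xx)."""
    hits = []
    i = 0
    while i < len(code):
        if code[i] != 0x90:
            i += 1
            continue
        j = i
        while j < len(code) and code[j] == 0x90:
            j += 1                                  # j is the first byte after the run
        if j - i >= min_nops and code[j:j + 2] == b"\x39\x65" and j + 2 < len(code):
            disp = code[j + 2] - 0x100 if code[j + 2] >= 0x80 else code[j + 2]
            sign = "-" if disp < 0 else "+"
            hits.append((base + i,
                         f"{j - i}x nop then cmp dword ptr [ebp{sign}{abs(disp):02X}h], esp"))
        i = j
    return hits


if __name__ == "__main__":
    for addr, text in scan_nop_cmp(SAMPLE_CODE) + scan_push_ret(SAMPLE_CODE):
        print(f"{addr:08X}  {text}")
```

A linear byte match has no notion of instruction boundaries, so a 0x50 that is really an immediate or a displacement followed by a 0xC3 byte will be counted as push eax; ret. The report's addresses come from its disassembler and name the enclosing function, which avoids that problem. Either way, treat these as weak corroborating signals beside the Yara hits and the empty import table, not as detections on their own.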
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0041C124 0_2_0041C124
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0041C124 rdtsc 0_2_0041C124
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0041C124 rdtsc 0_2_0041C124
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_004175DB mov eax, dword ptr fs:[00000030h] 0_2_004175DB
Source: C:\Users\user\Desktop\relHAD3zcZ.exe Code function: 0_2_0041C124 cpuid 0_2_0041C124
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos