Windows Analysis Report
[SOH] CS1.6 Hack v2.exe

Overview

General Information

Sample name:	[SOH] CS1.6 Hack v2.exe (renamed file extension from bat to exe)
Original sample name:	[SOH] CS1.6 Hack v2.bat
Analysis ID:	1655136
MD5:	4eeab4b5b16939a50019e34f53cc8536
SHA1:	1bcf2a73174f1b388646e0c8db2ade63eb03dd24
SHA256:	0977ee8dff943b199d60adc10077f361611e0428cd4781ff5ae556a0192be1a6
Infos:

Detection

Score:	48
Range:	0 - 100
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Creates a process in suspended mode (likely to inject code)

Entry point lies outside standard sections

One or more processes crash

PE file contains an invalid checksum

PE file contains sections with non-standard names

Uses 32bit PE files

Classification

Signatures

AV Detection

Multi AV Scanner detection for submitted file

Source: [SOH] CS1.6 Hack v2.exe	Virustotal: Detection: 59%			Perma Link
Source: [SOH] CS1.6 Hack v2.exe	ReversingLabs: Detection: 63%

Uses 32bit PE files

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Source: Amcache.hve.6.dr

String found in binary or memory: http://upx.sf.net

One or more processes crash

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576

Uses 32bit PE files

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: Section: .MPRESS1 ZLIB complexity 1.0000960553278688

Source: classification engine

Classification label: mal48.winEXE@5/6@0/0

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7528

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\633fd883-c53b-4916-8bf1-4be09e9aaeed

Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: [SOH] CS1.6 Hack v2.exe	Virustotal: Detection: 59%
Source: [SOH] CS1.6 Hack v2.exe	ReversingLabs: Detection: 63%

Source: unknown	Process created: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe "C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe"
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7528 -s 576
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8	Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9625_none_508ef7e4bcbbe589\MSVCR90.dll

Jump to behavior

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

PE file contains an invalid checksum

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: real checksum: 0x20397 should be: 0x20410

PE file contains sections with non-standard names

Source: [SOH] CS1.6 Hack v2.exe	Static PE information: section name: .MPRESS1
Source: [SOH] CS1.6 Hack v2.exe	Static PE information: section name: .MPRESS2

Source: [SOH] CS1.6 Hack v2.exe

Static PE information: section name: .MPRESS1 entropy: 7.996976368895077

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: Amcache.hve.6.dr	Binary or memory string: VMware
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.6.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.6.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.6.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.6.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.6.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.6.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.6.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.6.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.6.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.6.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.6.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.6.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.6.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.6.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.6.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.6.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.6.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process queried: DebugPort

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\[SOH] CS1.6 Hack v2.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c color F8

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.6.dr	Binary or memory string: MsMpEng.exe

Screenshots

Behavior

Click here to start
Slideshow Behavior Animation

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1655136
Product:	CloudBasic
Start time:	00:52:57
Start date:	03.04.2025
Sample:	[SOH] CS1.6 Hack v2.bat
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	4eeab4b5b16939a50019e34f53cc8536
SHA1:	1bcf2a73174f1b388646e0c8db2ade63eb03dd24
SHA256:	0977ee8dff943b199d60adc10077f361611e0428cd4781ff5ae556a0192be1a6
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_[SOH] CS1.6 Hack_d2e752d27c733e64b9b05b113fbd9cc43686c5a_8a141c15_7e724db4-cbf0-4afa-ace4-829a750062d0\Report.wer	Unicode text, UTF-16, little-endian text, with CRLF line terminators	C08751FEB3292953B268C4C7FB81849D	40430448810F5386927C8B5ACFD04C26997CCBC0	0297545A0FB8DDE7DC2B2E869D9FC42B82842ABDB6060F1A5B65D61392D68D80
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3266.tmp.dmp	Mini DuMP crash report, 15 streams, Wed Apr 2 22:53:54 2025, 0x1205a4 type	D3ABA2F14862E62DFBBBC3622A29E3BB	8A4A496A9E3D18690DE01EB896E19755BD5156B8	8E110F6803E5D10560990886CA3F2B93E6E44F9D28DB6EB60A3356F803F12A96
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3312.tmp.WERInternalMetadata.xml	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators	CFC60879473BCBE1235CBABDE86601F7	AF52AD6F24638BC00F29D3A565050E38916C5085	4F44B9A625BD4F577E9BCE191F941AE6060BA2112D338A1FE89AA41F7A00B4F3
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3352.tmp.xml	XML 1.0 document, ASCII text, with CRLF line terminators	A34F16B32EE0DACF237A457A9E0EF59B	70B5094A8AB180B2B80A0C8218973DE63589079A	60BBFFF2B9BF6982A169E1D8685ADA635B600BE0F1E86C24ADC818DA32D7A284
C:\Windows\appcompat\Programs\Amcache.hve	MS Windows registry file, NT/2000 or above	B7978DBB7EFE6D537461852783A49763	F382CD76506FA6CA38CF6BBDB2354CF69225EB64	8BE670DD2F5C99121D5CFC26025343BCBC2E11465F1A9D86D17126AFA058FB06
\Device\ConDrv	ASCII text, with CRLF line terminators	2F64267CB717CEE85054093DA85FD90A	143C26032E49EDE7EB60483F92104855AC658995	8B1E909395FA237DD09D038F5A27F6B43E381F29AB50ACD2653B2DE9411EC88D

Windows Analysis Report
[SOH] CS1.6 Hack v2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report [SOH] CS1.6 Hack v2.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Lowering of HIPS / PFW / Operating System Security Settings

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
[SOH] CS1.6 Hack v2.exe