Windows Analysis Report
AMSilence.exe

Overview

General Information

Sample name: AMSilence.exe
Analysis ID: 1523566
MD5: c1dc0bfe65e66a2822986bf30d93c6c5
SHA1: 2cb4013675c2de31bbe4acdd4e568c39709c900c
SHA256: df3b8aeae03934ed902a40e32e7974c9cbd1480f7cf869413d24824f0efd5ee1

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found direct / indirect Syscall (likely to bypass EDR)
Tries to delay execution (extensive OutputDebugStringW loop)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
Enables debug privileges
Enables driver privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider
Yara detected Keylogger Generic

Classification

Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3273100 BCryptGenRandom,SystemFunction036,BCryptGenRandom,SystemFunction036, 0_2_00007FF6B3273100
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3273220 SystemFunction036,BCryptGenRandom,memcmp, 0_2_00007FF6B3273220
Source: AMSilence.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: kernel32.pdbUGP source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdbGCTL source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdb source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdb source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdb source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdb source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: D:\a01\_work\9\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: AMSilence.exe, 00000000.00000002.869833791.000001D9E54B0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: msvcrt.pdb source: AMSilence.exe, 00000000.00000002.868808213.000001D9E5060000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdbUGP source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: rpcrt4.pdbUGP source: AMSilence.exe, 00000000.00000002.868465957.000001D9E4F60000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: apphelp.pdbUGP source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdbUGP source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdb source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: sechost.pdbUGP source: AMSilence.exe, 00000000.00000002.869622968.000001D9E5420000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdbUGP source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: AMSilence.pdb source: AMSilence.exe
Source: Binary string: msvcp_win.pdb source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: msvcp_win.pdbUGP source: AMSilence.exe, 00000000.00000002.866727460.000001D9E47C0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdb source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: advapi32.pdbUGP source: AMSilence.exe, 00000000.00000002.868648031.000001D9E4FE0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdbUGP source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: bcryptprimitives.pdb source: AMSilence.exe, 00000000.00000002.866180475.000001D9E4660000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdb source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: ntdll.pdb source: AMSilence.exe, 00000000.00000002.864485270.000001D9E40D0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: kernel32.pdb source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: oleaut32.pdb source: AMSilence.exe, 00000000.00000002.865771573.000001D9E4550000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: combase.pdbUGP source: AMSilence.exe, 00000000.00000002.867537828.000001D9E4B80000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: apphelp.pdb source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: ucrtbase.pdbUGP source: AMSilence.exe, 00000000.00000002.866352920.000001D9E46C0000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: cryptbase.pdbUGP source: AMSilence.exe, 00000000.00000002.869996844.000001D9E5510000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: bcrypt.pdbUGP source: AMSilence.exe, 00000000.00000002.868040567.000001D9E4D90000.00000002.00001000.00020000.00000000.sdmp
Source: Binary string: kernelbase.pdb source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325CBC0 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,FindFirstFileW,memmove,HeapFree,GetLastError,HeapFree,HeapFree,memmove,memmove,FindClose,memmove,FindClose,memcmp,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,FindClose, 0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3283A70 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,memset,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF6B3283A70
Source: AMSilence.exe String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-supportinternal_codedescriptionunknown_codeos_errorUnknow (an error-message string from the Rust getrandom crate; together with the ProcessPrng calls in the function listings below this is consistent with a Rust-built binary)
Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: DirectInput8Create memstr_9414f9d0-e
Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_57a49ad2-5
Source: Yara match File source: 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: AMSilence.exe PID: 8496, type: MEMORYSTR
Note: dump region 000001D9E4940000 is the one the Binary string lines above tie to kernelbase.pdb, so the DirectInput8Create and GetRawInputData strings and the generic keylogger Yara hit were found in the mapped kernelbase.dll image, not in the sample's own code. Confirm against the sample's imports and the call listings below before treating it as a keylogger.
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3253250 OutputDebugStringW,memset,OutputDebugStringW,GetModuleFileNameW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,CreateToolhelp32Snapshot,GetLastError,HeapFree,memset,ProcessPrng,Module32FirstW,HeapFree,GetLastError,GetLastError,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,Module32NextW,memcmp,memcmp,memset,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,GetModuleHandleW,HeapFree,GetModuleFileNameW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,GetLastError,HeapFree,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,memset,OutputDebugStringW,HeapFree,NtOpenFile,memset,memset,OutputDebugStringW,HeapFree,GetErrorInfo,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,NtCreateSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,GetLastError,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,Module32NextW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,GetCurrentProcess,NtMapViewOfSection,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,OutputDebugStringW,HeapFree,HeapFree,memset,HeapFree,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,memset,OutputDebugStringW,HeapFree,memmove,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,NtUnmapViewOfSection,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memcmp,HeapFree,HeapFree,OutputDebugStringW,HeapFree,CloseHandle,CloseHandle,GetLastError,CloseHandle,GetLastError,GetLastError,HeapFree,CloseHandle,GetLastError,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle, 0_2_00007FF6B3253250
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327B520 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle, 0_2_00007FF6B327B520
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325DD20 0_2_00007FF6B325DD20
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325C3B0 0_2_00007FF6B325C3B0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32583F0 0_2_00007FF6B32583F0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325CBC0 0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3253250 0_2_00007FF6B3253250
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325B9F0 0_2_00007FF6B325B9F0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32521E0 0_2_00007FF6B32521E0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32588B0 0_2_00007FF6B32588B0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3269D70 0_2_00007FF6B3269D70
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328C450 0_2_00007FF6B328C450
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326E450 0_2_00007FF6B326E450
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32984E0 0_2_00007FF6B32984E0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3281D30 0_2_00007FF6B3281D30
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3270390 0_2_00007FF6B3270390
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327F3F0 0_2_00007FF6B327F3F0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3262C30 0_2_00007FF6B3262C30
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3276C20 0_2_00007FF6B3276C20
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3264A60 0_2_00007FF6B3264A60
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327EAA0 0_2_00007FF6B327EAA0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3292A90 0_2_00007FF6B3292A90
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326B2F0 0_2_00007FF6B326B2F0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32742F0 0_2_00007FF6B32742F0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32972D0 0_2_00007FF6B32972D0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32662C0 0_2_00007FF6B32662C0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3251150 0_2_00007FF6B3251150
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32651A0 0_2_00007FF6B32651A0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328C190 0_2_00007FF6B328C190
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3273220 0_2_00007FF6B3273220
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326C210 0_2_00007FF6B326C210
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3294060 0_2_00007FF6B3294060
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3266890 0_2_00007FF6B3266890
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3271080 0_2_00007FF6B3271080
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B32678B6 0_2_00007FF6B32678B6
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326D130 0_2_00007FF6B326D130
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327B900 0_2_00007FF6B327B900
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328E740 0_2_00007FF6B328E740
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327BFA0 0_2_00007FF6B327BFA0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327CF80 0_2_00007FF6B327CF80
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328DFC0 0_2_00007FF6B328DFC0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3267800 0_2_00007FF6B3267800
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3283EA0 0_2_00007FF6B3283EA0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3264EC0 0_2_00007FF6B3264EC0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328CF30 0_2_00007FF6B328CF30
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B329A720 0_2_00007FF6B329A720
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327FF10 0_2_00007FF6B327FF10
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3295700 0_2_00007FF6B3295700
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3264D50 0_2_00007FF6B3264D50
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3284D40 0_2_00007FF6B3284D40
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326B5B0 0_2_00007FF6B326B5B0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326C5A0 0_2_00007FF6B326C5A0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327E5A0 0_2_00007FF6B327E5A0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B326ADE0 0_2_00007FF6B326ADE0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3251620 0_2_00007FF6B3251620
Source: C:\Users\user\Desktop\AMSilence.exe Process token adjusted: Load Driver
Source: C:\Users\user\Desktop\AMSilence.exe Process token adjusted: Security
Source: C:\Users\user\Desktop\AMSilence.exe Code function: String function: 00007FF6B326E9D0 appears 59 times
Source: AMSilence.exe, 00000000.00000002.865229613.000001D9E4330000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamekernel32j% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868879395.000001D9E5090000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcrt.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.866289703.000001D9E46A0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcryptprimitives.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868593632.000001D9E4FC0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamerpcrt4.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865275547.000001D9E4350000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: {18A8B5B2-9D2F-4DB2-8307-196B5CC0CE6B}{9DE6F12F-0CB2-45E3-BAF1-FB0978255646}{22624CAC-FE50-451E-9261-E7F22AAB93EC}{5F72496A-514E-45FD-BF6C-21D75296EB78}{63C7DCCD-B53C-4A01-A9E3-30F6C38D793E}{8F5A098F-FE98-46EB-B2F6-859078D5E2F7}{E1236381-9522-4BB0-B0AB-AEF2CAB1205F}{10C4200A-0E69-40EA-8153-5F6ABB003C08}{E6B77E90-C966-4BC5-A29B-3EF9B2ADFFD1}{D2F983A5-5880-4964-B98F-67319C3625C4}{6E71D560-6E08-49E6-BF04-F94C85B54355}{3BE690E1-0665-430A-8F6D-89DDD4857989}{AB0BCAAD-7CC5-4CDA-A544-F858E7FF5B8D}{8AEE3B6E-E9A4-40B1-96EC-042F74EB8DCC}{0E7910B7-47A1-4EA8-AC71-63BD4126BF30}{59723693-A1CD-43FC-B4EC-CB48BDACF030}{73A8CA94-C105-4027-90FE-648F9D7B00ED}{9BD0B321-F521-46FA-9B06-0A5E6B0461C8}{A0B2DCF2-CBA3-4534-8EE2-D12D26ABB17B}{852EA32A-1D7A-49CC-8166-77B9DAEFBF7D}{9E248A91-7917-4105-BD0D-31E4965EC06E}{CCF7A2DD-43C3-4C6F-AB68-AF441163D0A0}{097A5E89-584D-4C58-B374-F31A68CA381D}{F83A0FCD-6D48-4714-8A38-D06D376AA7A0}{CECAF199-3F16-46C9-9F81-2905C16E0042}{8FFCB6B3-B3FF-401A-AD20-A5390AAA62B7}{A9C0CE5E-9A1A-47C9-82B6-538C880FDFF0}{8E412EFC-5B34-4C46-9BB4-71F7290EFE3F}FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyrightAcGenral.dllAcLayers.dllAcRes.dllAcSpecfc.dllAcWinRT.dllacwow64.dllAcXtrnal.dllKeyboardFilterShim.dllMasterShim.dlldepdetctuacdetctluadgmgt.dllluapriv.dllEMET.dllEMET64.dllLogExts.dllLogShim.dllInstallerDetectionSetupLayer.exeDXGUseWarpRenderingEntry.exeContainer32bitCompatModeEntry.exeNTDLL.DLLVERIFIER.DLLETW0 vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868091100.000001D9E4DD0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamebcrypt.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.866482949.000001D9E4720000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameucrtbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.868760246.000001D9E5040000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameadvapi32.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.867484560.000001D9E4B60000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemsvcp_win.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869759728.000001D9E5480000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamesechost.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.870048646.000001D9E5550000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecryptbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869946835.000001D9E54F0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamevcruntime140.dllT vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.864715336.000001D9E4170000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: FileVersionProductVersionFileDescriptionCompanyNameProductNameOriginalFilenameInternalNameLegalCopyright vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865661302.000001D9E44E0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865371563.000001D9E43A0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApphelpj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.869345089.000001D9E52F0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCOMBASE.DLLj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.864922036.000001D9E4200000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameKernelbase.dllj% vs AMSilence.exe
Source: AMSilence.exe, 00000000.00000002.865939840.000001D9E45B0000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOLEAUT32.DLLj% vs AMSilence.exe
Note: every OriginalFilename value above names a system DLL (kernel32, msvcrt.dll, ntdll.dll, vcruntime140.dll, ...) and is the version-resource string of that loaded DLL captured from a process memory dump, not the sample's own version resource. The "Sample file is different than original file name" signature is therefore not evidence that AMSilence.exe was renamed; the sample's own PDB name (AMSilence.pdb, above) matches the file name.
Source: classification engine Classification label: mal48.evad.winEXE@2/0@0/0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B327CF80 memset,GetModuleHandleW,FormatMessageW,memmove,GetLastError,HeapFree,HeapFree, 0_2_00007FF6B327CF80
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325DD20 GetCurrentProcess,OpenProcessToken,memmove,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,HeapFree,memset,GetLastError,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,ProcessPrng,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,WriteProcessMemory,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,memset,HeapFree,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF6B325DD20
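The two function listings above are the ones an analyst triages by hand: 0_2_00007FF6B325DD20 adjusts a token privilege (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) and then calls WriteProcessMemory on the current process, and 0_2_00007FF6B3253250 walks the module list (CreateToolhelp32Snapshot, Module32FirstW/NextW), opens a file and maps it as a section through the native API (NtOpenFile, NtCreateSection, NtMapViewOfSection) and compares bytes with memcmp. The Python below is an added example, not part of this report or of the sandbox: it parses evidence lines of the form quoted above, flags call chains with a few heuristic rules (the rule names and API sets are this example's own assumptions, not sandbox signatures), and attributes "Binary or memory string" hits to the .pdb the report associates with the same dump region, which is how one checks whether a string sits in the sample or in a mapped system DLL. SAMPLE_LINES are trimmed copies of lines from this report, constructed for the example.

```python
"""Triage helpers for Joe Sandbox-style evidence lines.

Added example (not part of the original report): parses "Code function"
and "Binary string" / "Binary or memory string" lines, flags API-call
chains worth a second look, and attributes memory-string hits to the
module whose image occupies that dump region.
"""
import re
from collections import defaultdict

# Constructed sample input: trimmed copies of evidence lines from the report.
SAMPLE_LINES = [
    "Source: C:\\Users\\user\\Desktop\\AMSilence.exe Code function: 0_2_00007FF6B325DD20 "
    "GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,"
    "ProcessPrng,OutputDebugStringW,WriteProcessMemory,HeapFree, 0_2_00007FF6B325DD20",
    "Source: C:\\Users\\user\\Desktop\\AMSilence.exe Code function: 0_2_00007FF6B3253250 "
    "CreateToolhelp32Snapshot,Module32FirstW,Module32NextW,NtOpenFile,NtCreateSection,"
    "NtMapViewOfSection,memcmp,NtUnmapViewOfSection,CloseHandle, 0_2_00007FF6B3253250",
    "Source: C:\\Users\\user\\Desktop\\AMSilence.exe Code function: 0_2_00007FF6B327B520 "
    "GetStdHandle,GetConsoleMode,NtWriteFile,CloseHandle, 0_2_00007FF6B327B520",
    "Source: Binary string: kernelbase.pdbUGP source: AMSilence.exe, "
    "00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp",
    "Source: Binary string: AMSilence.pdb source: AMSilence.exe",
    "Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp "
    "Binary or memory string: DirectInput8Create memstr_9414f9d0-e",
    "Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp "
    "Binary or memory string: DisableGuestVmNetworkConnectivity",
]

# "Code function: <addr> <api,api,...>, <addr>"
CODE_RE = re.compile(r"Code function: (\S+) (.*?), \1$")
# "Binary string: <name>.pdb[suffix] source: AMSilence.exe, <dump id>.sdmp"
PDB_RE = re.compile(r"Binary string: (\S+?\.pdb)\S* source: AMSilence\.exe, (\S+\.sdmp)")
# "Source: AMSilence.exe, <dump id>.sdmp Binary or memory string: <string>"
MEMSTR_RE = re.compile(r"Source: AMSilence\.exe, (\S+\.sdmp) Binary or memory string: (\S+)")

# Heuristic rules (assumptions for this example, not sandbox signatures): a chain
# is flagged with a label when it contains every API in the set.
RULES = {
    "token-privileges+WriteProcessMemory": {
        "OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges", "WriteProcessMemory"},
    # Mapping a file as a section and diffing it is the shape of a clean-copy
    # comparison of a loaded module; the report does not name the file, so the
    # label only records the pattern.
    "map-file-section+memcmp": {
        "NtOpenFile", "NtCreateSection", "NtMapViewOfSection", "memcmp"},
    "module-enumeration": {
        "CreateToolhelp32Snapshot", "Module32FirstW", "Module32NextW"},
}


def region_of(sdmp_id: str) -> str:
    """Base-address field of a dump id like 00000000.00000002.<n>.<base>.....sdmp."""
    return sdmp_id.split(".")[3]


def parse_code_functions(lines):
    """Map function address -> ordered list of APIs it calls."""
    chains = {}
    for line in lines:
        m = CODE_RE.search(line)
        if m:
            chains[m.group(1)] = [a for a in m.group(2).split(",") if a]
    return chains


def flag_chains(chains):
    """Apply RULES plus a generic 'calls Nt* natively' check; address -> labels."""
    flags = defaultdict(list)
    for addr, apis in chains.items():
        present = set(apis)
        for label, needed in RULES.items():
            if needed <= present:
                flags[addr].append(label)
        if any(a.startswith("Nt") for a in apis):
            flags[addr].append("native-api")
    return dict(flags)


def attribute_strings(lines):
    """Map each memory-string hit to the .pdb of the module mapped in that region.

    None means the report lists no PDB for that region (it may be the sample itself).
    """
    region_to_module = {}
    for line in lines:
        m = PDB_RE.search(line)
        if m:
            region_to_module[region_of(m.group(2))] = m.group(1).rsplit("\\", 1)[-1]
    hits = {}
    for line in lines:
        m = MEMSTR_RE.search(line)
        if m:
            hits[m.group(2)] = region_to_module.get(region_of(m.group(1)))
    return hits


if __name__ == "__main__":
    for addr, labels in flag_chains(parse_code_functions(SAMPLE_LINES)).items():
        print(addr, ", ".join(labels))
    for s, mod in attribute_strings(SAMPLE_LINES).items():
        print(f"{s}: found in region of {mod or 'unknown module'}")
```

Run it on the full report text by replacing SAMPLE_LINES with the report's lines; attribution only works where the report names a PDB for the same dump base address, so a hit that resolves to None still needs a manual look at the region.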
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8524:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8524:120:WilError_03
Source: AMSilence.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\AMSilence.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\AMSilence.exe "C:\Users\user\Desktop\AMSilence.exe"
Source: C:\Users\user\Desktop\AMSilence.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AMSilence.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AMSilence.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\AMSilence.exe Section loaded: cryptbase.dll
Source: AMSilence.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: AMSilence.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: AMSilence.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3292A90 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,HeapFree,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,HeapFree,HeapFree,HeapFree, 0_2_00007FF6B3292A90

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\AMSilence.exe Section loaded: OutputDebugStringW count: 1984
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325CBC0 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,FindFirstFileW,memmove,HeapFree,GetLastError,HeapFree,HeapFree,memmove,memmove,FindClose,memmove,FindClose,memcmp,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,FindClose, 0_2_00007FF6B325CBC0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3283A70 GetFileInformationByHandle,GetFileInformationByHandleEx,GetLastError,CloseHandle,memset,FindFirstFileW,FindClose,HeapFree, 0_2_00007FF6B3283A70
Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: DisableGuestVmNetworkConnectivity
Source: AMSilence.exe, 00000000.00000002.867065735.000001D9E4940000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: EnableGuestVmNetworkConnectivity
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325C3B0 OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,LdrLoadDll,memset,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree, 0_2_00007FF6B325C3B0
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3297E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6B3297E60
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B325DD20 GetCurrentProcess,OpenProcessToken,memmove,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,HeapFree,memset,GetLastError,HeapFree,memset,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,ProcessPrng,memset,OutputDebugStringW,memset,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,memset,OutputDebugStringW,HeapFree,GetCurrentProcess,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,WriteProcessMemory,HeapFree,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,memset,HeapFree,HeapFree,OutputDebugStringW,HeapFree,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memmove,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,HeapFree,memset,OutputDebugStringW,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,memset,OutputDebugStringW,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF6B325DD20
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3292A90 SetLastError,GetCurrentDirectoryW,GetLastError,GetLastError,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlLookupFunctionEntry,WaitForSingleObjectEx,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetCurrentProcess,memset,GetProcAddress,GetCurrentProcess,lstrlenW,GetCurrentProcessId,CreateMutexA,CloseHandle,ReleaseMutex,GetProcAddress,GetCurrentProcess,GetProcAddress,GetCurrentProcess,HeapFree,GetCurrentProcess,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,ReleaseMutex,RtlVirtualUnwind,memset,WideCharToMultiByte,HeapFree,HeapFree,HeapFree, 0_2_00007FF6B3292A90
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3292A60 HeapAlloc,GetProcessHeap,HeapAlloc, 0_2_00007FF6B3292A60
Source: C:\Users\user\Desktop\AMSilence.exe Process token adjusted: Debug
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3298004 SetUnhandledExceptionFilter, 0_2_00007FF6B3298004
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3297E60 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6B3297E60

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\AMSilence.exe NtUnmapViewOfSection: Indirect: 0x7FF6B3257AF9
Source: C:\Users\user\Desktop\AMSilence.exe Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform VolumeInformation
Source: C:\Users\user\Desktop\AMSilence.exe Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2107.4-0 VolumeInformation
Source: C:\Users\user\Desktop\AMSilence.exe Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0 VolumeInformation
Source: C:\Users\user\Desktop\AMSilence.exe Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpClient.dll VolumeInformation
Source: C:\Users\user\Desktop\AMSilence.exe Queries volume information: C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.2108.7-0\MpOAV.dll VolumeInformation
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B328E740 ProcessPrng,GetCurrentProcessId,ProcessPrng,HeapFree,ProcessPrng,CreateNamedPipeW,GetLastError,HeapFree,HeapFree,HeapFree,CloseHandle,HeapFree,HeapFree,ProcessPrng,HeapFree, 0_2_00007FF6B328E740
Source: C:\Users\user\Desktop\AMSilence.exe Code function: 0_2_00007FF6B3297D38 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6B3297D38
No contacted IP infos