Windows Analysis Report
HS0ELYUCh9.exe

Overview

General Information

Sample name: HS0ELYUCh9.exe
renamed because original name is a hash value
Original sample name: adb0ab9c1aee963863e5c93bb22eb0f7c53804e1424b7d7ca277940dd0b75722.exe
Analysis ID: 1530949
MD5: bf8a06edd620a210421a8443626803d1
SHA1: 6d30ee1be20b40add15db916c9fc998796237f37
SHA256: adb0ab9c1aee963863e5c93bb22eb0f7c53804e1424b7d7ca277940dd0b75722
Tags: 185-235-241-208, exe, user-JAMESWT_MHT

Detection

Score: 52
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
One or more processes crash
PE file does not import any functions
Sample file is different than original file name gathered from version info
Uses 32bit PE files

Classification

AV Detection

Source: HS0ELYUCh9.exe ReversingLabs: Detection: 20%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 98.5% probability
Source: HS0ELYUCh9.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HS0ELYUCh9.exe String found in binary or memory: Run, %exe% "https://www.youtube.com/watch?v=5Da2qVntopk" equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: Send, www.linkedin.com/in/JosiahsScott equals www.linkedin.com (Linkedin)
Source: HS0ELYUCh9.exe String found in binary or memory: run https://www.youtube.com/results?search_query=connect+PEX+to+toilet equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: vids = "https://www.youtube.com/watch?v=5Da2qVntopk" equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: vids = "https://www.youtube.com/watch?v=sgC3JqQcT-8" equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: vids = -url="https://www.youtube.com/watch?v=5Da2qVntopk" -url="https://www.youtube.com/watch?v=sgC3JqQcT-8" equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: vids = url="https://www.youtube.com/watch?v=5Da2qVntopk" url="https://www.youtube.com/watch?v=sgC3JqQcT-8" equals www.youtube.com (Youtube)
Source: HS0ELYUCh9.exe String found in binary or memory: http://192.168.1.1
Source: HS0ELYUCh9.exe String found in binary or memory: http://turtlecreekstore.weebly.com/
Source: Amcache.hve.3.dr String found in binary or memory: http://upx.sf.net
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.efficiencyhelp.com/ra/
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.godwingreenroofs.com
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.trueconnection.org/64/favicon-red.ico
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.trueconnection.org/64/favicon.ico
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.trueconnection.org/BibleStudies/John-Jacobs-Power-Force.htm
Source: HS0ELYUCh9.exe String found in binary or memory: http://www.trueconnection.org/mPRL
Source: HS0ELYUCh9.exe String found in binary or memory: https://alfred.camera/webapp/
Source: HS0ELYUCh9.exe String found in binary or memory: https://autohotkey.com/logos/
Source: HS0ELYUCh9.exe String found in binary or memory: https://craigslist.org/
Source: HS0ELYUCh9.exe String found in binary or memory: https://d.docs.live.net/8dc2922513253ddd/Phone-Doc-Sync/Ph2PC.rtf
Source: HS0ELYUCh9.exe String found in binary or memory: https://gainesville.craigslist.org/
Source: HS0ELYUCh9.exe String found in binary or memory: https://hello.freeconference.com/conf/call/2540897
Source: HS0ELYUCh9.exe String found in binary or memory: https://talk2righteous.ryver.com/index.html#forums/1094233
Source: HS0ELYUCh9.exe String found in binary or memory: https://theconversation.com/us/technology
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.dropbox.com/history/Scripts/Josiahs-Master-Script.ahk?_subject_uid=233633894&undelete=1
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.dropbox.com/s/1rz25xk5ta1de01/Songs-of-the-Righteous.doc?dl=00
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.dropbox.com/sh/t50csfyj0kcqm9o/AACYbjZ5mPJBQETIuF7DeZVma?dl=0
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.virustotal.com/
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.youtube.com/results?search_query=connect
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.youtube.com/watch?v=5Da2qVntopk
Source: HS0ELYUCh9.exe String found in binary or memory: https://www.youtube.com/watch?v=sgC3JqQcT-8
Source: HS0ELYUCh9.exe String found in binary or memory: https://www2.deloitte.com/insights/us/en/focus/tech-trends/2018/no-collar-workforce.html
Source: C:\Users\user\Desktop\HS0ELYUCh9.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 196
Source: HS0ELYUCh9.exe Static PE information: No import functions for PE file found
Source: HS0ELYUCh9.exe, 00000000.00000000.1651070965.00000000005CB000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs HS0ELYUCh9.exe
Source: HS0ELYUCh9.exe Binary or memory string: OriginalFilename vs HS0ELYUCh9.exe
Source: classification engine Classification label: mal52.winEXE@3/9@0/0
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6632
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\4cdbca0a-ae8b-4139-b2b3-4dfb34e0763e
Source: HS0ELYUCh9.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HS0ELYUCh9.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: HS0ELYUCh9.exe String found in binary or memory: <!--StartFragment-->
Source: HS0ELYUCh9.exe String found in binary or memory: GoSub, GUI-Start
Source: HS0ELYUCh9.exe String found in binary or memory: Gui, Add, Picture, w220 h100 x450 y190 gGet-Help, %EHEFolder%\Get-Help.gif
Source: HS0ELYUCh9.exe String found in binary or memory: Get-Help:
Source: HS0ELYUCh9.exe String found in binary or memory: Gui, Add, Button, gGet-Help-OK, OK
Source: HS0ELYUCh9.exe String found in binary or memory: Get-Help-OK:
Source: HS0ELYUCh9.exe String found in binary or memory: Length := EndNum-StartNum+SizeOfSE
Source: HS0ELYUCh9.exe String found in binary or memory: Run, "C:\Files\ComputerOperation\Scripts\Favicons-ico-Tray-Icons-Shell32--add-1-number-to-get-right-picture.png"
Source: HS0ELYUCh9.exe String found in binary or memory: MINIMIZE-StartUp-App:
Source: HS0ELYUCh9.exe String found in binary or memory: EXPAND-StartUp-App:
Source: HS0ELYUCh9.exe String found in binary or memory: EXPAND-StartUp-App
Source: HS0ELYUCh9.exe String found in binary or memory: MINIMIZE-StartUp-App
Source: HS0ELYUCh9.exe String found in binary or memory: start_fragment := InStr(data, "<!--StartFragment-->") + 20
Source: HS0ELYUCh9.exe String found in binary or memory: label_03 =Paragraphs-Tabs--Add
Source: HS0ELYUCh9.exe String found in binary or memory: label_04 =Paragraphs-4-Spaces--Add
Source: HS0ELYUCh9.exe String found in binary or memory: Paragraphs-Tabs--Add:
Source: HS0ELYUCh9.exe String found in binary or memory: Paragraphs-4-Spaces--Add:
Source: HS0ELYUCh9.exe String found in binary or memory: ClipX--Install:
Source: HS0ELYUCh9.exe String found in binary or memory: GoTo, URL-App--Start
Source: HS0ELYUCh9.exe String found in binary or memory: GoSub, URL-App--Start
Source: HS0ELYUCh9.exe String found in binary or memory: URL-App--Start:
Source: unknown Process created: C:\Users\user\Desktop\HS0ELYUCh9.exe "C:\Users\user\Desktop\HS0ELYUCh9.exe"
Source: C:\Users\user\Desktop\HS0ELYUCh9.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6632 -s 200
Source: HS0ELYUCh9.exe Static file information: File size 1882624 > 1048576
Source: HS0ELYUCh9.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x104a00
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: Amcache.hve.3.dr Binary or memory string: VMware
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.3.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\HS0ELYUCh9.exe Process queried: DebugPort
Source: HS0ELYUCh9.exe Binary or memory string: WinGetPos,,, desk_width, desk_height, Program Manager
Source: Amcache.hve.3.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr Binary or memory string: MsMpEng.exe
No contacted IP infos