Windows Analysis Report
CSh#U0430rk F1 x.exe

Overview

General Information

Sample name: CSh#U0430rk F1 x.exe
renamed because original name is a hash value
Original sample name: CShаrk F1 x.exe
Analysis ID: 1532884
MD5: 152025c926edf53603411541f0f259c0
SHA1: 0be7af5fc1c37b723e97846acbea794e31300614
SHA256: e9d09aee08577c911b177231aa238614dc119adb0a1e73ac148f4bac60eab8be
Tags: exeuser-4k95m

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
AI detected suspicious sample
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Queries memory information (via WMI often done to detect virtual machines)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to launch a program with higher privileges
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found large amount of non-executed APIs
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses Microsoft's Enhanced Cryptographic Provider

Classification

AV Detection

Source: CSh#U0430rk F1 x.exe ReversingLabs: Detection: 36%
Source: CSh#U0430rk F1 x.exe Virustotal: Detection: 43%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 96.2% probability
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C948640 TlsGetValue,BCryptGenRandom,SystemFunction036,TlsGetValue,TlsSetValue,HeapFree,HeapFree,TlsGetValue,TlsSetValue,HeapFree,HeapFree, 0_2_00007FF68C948640
Source: CSh#U0430rk F1 x.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF2F2000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2426415652.000001FEBF2F7000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF2F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://outlook.com
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9660B0 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF68C9660B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9679F0 NtQueryInformationProcess,GetErrorInfo,NtQueryInformationProcess,HeapFree,HeapFree, 0_2_00007FF68C9679F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92C3C7 memcpy,memcmp,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState, 0_2_00007FF68C92C3C7
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C928CE1 memset,HeapFree,memcpy,memset,HeapFree,memcpy,GetComputerNameExW,GetComputerNameExW,GetLastError,HeapFree,HeapFree,HeapFree,memcpy,SysFreeString,SysFreeString,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetErrorInfo,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetTickCount64,HeapFree,HeapFree,HeapFree,HeapFree,memset,GetErrorInfo,SysFreeString,SysFreeString,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,memcpy,CoInitializeEx,HeapFree,WaitForSingleObject,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState,GetLastError,HeapFree,HeapFree,RegCreateKeyExW,HeapFree,RegOpenKeyExW,HeapFree,HeapFree,HeapFree,RegQueryValueExW, 0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C961CD0 NtQuerySystemInformation,GetErrorInfo,GetSystemTimePreciseAsFileTime,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,memcpy,HeapFree,HeapFree,RtlFreeHeap, 0_2_00007FF68C961CD0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92DC75 HeapFree,HeapFree,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState, 0_2_00007FF68C92DC75
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94D5E0 0_2_00007FF68C94D5E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C929E90 0_2_00007FF68C929E90
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C925060 0_2_00007FF68C925060
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9660B0 0_2_00007FF68C9660B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C962880 0_2_00007FF68C962880
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9519C0 0_2_00007FF68C9519C0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C963170 0_2_00007FF68C963170
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93293F 0_2_00007FF68C93293F
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C96A140 0_2_00007FF68C96A140
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9681B0 0_2_00007FF68C9681B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C969AF0 0_2_00007FF68C969AF0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92C3C7 0_2_00007FF68C92C3C7
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C928CE1 0_2_00007FF68C928CE1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C961CD0 0_2_00007FF68C961CD0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94AC60 0_2_00007FF68C94AC60
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C949DEE 0_2_00007FF68C949DEE
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94C5F0 0_2_00007FF68C94C5F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C921E2D 0_2_00007FF68C921E2D
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C963E30 0_2_00007FF68C963E30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9555FF 0_2_00007FF68C9555FF
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C923610 0_2_00007FF68C923610
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92C546 0_2_00007FF68C92C546
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C925710 0_2_00007FF68C925710
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C967F10 0_2_00007FF68C967F10
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C948640 0_2_00007FF68C948640
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9527C0 0_2_00007FF68C9527C0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C924830 0_2_00007FF68C924830
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C958761 0_2_00007FF68C958761
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93F770 0_2_00007FF68C93F770
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C95B772 0_2_00007FF68C95B772
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92E7AA 0_2_00007FF68C92E7AA
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C963FB0 0_2_00007FF68C963FB0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93D0F0 0_2_00007FF68C93D0F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93F130 0_2_00007FF68C93F130
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C956935 0_2_00007FF68C956935
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9230FD 0_2_00007FF68C9230FD
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C968100 0_2_00007FF68C968100
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C953870 0_2_00007FF68C953870
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C935840 0_2_00007FF68C935840
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92E849 0_2_00007FF68C92E849
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9350B0 0_2_00007FF68C9350B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C924080 0_2_00007FF68C924080
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9611E0 0_2_00007FF68C9611E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9339F0 0_2_00007FF68C9339F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9259D0 0_2_00007FF68C9259D0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C944A30 0_2_00007FF68C944A30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C95DA30 0_2_00007FF68C95DA30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93CA00 0_2_00007FF68C93CA00
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C933960 0_2_00007FF68C933960
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9392E0 0_2_00007FF68C9392E0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C926AE0 0_2_00007FF68C926AE0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C931A60 0_2_00007FF68C931A60
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C928A40 0_2_00007FF68C928A40
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C923240 0_2_00007FF68C923240
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C968AB0 0_2_00007FF68C968AB0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C95E290 0_2_00007FF68C95E290
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C931A93 0_2_00007FF68C931A93
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C938BF0 0_2_00007FF68C938BF0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C951C30 0_2_00007FF68C951C30
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C958404 0_2_00007FF68C958404
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C928340 0_2_00007FF68C928340
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94F340 0_2_00007FF68C94F340
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C958BB3 0_2_00007FF68C958BB3
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C959B86 0_2_00007FF68C959B86
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C95D4F0 0_2_00007FF68C95D4F0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C935D10 0_2_00007FF68C935D10
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C951460 0_2_00007FF68C951460
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C933C70 0_2_00007FF68C933C70
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C923470 0_2_00007FF68C923470
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92DC75 0_2_00007FF68C92DC75
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C93FC50 0_2_00007FF68C93FC50
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C958479 0_2_00007FF68C958479
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C943480 0_2_00007FF68C943480
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2431851481.000001FEBEFFA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs CSh#U0430rk F1 x.exe
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417878615.000001FEBEFE2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameApplicationFrameHost.exej% vs CSh#U0430rk F1 x.exe
Source: classification engine Classification label: mal72.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C96A140 CoCreateInstance,SysFreeString,CoSetProxyBlanket,GetErrorInfo,GetErrorInfo,SysFreeString,GetErrorInfo, 0_2_00007FF68C96A140
Source: CSh#U0430rk F1 x.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: perfos.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Section loaded: profapi.dll
Source: CSh#U0430rk F1 x.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: CSh#U0430rk F1 x.exe Static file information: File size 30524416 > 1048576
Source: CSh#U0430rk F1 x.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1cba200
Source: CSh#U0430rk F1 x.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: CSh#U0430rk F1 x.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PortConnector
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe API coverage: 5.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94D5E0 HeapFree,HeapFree,HeapFree,GetSystemInfo,HeapFree,memset,memcpy,WakeByAddressAll,WakeByAddressSingle,memcpy,HeapFree,HeapReAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,HeapFree, 0_2_00007FF68C94D5E0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipesd
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000%
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesZ
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2414207059.000001FEBEADB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc 
Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O T
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jlktlqfkpuggghd Bus Pipes
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2431269979.000001FEBF309000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2421453971.000001FEBEC13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition@
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor$
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes2
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409617032.000001FEBEACD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts Cost5020External Interrupts/sec5022External Interrupts Cost5024Pending Interrupts/sec5026Pending Interrupts Cost5028Emulated Instructions/sec5030Emulated Instructions Cost5032Debug Register Accesses/sec5034Debug Register Accesses Cost5036Page Fault Intercepts/sec5038Page Fault Intercepts Cost5040NMI Interrupts/sec5042NMI Interrupts Cost5044Guest Page Table Maps/sec5046Large Page TLB Fills/sec5048Small Page TLB Fills/sec5050Reflected Guest Page Faults/sec5052APIC MMIO Accesses/sec5054IO Intercept Messages/sec5056Memory Intercept Messages/sec5058APIC EOI Accesses/sec5060Other Messages/sec5062Page Table Allocations/sec5064Logical Processor Migrations/sec5066Address Space Evictions/sec5068Address Space Switches/sec5070Address Domain Flushes/sec5072Address Space Flushes/sec5074Global GVA Range Flushes/sec5076Local Flushed GVA Ranges/sec5078Page Table Evictions/sec5080Page Table Reclamations/sec5082Page Table Re
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partitione0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service'
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partitionl;
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Serviceg
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor3
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409580092.000001FEBD2BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ime Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot4890HWP Request MSR Context Switches/sec4892Guest Run Time4894Idle Time4896% Total Run Time4898% Hypervisor Run Time4900% Guest Run Time4902% Idle Time4904Total Interrupts/sec4788Hyper-V Hypervisor4790Logical Processors4792Partitions4794Total Pages4796Virtual Processors4798Monitored Notifications4800Modern Standby Entries4802Platform Idle Transitions4804HypervisorStartupCost4906Hyper-V Hypervisor Root Partition4908Virtual Processors4910Virtual TLB Pages4912Address Spaces4914Deposited Pages4916GPA Pages4918GPA Space Modifications/sec4920Virtual TLB Flush Entires/sec4922Recommended Virtual TLB Size49244K GPA pages49262M GPA pages49281G GPA pages4930512G GPA pages49324K device pages49342M device pages49361G device pages4938512G device pages4940Attached Devices4942Device Interrupt Mappings4944I/O TLB Flushes/sec4946I/O TLB Flush Cost4948Device Interrupt Errors4950Device DMA Errors4952Device Interrupt Throttle Events4954Skipped Timer Ticks4956Partition Id4958Nested TLB Size4960Recommended Nested TLB Size4962Nested TLB Free List Size4964Nested TLB Trimmed Pages/sec4966Pages Shattered/sec4968Pages Recombined/sec4970I/O TLB Flushes Base4972Hyper-V Hypervisor Root Virtual Processor4974Total Run Time4976Hypervisor Run Time4978Remote Node Run Time4980Normalized Run Time4982Ideal Cpu4984Hypercalls/sec4986Hypercalls Cost4988Page Invalidations/sec4990Page Invalidations Cost4992Control Register Accesses/sec4994Control Register Accesses Cost4996IO Instructions/sec4998IO Instructions Cost5000HLT Instructions/sec5002HLT Instructions Cost5004MWAIT Instructions/sec5006MWAIT Instructions Cost5008CPUID Instructions/sec5010CPUID Instructions Cost5012MSR Accesses/sec5014MSR Accesses Cost5016Other Intercepts/sec5018Other Intercepts
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2409921608.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410092826.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408831349.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408899571.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410620969.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408985247.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410558008.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2409727867.000001FEBEAA3000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2408813948.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2410463963.000001FEBEACB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgg
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition.dll
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2414241239.000001FEBEADA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle C
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF13000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF17000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEEFB000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD1EC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorr
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000_
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0#{5-
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration ServiceEhN
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF320000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2432803702.000001FEBEF8F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000002.2439037665.000001FEBD268000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2428089691.000001FEBEF93000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2417174900.000001FEBEF78000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jlktlqfkpuggghd Bus
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C92C3C7 memcpy,memcmp,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,GetCurrentProcess,OpenProcessToken,GetTokenInformation,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceCounter,QueryPerformanceFrequency,QueryPerformanceFrequency,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,SetThreadExecutionState, 0_2_00007FF68C92C3C7
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9660B0 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF68C9660B0
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9211B9 SetUnhandledExceptionFilter,malloc, 0_2_00007FF68C9211B9
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe NtQueryInformationProcess: Indirect: 0x7FF68C96654C
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe NtQueryInformationProcess: Indirect: 0x7FF68C9666B1
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe NtQueryInformationProcess: Indirect: 0x7FF68C967A1C
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe NtQueryInformationProcess: Indirect: 0x7FF68C967AB4
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe NtQuerySystemInformation: Indirect: 0x7FF68C961D80
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C94D5E0 HeapFree,HeapFree,HeapFree,GetSystemInfo,HeapFree,memset,memcpy,WakeByAddressAll,WakeByAddressSingle,memcpy,HeapFree,HeapReAlloc,CloseHandle,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressSingle,WakeByAddressSingle,HeapFree, 0_2_00007FF68C94D5E0
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2417421702.000001FEBF394000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd=
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2430671978.000001FEBF09F000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2425918312.000001FEBEEF6000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2416784373.000001FEBEC18000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: CSh#U0430rk F1 x.exe, 00000000.00000003.2425918312.000001FEBEEF6000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2416784373.000001FEBEC18000.00000004.00000020.00020000.00000000.sdmp, CSh#U0430rk F1 x.exe, 00000000.00000003.2430671978.000001FEBF00C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWndg
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe Code function: 0_2_00007FF68C9660B0 GetProcessTimes,GetLastError,GetSystemTimes,GetLastError,GetProcessIoCounters,OpenProcessToken,GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,GetLastError,GetLastError,CloseHandle,GetLastError,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,GetLastError,memset,GetModuleFileNameExW,K32GetModuleFileNameExW,HeapFree,HeapFree,HeapFree,GetLastError,CloseHandle,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,VirtualQueryEx,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,HeapFree,HeapFree,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,RtlFreeHeap,ReadProcessMemory,HeapFree,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF68C9660B0
Source: C:\Users\user\Desktop\CSh#U0430rk F1 x.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
No contacted IP information