Windows Analysis Report
hdI44WsQzp

Overview

General Information

Sample name: hdI44WsQzp
renamed because original name is a hash value
Original sample name: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
Analysis ID: 1544568
MD5: 81051bcc2cf1bedf378224b0a93e2877
SHA1: ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA256: 7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
Infos:

Detection

Score: 0
Range: 0 - 100
Whitelisted: true
Confidence: 100%

Signatures

Monitors registry run keys for changes
Contains capabilities to detect virtual machines
Queries the volume information (name, serial number etc) of a device

Classification

Source: classification engine Classification label: clean21.win@2/1@0/0
Source: C:\Windows\System32\Taskmgr.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Windows\System32\Taskmgr.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: unknown Process created: C:\Windows\System32\Taskmgr.exe "C:\Windows\system32\taskmgr.exe" /4
Source: C:\Windows\System32\Taskmgr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32 Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Window found: window name: SysTabControl32 Jump to behavior

Boot Survival
barindex
Monitors registry run keys for changes
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Windows\System32\Taskmgr.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} Jump to behavior
Source: Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorui
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rkflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V Heartbeat ServiceD
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Volume Shadow Copy Requestord
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorb
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus PipesZ
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk SCSI Disk Device0
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorui
Source: Taskmgr.exe, 0000000B.00000003.1876737109.000001B5DAA5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (100 ns)3184Compacted Container Fill Ratio (%)3188Compactions failed due to ineligible container3190Compactions failed due to max fragmentation3192Container Move Retry Count3194Container moves failed due to ineligible container3196Compaction Failure Count3198Container Move Failure Count3200Dirty metadata pages3202Dirty table list entries3204Delete Queue entries9698Storage Management WSP Spaces Runtime9700Runtime Count 4ms9702Runtime Count 16ms9704Runtime Count 64ms9706Runtime Count 256ms9708Runtime Count 1s9710Runtime Count 4s9712Runtime Count 16s9714Runtime Count 1min9716Runtime Count Infinite3094Hyper-V Virtual Machine Bus Pipes3096Reads/sec3098Writes/sec3100Bytes Read/sec3102Bytes Written/sec9616SMB Direct Connection9618Stalls (Send Credit)/sec9620Stalls (Send Queue)/sec9622Stalls (RDMA Registrations)/sec9624Sends/sec9626Remote Invalidations/sec9628Memory Regions9630Bytes Received/sec9632Bytes Sent/sec9634Bytes RDMA Read/sec9636Bytes RDMA Written/sec9638Stalls (RDMA Read)/sec9640Receives/sec9642RDMA Registrations/sec96
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: >Hyper-V Guest Service Interface
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root PartitionF
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processorb
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service:
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: :Hyper-V Data Exchange Service
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes C
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorlr
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: BHyper-V PowerShell Direct Service
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000003.1879476729.000001B5DA62A000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid PartitionlHO
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000003.1879476729.000001B5DA62A000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA629000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000B.00000002.2100145614.000001B5DA554000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jxtdneswtnmcldt Bus
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: Taskmgr.exe, 0000000B.00000003.1876714557.000001B5DAABF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ota Statistics3434Total Requests/Second3436User Quota Violations/Second3438System Quota Violations/Second3440Active Shells3442Active Operations3444Active Users3446Process ID1914Hyper-V VM Vid Partition1916Physical Pages Allocated1918Preferred NUMA Node Index1920Remote Physical Pages1922ClientHandles1924CompressPackTimeInUs1926CompressUnpackTimeInUs1928CompressPackInputSizeInBytes1930CompressUnpackInputSizeInBytes1932CompressPackOutputSizeInBytes1934CompressUnpackOutputSizeInBytes1936CompressUnpackUncompressedInputSizeInBytes1938CompressPackDiscardedSizeInBytes1940CompressWorkspaceSizeInBytes1942CompressScratchPoolSizeInBytes1944CryptPackTimeInUs1946CryptUnpackTimeInUs1948CryptPackInputSizeInBytes1950CryptUnpackInputSizeInBytes1952CryptPackOutputSizeInBytes1954CryptUnpackOutputSizeInBytes1956CryptScratchPoolSizeInBytesgg
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: Taskmgr.exe, 0000000B.00000003.1876737109.000001B5DAA5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: on the server3336Errors - Receive errors on the server3338In - Total packets received3340Out - Total packets sent3342Sessions - Total sessions3230Teredo Server3232In - Teredo Server Total Packets: Success + Error3234In - Teredo Server Success Packets: Total3236In - Teredo Server Success Packets: Bubbles3238In - Teredo Server Success Packets: Echo3240In - Teredo Server Success Packets: RS-Primary3242In - Teredo Server Success Packets: RS-Secondary3244In - Teredo Server Error Packets: Total3246In - Teredo Server Error Packets: Header Error3248In - Teredo Server Error Packets: Source Error3250In - Teredo Server Error Packets: Destination Error3252In - Teredo Server Error Packets: Authentication Error3254Out - Teredo Server: RA-Primary3256Out - Teredo Server: RA-Secondary 3258In - Teredo Server Total Packets: Success + Error / sec3206Teredo Client3208In - Teredo Router Advertisement3210In - Teredo Bubble3212In - Teredo Data3214In - Teredo Invalid3216Out - Teredo Router Solicitation3218Out - Teredo Bubble3220Out - Teredo Data3222In - Teredo Data User Mode3224In - Teredo Data Kernel Mode3226Out - Teredo Data User Mode3228Out - Teredo Data Kernel Mode6468Hyper-V Dynamic Memory Integration Service6470Maximum Memory, Mbytes1848Bluetooth Radio1850Classic ACL bytes wr
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HHyper-V Time Synchronization Service$
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}00.png88
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V jxtdneswtnmcldt Bus Pipes
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipesd
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root PartitionX
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition}
Source: Taskmgr.exe, 0000000B.00000003.1877323378.000001B5DA60B000.00000004.00000020.00020000.00000000.sdmp, Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA994000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ZHyper-V Remote Desktop Virtualization ServiceU
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: Taskmgr.exe, 0000000B.00000002.2102211850.000001B5DA870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <Hyper-V Guest Shutdown ServiceI
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\ProgramData\Microsoft\User Account Pictures\user.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\Assets\SmallLogo.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\StoreAppList.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\System32\RuntimeBroker.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\Assets\Icons\AppListIcon.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation Jump to behavior
Source: C:\Windows\System32\Taskmgr.exe Queries volume information: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\Assets\SquareLogo44x44.scale-100.png VolumeInformation Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 process2 2 Behavior Graph ID: 1544568 Sample: hdI44WsQzp Startdate: 29/10/2024 Architecture: WINDOWS Score: 0 4 Taskmgr.exe 2 13 2->4         started        7 Taskmgr.exe 2->7         started        signatures3 9 Monitors registry run keys for changes 4->9
No contacted IP infos