Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1561652
MD5: a00d324c74f00710ced44b8c7f1a3561
SHA1: 218364f5e378c73877815755538d99250bbef5e5
SHA256: 86935c2a69aa7096890dd8b72291170dfd9a5d7b22f3a83e70b6e7afcc2d75d7
Tags: exeuser-Bitsight

Detection

Score: 10
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to get notified if a device is plugged in / out
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
One or more processes crash
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Sample file name is different from the original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: certificate valid
Source: file.exe Static PE information: DYNAMIC_BASE, FORCE_INTEGRITY, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: Taskmgr.pdbUGP source: file.exe
Source: Binary string: Taskmgr.pdb source: file.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00651502 EnterCriticalSection,UnregisterDeviceNotification,GetLastError,CloseHandle, 0_2_00651502
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DF0B3 memset,FindClose,SHGetSpecialFolderPathW,FindFirstFileW,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetLastError,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree, 0_2_005DF0B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064AF6F GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp, 0_2_0064AF6F
Source: Amcache.hve.4.dr String found in binary or memory: http://upx.sf.net
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00658620 CreateStreamOnHGlobal,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,OpenClipboard,GetLastError,GetCurrentThreadId,EmptyClipboard,GetHGlobalFromStream,GetCurrentThreadId,SetClipboardData,CloseClipboard, 0_2_00658620
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00646DB2 CreateStreamOnHGlobal,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,SendMessageW,SendMessageW,SendMessageW,memset,SendMessageW,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,SendMessageW,SendMessageW,memset,SendMessageW,SendMessageW,OpenClipboard,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,EmptyClipboard,GetHGlobalFromStream,GetCurrentThreadId,SetClipboardData,CloseClipboard,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00646DB2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00609855 LdrInitializeThunk,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,RegGetValueW,RegOpenKeyExW,RegDeleteValueW,RegCloseKey,GetCurrentThreadId,GetCurrentThreadId,LdrInitializeThunk,LdrInitializeThunk,RegGetValueW,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey, 0_2_00609855
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E7700 memset,memset,?GetHWND@NativeHWNDHost@DirectUI@@QAEPAUHWND__@@XZ,ForwardGadgetMessage,GetKeyState,GetKeyState,SendMessageW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,GetKeyState,LdrInitializeThunk,GetKeyState,SetFocus, 0_2_005E7700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060D05C NtQuerySystemInformation, 0_2_0060D05C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064B0AA NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_0064B0AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E81C1 NtQueryInformationToken,memset,NtQueryInformationToken,RtlInitUnicodeString,RtlCompareUnicodeString,RtlNtStatusToDosErrorNoTeb,RtlNtStatusToDosErrorNoTeb,HeapFree, 0_2_005E81C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EE397 NtQuerySystemInformation,RtlNtStatusToDosError,EnterCriticalSection,GetCurrentThreadId,LeaveCriticalSection, 0_2_005EE397
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F1410 LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,GetCurrentThreadId,__aulldiv,GetCurrentThreadId,GetCurrentThreadId,VDMEnumProcessWOW,SysFreeString,SysAllocString,GetCurrentThreadId,LdrInitializeThunk,QueueUserWorkItem,SetEvent,PostMessageW, 0_2_005F1410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F26F0 NtQuerySystemInformation,RtlNtStatusToDosError,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,CompareStringOrdinal,CompareStringOrdinal,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,memset,GetVersionExW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LdrInitializeThunk,LdrInitializeThunk,memset,GetVersionExW,GetLastError,_ftol2,LeaveCriticalSection, 0_2_005F26F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E19FF PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NtQueryTimerResolution,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_005E19FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EDBE6 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_005EDBE6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F5C20 CompareStringOrdinal,OpenProcess,GetLastError,GetCurrentThreadId,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,CloseHandle, 0_2_005F5C20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060ECED NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,ReadProcessMemory,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError, 0_2_0060ECED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EDD90 NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_005EDD90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EC040 memset,NtQuerySystemInformation,GetPhysicallyInstalledSystemMemory,EnterCriticalSection,LeaveCriticalSection,GetProcessHeap,HeapFree,RtlNtStatusToDosError,RtlNtStatusToDosError,GetLastError, 0_2_005EC040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006500A8 LdrInitializeThunk,GetCurrentThread,NtQueryInformationThread,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_006500A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061D198 ZwQueryWnfStateData, 0_2_0061D198
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00613290 NtQuerySystemInformationEx,RtlNtStatusToDosError, 0_2_00613290
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0065B3BC GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId, 0_2_0065B3BC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066D463 DuplicateHandle,GetLastError,GetCurrentThreadId,NtQueryObject,RtlNtStatusToDosError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,CloseHandle, 0_2_0066D463
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061D477 NtPowerInformation,RtlNtStatusToDosError, 0_2_0061D477
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EC4F0 EnterCriticalSection,GetCurrentThreadId,VDMEnumProcessWOW,SetEvent,WaitForSingleObject,LeaveCriticalSection,NtQuerySystemInformation,RtlNtStatusToDosError,PostMessageW, 0_2_005EC4F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064E4B9 GetCurrentThreadId,NtSetInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_0064E4B9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006595C2 memset,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_006595C2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E36C1 ZwQueryWnfStateData,ZwQueryWnfStateData,GetProcAddress, 0_2_005E36C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EB69F NtOpenFile,RtlNtStatusToDosError,SetLastError, 0_2_005EB69F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061B719 GetLogicalProcessorInformationEx,GetLastError,LocalAlloc,GetLogicalProcessorInformationEx,GetLastError,LocalAlloc,NtPowerInformation,LocalFree,RtlNumberOfSetBitsUlongPtr,LocalFree, 0_2_0061B719
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066D71A DuplicateHandle,GetLastError,NtQueryInformationFile,RtlNtStatusToDosError,GetFileType,CloseHandle, 0_2_0066D71A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066A7FB NtSetInformationFile, 0_2_0066A7FB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E28C4 PcwCreateQuery,RtlInitUnicodeString,RtlInitUnicodeString,PcwAddQueryItem,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapAlloc,NtQueryTimerResolution,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_005E28C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00631989 memset,LdrInitializeThunk,EtwCheckCoverage,NtSetInformationProcess,GetLastError,CloseHandle,LdrInitializeThunk,NtQueryInformationProcess,LdrInitializeThunk,CloseHandle, 0_2_00631989
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064CA3E NtQueryInformationProcess,RtlNtStatusToDosError, 0_2_0064CA3E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00613B5C NtQuerySystemInformation,RtlNtStatusToDosError, 0_2_00613B5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00677C33 NtQueryInformationToken,NtQueryInformationToken, 0_2_00677C33
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00624C00 GetCurrentThreadId,GetCurrentThreadId,NtQuerySystemInformation, 0_2_00624C00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EECAF NtQuerySystemInformation,RtlNtStatusToDosError,EnterCriticalSection,GetCurrentThreadId,GetCurrentThreadId,SetEvent, 0_2_005EECAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005FBDE3 NtQuerySystemInformation,GetDurationFormatEx, 0_2_005FBDE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle, 0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EBE88 NtQuerySystemInformation,GetProcessHeap,HeapAlloc,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_005EBE88
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064BE8F GetProcessHeap,HeapAlloc,GetCurrentThreadId,memset,NtQueryInformationProcess,RtlNtStatusToDosError,GetCurrentThreadId,NtQueryInformationProcess,GetProcessHeap,HeapFree,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_0064BE8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0065AF3D NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,NtQuerySystemInformation,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId, 0_2_0065AF3D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064FFD4 GetCurrentThreadId,NtQueryInformationProcess,CloseHandle,RtlNtStatusToDosError,GetCurrentThreadId, 0_2_0064FFD4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EB300 memset,DeviceIoControl,CloseHandle,SetLastError,SetLastError,GetLastError,CloseHandle,SetLastError, 0_2_005EB300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F1410 0_2_005F1410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060A630 0_2_0060A630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F26F0 0_2_005F26F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060BABC 0_2_0060BABC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0065F026 0_2_0065F026
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F81B0 0_2_005F81B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064B210 0_2_0064B210
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0062A4BF 0_2_0062A4BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005CA632 0_2_005CA632
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006196B0 0_2_006196B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064D747 0_2_0064D747
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00610840 0_2_00610840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F99AA 0_2_005F99AA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00659B00 0_2_00659B00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061EC66 0_2_0061EC66
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E9C40 0_2_005E9C40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0065FCFB 0_2_0065FCFB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061FDFA 0_2_0061FDFA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E2DB0 0_2_005E2DB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EDE20 0_2_005EDE20
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0060068C appears 50 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0061B9D0 appears 78 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 006428F8 appears 124 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 005F7A70 appears 36 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 005E9AE8 appears 1002 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1200 -s 1460
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000002.2451967769.000000000068B000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe, 00000000.00000002.2452938841.00000000060D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRuntimeBroker.exej% vs file.exe
Source: file.exe, 00000000.00000000.2038868847.0000000000696000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameTaskmgr.exej% vs file.exe
Source: file.exe Binary string: %s (%d)CBExpandoButtonImageCBExpandoButtonImageTextCpuChartTitleNumaCpuChartTitleLogicalRateLabelCpuDPA_Createbcrypt.dllsidebar_disk_name_%ddashSidebarEntrydashSidebarEntryViewer%s\Device\%sdashSidebarMemoryChart
Source: file.exe Binary string: F\device\mup\WdcAppHistoryMonitor::GetColumnTexth:mm:ssWdcAppHistoryMonitor::UpdateInitializeWdcAppHistoryMonitor::_ReconcileImmersiveApplicationWdcAppHistoryMonitor::_ReconcileSingleAppPackageWdcAppHistoryMonitor::_ReconcileMultiAppPackageWdcAppHistoryMonitor::_GetPackageIconPathAppXManifest.xmlLogoWdcAppHistoryMonitor::_GetIconAndBackgroundColorForApplicationWdcAppHistoryMonitor::_CreateAppHistoryEntryWdcAppHistoryMonitor::_CreateApplicationEntryWdcAppHistoryMonitor::_CreateAndInitIconItemWdcAppHistoryMonitor::_SetIconWdcAppHistoryMonitor::_SetStackedIconWdcAppHistoryMonitor::_GetDwmDosPath%s%s\dwm.exeWdcAppHistoryMonitor::_AddDesktopItemEntry%windir%\system32\svchost.exeWdcAppHistoryMonitor::_AddAppMappingKeyByKeyWdcAppHistoryMonitor::_MapAndGetPackageNameKeyWdcAppHistoryMonitor::_MapAndGetSpecialItemEntrySystem\System interruptssvchost.exe [Uninstalled AppsRemote running AppsWdcAppHistoryMonitor::_MapAndGetDesktopItemEntryWdcAppHistoryMonitor::_CheckAndProcessShortExePathsWdcAppHistoryMonitor::_AddAppMappingKeyWdcAppHistoryMonitor::_RemoveAppMappingKeyByPrimarykeyWdcAppHistoryMonitor::_IsImmersiveApplicationInstallDateSoftware\Microsoft\Windows NT\CurrentVersionLastUpdateTextWdcAppHistoryMonitor::_RefreshLastUpdatedTextWdcAppHistoryMonitor::_RetireOldUsageDataWdcAppHistoryMonitor::_RegisterForSrumDataWdcAppHistoryMonitor::_ProcessNetworkSrumRecordWdcAppHistoryMonitor::_UpdateServiceMappingWdcAppHistoryMonitor::_GetServiceExePathWdcAppHistoryMonitor::_ProcessCpuSrumRecordWdcAppHistoryMonitor::_ProcessNotificationsSrumRecordAppHistoryStringCache::InitializeAppHistoryStringCache::AddI
Source: classification engine Classification label: clean10.evad.winEXE@2/5@0/0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F80B1 FormatMessageW,GetLastError, 0_2_005F80B1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00614D39 GetProcessHeap,HeapAlloc,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,GetProcessHeap,HeapFree,GetCurrentThreadId,GetLastError,GetCurrentThreadId,GetLastError,GetCurrentThreadId, 0_2_00614D39
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree, 0_2_00603169
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\TM.750ce7b0-e5fd-454f-9fad-2f66513dfa1b
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:64:WilError_02
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1200
Source: C:\Windows\SysWOW64\WerFault.exe File created: C:\ProgramData\Microsoft\Windows\WER\Temp\e910683c-5a33-452c-a804-9511b4f78957
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: credui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vdmdbg.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d12.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: networkuxbroker.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srumapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.ui.immersive.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: tiledatarepository.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: staterepository.core.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepository.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: actxprxy.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09c5dd34-009d-40fa-bcb9-0165ad0c15d4}\InProcServer32
Source: C:\Users\user\Desktop\file.exe Window found: window name: SysTabControl32
Source: initial sample Static PE information: Valid certificate with Microsoft Issuer
Source: file.exe Static file information: File size 1278832 > 1048576
Source: file.exe Static PE information: More than 200 imports for DUI70.dll
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: file.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: file.exe Static PE information: section name: .imrsiv
Source: file.exe Static PE information: section name: .didat
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00618149 push ecx; ret 0_2_0061815C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061811D push ecx; ret 0_2_00618130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C4C00 push esp; iretd 0_2_005C4C11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005C4C38 push esp; iretd 0_2_005C4C39
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060A630 LoadIconW,SendMessageW,SetTimer,LdrInitializeThunk,GetClientRect,SetWindowPos,LdrInitializeThunk,IsIconic,LdrInitializeThunk,ShowWindow,GetCurrentThreadId,GetFocus,IsWindow,SetFocus,?GetKeyFocusedElement@HWNDElement@DirectUI@@SGPAVElement@2@XZ,SetFocus,LdrInitializeThunk,PostMessageW,DestroyWindow,DestroyWindow,PostQuitMessage,ShowWindow,ShowWindow,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,CheckMenuItem,GetCurrentThreadId,CheckMenuItem,PostMessageW,GetTickCount64,GetCurrentThreadId,KillTimer,GetCurrentThreadId,GetCurrentThreadId,OpenIcon,SetForegroundWindow,SetWindowPos,PostMessageW,PostMessageW,IsWindowEnabled,DefWindowProcW,GetTickCount64, 0_2_0060A630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066C466 IsIconic,ShowWindowAsync,GetLastActivePopup,IsWindow,GetWindowLongW,ShowWindow,SwitchToThisWindow,MessageBeep, 0_2_0066C466
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060B558 LdrInitializeThunk,IsIconic,PostMessageW, 0_2_0060B558
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0060B59A IsIconic,IsZoomed,IsZoomed,GetWindowRect,EqualRect,CopyRect,GetWindowRect,EqualRect,CopyRect,GetCurrentThreadId,RegSetValueExW,GetCurrentThreadId,RegCloseKey, 0_2_0060B59A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006658B0 IsIconic,ShowWindowAsync,SetWindowPos,AllowSetForegroundWindow,SetForegroundWindow, 0_2_006658B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00615CA4 IsZoomed,IsIconic,GetWindowRect,GetWindowRect, 0_2_00615CA4
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle, 0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe API coverage: 4.6 %
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DF0B3 memset,FindClose,SHGetSpecialFolderPathW,FindFirstFileW,GetProcessHeap,HeapFree,FindNextFileW,FindClose,GetLastError,GetCurrentThreadId,GetLastError,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree, 0_2_005DF0B3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064AF6F GetLogicalDriveStringsW,QueryDosDeviceW,GetLastError,_wcsnicmp, 0_2_0064AF6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061BA0F GetSystemInfo,LocalAlloc,LocalFree, 0_2_0061BA0F
Source: Amcache.hve.4.dr Binary or memory string: VMware
Source: file.exe Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.4.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.4.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.4.dr Binary or memory string: vmci.sys
Source: Amcache.hve.4.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.4.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe Binary or memory string: ImageList_RemoveImageList_ReplaceIconImageList_CreateImageList_DestroyWdcLoadStringExWdcExpandMemoryWdcExpandingCallWdcExpandVariablesTmGetDescriptionFromVersionInfoTmGetDescriptionFromVersionInfoEx\StringFileInfo\04090000\%sTmGetStringFromVersionInfoTmGetProcessCommandLine :TmCheckSpecialProcessWdcProcessMonitor::CreateEntryWdcProcessMonitor::GetImageNameWdcGetProcessCriticalWdcProcessMonitor::GetCreateTimeWdcProcessMonitor::GetCriticalWdcProcessMonitor::ListUpdateWdcProcessMonitor::_CreateHangDetectionThreadWdcProcessMonitor::ResolveImageIconWdcProcessMonitor::ResolveImageDescriptionWdcProcessMonitor::ResolveImageNameWdcProcessMonitor::InitializePCWQueryWdcProcessMonitor::UpdateQueryWdcProcessMonitor::UpdateAllProcessCpuUsage: %fAllProcessCycleUsage: %fWdcProcessMonitor::_TmGetProcessUserNameWdcProcessMonitor::_AddUserNameForSidWdcProcessMonitor::ProcessSetIsElevatedWdcProcessMonitor::GetProcessPriorityWdcProcessMonitor::ProcessToggleUACWdcProcessMonitor::LoadProcessorAffinityWdcProcessMonitor::GetCurrentAffinityWdcServiceCache::_InitBackgroundThreadWdcServiceMonitor::CreateEntrybase\diagnosis\pdui\atm\main\service.cppWdcServiceMonitor::UpdateServiceState Change: DevQueryStateAbortedUPDATE:Remove: %sWdcDiskMonitor::AddDiskRegisterDiskInterfaceToHwnd failed at %dWdcDiskMonitor::GetDiskNumberWdcDiskMonitor::GetVolumeNameWdcDiskMonitor::ShouldIncludeDiskWdcDiskMonitor::EnumerateDiskExtentsWdcDiskMonitor::GetDiskExtentsWdcDiskMonitor::GetDriveInfoUnregisterDeviceNotification failed at 
%dWdcDiskMonitor::ClearDiskWdcDiskMonitor::QueryWdcDiskMonitor::CloneDriveInfoWdcDiskMonitor::GetCurrentDisksWdcDiskMonitor::CloseDiskHandleWdcDiskMonitor::IsVHDWdcDiskMonitor::GetDiskCapacityTmExpandMemoryWdcCpuMonitor::InitializePCWQueryTmQueryPcwCounterWdcCpuMonitor::UpdateQueryWdcCpuMonitor::GetNumaNodesCpusWdcCpuMonitor::QueryTmProcessorFrequency::_InitGroupInfoTmProcessorFrequency::_InitProcessorInfoTmProcessorFrequency::_GetProcessorFrequencyDistributionTmProcessorFrequency::_GetInstantaneousCpuSpeedCRUMPCHelper::PCHelperInitializebase\diagnosis\pdui\atm\main\rumdatasrcs.cppCRUMPCHelper::QueryCRUMPCHelper::UpdateFSUtilizationCRUMPCHelper::UpdateProcessorUtilizationCRUMAPIHelper::InitializeSrumCRUMAPIHelper::SrumThreadCRUMHelper::RUMHelperInitializeCRUMHelper::CalcSysDiskMetricsCRUMHelper::CalcSysNetMetricsCRUMHelper::AddProcDataCRUMHelper::GetProcResUsagebase\diagnosis\pdui\atm\main\network.cppWdcNetworkMonitor::PerInstanceDataRetrieveWdcNetworkMonitor::GetAdapterInfoWdcNetworkMonitor::QueryWdcMemoryMonitor::UpdateVMQuerybase\diagnosis\pdui\atm\main\memory.cppWdcMemoryMonitor::InitializePCWQueryHyper-V Dynamic Memory Integration ServiceMicrosoft HvWdcErrorMessageGetProcessWaitChainAsyncPopulateWaitTreeOnPostGetWaitChainTreeView_GetCheckedProcessCountInitializeMRTResourceManagerresources.priMrtGetThreadPreferredUILanguageNameMrtCreateOverrideResourceContextTmGetLocalizedLogoPathTmCombinePathDUI_GetElementScreenBoundsTmFormatMessageDUI_GetElementBoundsSoftware\Mi
Source: Amcache.hve.4.dr Binary or memory string: VMware20,1
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.4.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.4.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.4.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E82FE GetThreadUILanguage,LdrInitializeThunk,GetLocaleInfoW, 0_2_005E82FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0061913D IsDebuggerPresent, 0_2_0061913D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E7A66 ActivateActCtx,ActivateActCtx,OutputDebugStringA,GetLastError, 0_2_005E7A66
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0066CE2C GetCurrentProcessId,OpenProcess,GetLastError,GetCurrentThreadId,LdrInitializeThunk,NtQuerySystemInformation,GetProcessHeap,HeapFree,GetProcessHeap,HeapAlloc,RtlNtStatusToDosError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,CloseHandle, 0_2_0066CE2C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E81C1 mov ecx, dword ptr fs:[00000030h] 0_2_005E81C1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E8298 mov eax, dword ptr fs:[00000030h] 0_2_005E8298
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E82D4 mov eax, dword ptr fs:[00000030h] 0_2_005E82D4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree, 0_2_00603169
Source: C:\Users\user\Desktop\file.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006179A0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006179A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E9B97 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetLastError,GetLastError, 0_2_005E9B97
Source: file.exe Binary or memory string: base\diagnosis\pdui\atm\main\tmutils.cppWdcInitializeCriticalSectionGetProcessAppContainerSidTmHeatTextbase\diagnosis\pdui\atm\main\colheader.cppSortArrowSortAscendingContendSortAscendingSortDescendingContendSortDescendingAtmColumnHeader::_UpdateSortArrowHeatMapCumulativeAtmColumnHeader::UpdateSysUtilizationColumns%d:%I64uAtmViewItem::InitializeParentColumnViewExpandoImageWrapperTmFirstColumnAtmViewItem::InitializeChildColumnTmColStatusTextTmLeafIconAtmViewItem::UpdateParentRowAtmViewItem::UpdateSuspendedStatusAtmViewItem::SetVisibilityAndToolTipAtmViewItem::UpdateChildCountTmViewRowAtmViewItem::UpdateChildRowTmRowIconAtmViewItem::CreateSmallViewItemFromDataAtmViewItem::CreateChildViewItemFromDataAtmViewItem::SetIconTmColHeaderContendTmColHeaderResourceValueClassWhiteContendResourceValueClassColHeaderTextContendTmExpandoTmAppViewItemTmUsersChildViewItembase\diagnosis\pdui\atm\main\tmsmallview.cppTmSmallViewTmSmallViewItembase\diagnosis\pdui\atm\main\tmlowmemoryview.cppTmLowMemoryViewTmLowMemoryViewItemTmSpecialProcesses::InitProcessPaths%windir%\Explorer.exe%windir%\system32\PickerHost.exe%WINDIR%\ImmersiveControlPanel\SystemSettings.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeSH.exeMicrosoftEdgeDevtools.exeMicrosoftEdgeBCHost.exeWindows.WARP.JITService.exechrome.exefirefox.exeopera.exeiexplore.exevivaldi.exebrave.exetor.exemaxthon.exeepic.exepalemoon.exeApp_MonitorWdcApplicationsMonitor::CreateEntryWdcApplicationsMonitor::UpdateInitializeWdcApplicationsMonitor::GetMemoryPercentageWdcApplicationsMonitor::ResolveImagePublisher_DesktopWdcApplicationsMonitor::ResolveImageFriendlyNameTabWindowClassWindows.UI.Core.CoreWindowMicrosoft 
EdgeWindows.WARP.JITServiceS-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1821068571-1793888307-623627345-1529106238S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1206159417-1570029349-2913729690-1184509225S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3513710562-3729412521-1863153555-1462103995S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-3859068477-1314311106-1651661491-1685393560S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4043415302-551583165-304772019-4009825106S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-1618978223-3991232872-53169767-3645722245S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-4256926629-1688279915-2739229046-3928706915S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-2385269614-3243675-834220592-3047885450S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194-355265979-2879959831-980936148-1241729999WdcApplicationsMonitor::ResolveImageFriendlyName_DesktopWdcApplicationsMonitor::ResolveImageNameWdcApplicationsMonitor::IsCriticalProcessWdcApplicationsMonitor::_CalcP
Source: file.exe Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\file.exe Code function: GetThreadUILanguage,LdrInitializeThunk,GetLocaleInfoW, 0_2_005E82FE
Source: C:\Users\user\Desktop\file.exe Code function: GetCurrentProcessId,ProcessIdToSessionId,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,GetLocaleInfoEx,LdrInitializeThunk,GetKeyState,GetLastError,GetLastError,GetLastError,GetLastError,GetKeyState,GetKeyState, 0_2_00602F63
Source: C:\Users\user\Desktop\file.exe Code function: memset,LdrInitializeThunk,LdrInitializeThunk,GetLocaleInfoW,_wtoi,GetProcessHeap,HeapAlloc,GetLastError,GetCurrentThreadId, 0_2_005E5640
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E25E0 GetSystemTime,MsgWaitForMultipleObjectsEx,PeekMessageW,WaitForSingleObject,TranslateMessage,DispatchMessageW,CoUninitialize,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetLastError, 0_2_005E25E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00603169 CoCreateInstance,GetCurrentThreadId,GetCurrentThreadId,GetComputerNameW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetProcessHeap,HeapAlloc,GetCurrentThreadId,LookupAccountNameLocalW,GetLastError,GetCurrentThreadId,ConvertSidToStringSidW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,LocalFree, 0_2_00603169
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005F26F0 NtQuerySystemInformation,RtlNtStatusToDosError,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,CompareStringOrdinal,CompareStringOrdinal,SysFreeString,SysAllocString,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,memset,GetVersionExW,GetLastError,GetCurrentThreadId,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,GetCurrentThreadId,EnterCriticalSection,LeaveCriticalSection,EnterCriticalSection,LdrInitializeThunk,LdrInitializeThunk,memset,GetVersionExW,GetLastError,_ftol2,LeaveCriticalSection, 0_2_005F26F0
Source: Amcache.hve.4.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr Binary or memory string: MsMpEng.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00604549 ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,?SetAccDesc@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,GetCurrentThreadId,?Add@Element@DirectUI@@QAEJPAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,SysFreeString,SysAllocString,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapAlloc,GetCurrentThreadId,GetCurrentThreadId,GetProcessHeap,HeapFree,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?Destroy@Element@DirectUI@@QAEJ_N@Z,?Destroy@Element@DirectUI@@QAEJ_N@Z, 0_2_00604549
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005EA843 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?GetLayoutPos@Element@DirectUI@@QAEHXZ,?SetContentString@Element@DirectUI@@QAEJPBG@Z,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?GetLayoutPos@Element@DirectUI@@QAEHXZ,?SetLayoutPos@Element@DirectUI@@QAEJH@Z,?RemoveListener@Element@DirectUI@@QAEXPAUIElementListener@2@@Z,?SetWidth@Element@DirectUI@@QAEJH@Z, 0_2_005EA843
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00613991 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,GetCurrentThreadId,?Destroy@Element@DirectUI@@QAEJ_N@Z, 0_2_00613991
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005FED39 ?CreateElement@DUIXmlParser@DirectUI@@QAEJPBGPAVElement@2@1PAKPAPAV32@@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,?SetAccDesc@Element@DirectUI@@QAEJPBG@Z,?SetAccName@Element@DirectUI@@QAEJPBG@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?SetID@Element@DirectUI@@QAEJPBG@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?Add@Element@DirectUI@@QAEJPAV12@@Z,?SetContentString@Element@DirectUI@@QAEJPBG@Z,?SetAccName@Element@DirectUI@@QAEJPBG@Z, 0_2_005FED39
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00611DCC PathIsNetworkPathW,SHParseDisplayName,SHBindToParent,StrRetToBufW,ILFree, 0_2_00611DCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00605D89 StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,GetCurrentThreadId,GetCurrentThreadId,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?GetParent@Element@DirectUI@@QAEPAV12@XZ,?GetParent@Element@DirectUI@@QAEPAV12@XZ,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z,StrToID,?FindDescendent@Element@DirectUI@@QAEPAV12@G@Z,?AddListener@Element@DirectUI@@QAEJPAUIElementListener@2@@Z, 0_2_00605D89
No contacted IP infos