Windows Analysis Report
s9sRFRPn1i.exe

Overview

General Information

Sample name: s9sRFRPn1i.exe
Analysis ID: 1427909
MD5: 262a7eb58a01d1aab21b24292c181cd3
SHA1: 535312b7048fb90be981e04ea759c5ad8aaf6eda
SHA256: 107090a44888272297ecb7a715a9abca4bc17dafe6aa57505436722a5a9926a6

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Found direct / indirect Syscall (likely to bypass EDR)
Queries memory information (via WMI often done to detect virtual machines)
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to call native functions
Contains functionality to launch a program with higher privileges
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
PE file contains sections with non-standard names
Program does not show much activity (idle)
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

AV Detection

Source: s9sRFRPn1i.exe Avira: detected
Source: s9sRFRPn1i.exe Virustotal: Detection: 65%
Source: s9sRFRPn1i.exe ReversingLabs: Detection: 37%
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B464A0 memcpy,memcpy,memcpy,memcpy,memcpy,memcmp,memcpy,memcpy,memcpy,memcmp,memcpy,memcpy,BCryptGenRandom,SystemFunction036,memcpy, 0_2_00007FF607B464A0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B7EEC0 memcpy,memcpy,HeapFree,BCryptGenRandom,SystemFunction036, 0_2_00007FF607B7EEC0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B57370 BCryptGenRandom,SystemFunction036, 0_2_00007FF607B57370
Source: s9sRFRPn1i.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 4x nop then sub rsp, 58h 0_2_00007FF607C21790
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BBD930 memcmp,memcmp,memcmp,memcpy,memcpy,memcpy,memcmp,memcmp,memcmp,memcmp,memcmp,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,HeapFree,memcpy,WakeByAddressSingle,memcpy,ioctlsocket,recv,WSAGetLastError,ioctlsocket,memcpy,memcmp,memcmp,memcmp,WSAGetLastError,WSAGetLastError,HeapFree,HeapFree,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy,memcpy, 0_2_00007FF607BBD930
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2DF000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC55000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2DF000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC55000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2DF000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2B7000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2BE000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC55000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2DF000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC55000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC6D000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC77000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertGlobalRootG2.crt
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B2B7000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2BE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: s9sRFRPn1i.exe String found in binary or memory: https://docs.rs/rustls/latest/rustls/manual/_03_howto/index.html#unexpected-eof
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BAE2B0 NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,NtQueryInformationProcess,ReadProcessMemory,ReadProcessMemory,HeapFree,GetLastError,HeapFree,VirtualQueryEx,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlRestoreThreadPreferredUILanguages,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,HeapFree,HeapFree, 0_2_00007FF607BAE2B0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BB4EB0 PdhCollectQueryData,HeapFree,HeapFree,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlDeleteBoundaryDescriptor,GetSystemTimePreciseAsFileTime,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressAll,HeapFree,HeapFree,HeapFree, 0_2_00007FF607BB4EB0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BAF1E0 NtQueryInformationProcess,NtQueryInformationProcess,HeapFree,HeapFree, 0_2_00007FF607BAF1E0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B13CC0 RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,GetTickCount64,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess, 0_2_00007FF607B13CC0
Source: classification engine Classification label: mal72.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B9D0D0 FormatMessageW,GetLastError, 0_2_00007FF607B9D0D0
Source: s9sRFRPn1i.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: pdh.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Section loaded: perfos.dll
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: s9sRFRPn1i.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: s9sRFRPn1i.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: s9sRFRPn1i.exe Static file information: File size 2414592 > 1048576
Source: s9sRFRPn1i.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1a9000
Source: s9sRFRPn1i.exe Static PE information: section name: .xdata
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607D5E830 push rbp; retf 0_2_00007FF607D5E833
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607D5EBA8 push rbp; retf 0_2_00007FF607D5EBAB
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607C20AA8 push rbp; retf 0_2_00007FF607D5EB13
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607C20AA8 push rsi; retf 0_2_00007FF607D5EB73
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607D5EA88 push rbp; retf 0_2_00007FF607D5EA8B
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\s9sRFRPn1i.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B732E0 GetSystemTimePreciseAsFileTime followed by cmp: cmp word ptr [rcx+18h], 0016h and CTI: je 00007FF607B73AF8h 0_2_00007FF607B732E0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BB2390 GetSystemInfo,HeapFree,HeapFree,memcpy,HeapFree,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,memcpy,memcpy, 0_2_00007FF607BB2390
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V ncxfrwalxntsfux Bus
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid PartitionllF'p
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B3A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: X2Hyper-V VM Vid Partition
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical Processor
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sWDHyper-V Hypervisor Root Partition
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisorr
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processor.dll
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Virtual Machine Bus Pipes
Source: s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC94000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC8A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: THyper-V Hypervisor Root Virtual ProcessorH
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &Hyper-V Hypervisor
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 2Hyper-V VM Vid Partition"=
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V VM Vid Partition
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration Service
Source: s9sRFRPn1i.exe, 00000000.00000003.1715165374.000002995ACA1000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1729139779.000002995ACA9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: s9sRFRPn1i.exe, 00000000.00000003.1715401234.000002995AC6D000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1724219798.000002995AC77000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPS6
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: DHyper-V Hypervisor Root Partitiona
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V HypervisorU
Source: s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B2E6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: NXTcaVMWare
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipes
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: AlDHyper-V Virtual Machine Bus Pipes
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Virtual Machine Bus Pipesv>
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V ncxfrwalxntsfux Bus Pipes
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VHyper-V Dynamic Memory Integration ServiceF
Source: s9sRFRPn1i.exe, 00000000.00000003.1708492388.000002995AA84000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Partition`>
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processor"
Source: s9sRFRPn1i.exe, 00000000.00000002.1734167100.00000299590E0000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1732480644.00000299590CC000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1720920374.00000299590DD000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AF6F000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B0FE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JHyper-V Hypervisor Logical ProcessorXN
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Root Virtual Processork*
Source: s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEBB000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995902C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor Logical Processorc.sys
Source: s9sRFRPn1i.exe, 00000000.00000003.1707766821.000002995AA84000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1707202437.000002995AA8C000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1709809117.000002995AA8C000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1708356545.000002995AA8C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: kflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1
Source: s9sRFRPn1i.exe, 00000000.00000002.1734009697.000002995906A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1728708798.000002995B04A000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1714945869.000002995AEF9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Hypervisor
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B3A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B13CC0 RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,GetTickCount64,GetCurrentProcess,CheckRemoteDebuggerPresent,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess,GetCurrentProcess,NtQueryInformationProcess, 0_2_00007FF607B13CC0
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BAA270 HeapReAlloc,SafeArrayDestroy,HeapFree,HeapFree,memcpy,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapFree,memcmp,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,SysFreeString,SysFreeString, 0_2_00007FF607BAA270
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607D5EBA8 SetUnhandledExceptionFilter,Sleep, 0_2_00007FF607D5EBA8
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B111B9 SetUnhandledExceptionFilter,malloc,strlen,malloc,memcpy,_initterm, 0_2_00007FF607B111B9
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\s9sRFRPn1i.exe NtQuerySystemInformation: Indirect: 0x7FF607BB5485
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe NtQueryInformationProcess: Indirect: 0x7FF607BAE374
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe NtQueryInformationProcess: Indirect: 0x7FF607BAF291
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe NtQueryInformationProcess: Indirect: 0x7FF607BAE4D9
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe NtQueryInformationProcess: Indirect: 0x7FF607BAF20C
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607B464A0 memcpy,memcpy,memcpy,memcpy,memcpy,memcmp,memcpy,memcpy,memcpy,memcmp,memcpy,memcpy,BCryptGenRandom,SystemFunction036,memcpy, 0_2_00007FF607B464A0
Source: s9sRFRPn1i.exe, 00000000.00000003.1724598999.000002995AEF4000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B3E4000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B3EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B3E4000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B3EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd]1Q
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe Code function: 0_2_00007FF607BB4EB0 PdhCollectQueryData,HeapFree,HeapFree,RtlAllocateHeap,NtQuerySystemInformation,HeapFree,RtlDeleteBoundaryDescriptor,GetSystemTimePreciseAsFileTime,HeapFree,HeapFree,memcpy,HeapFree,HeapFree,HeapFree,memcpy,memcpy,memcpy,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,RtlDeleteBoundaryDescriptor,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,WakeByAddressAll,HeapFree,HeapFree,HeapFree, 0_2_00007FF607BB4EB0
Source: s9sRFRPn1i.exe, 00000000.00000003.1717076307.000002995B493000.00000004.00000020.00020000.00000000.sdmp, s9sRFRPn1i.exe, 00000000.00000003.1725529210.000002995B48C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
Source: C:\Users\user\Desktop\s9sRFRPn1i.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
No contacted IP infos