Edit tour

Windows Analysis Report
Speccy64.exe

Overview

General Information

Sample name:	Speccy64.exe
Analysis ID:	1636374
MD5:	96c1387f64e0a0061b1daabb267a5d40
SHA1:	1b6b0616d61ee17c9b6c98bcf217d50b08262e3a
SHA256:	276397aec815a10a06bc7440bcf6c6d4995c54baea4276e324ecd7a65883aa18
Infos:

Detection

Score:	54
Range:	0 - 100
Confidence:	100%

Signatures

Exploit detected, runtime environment starts unknown processes

Queries disk data (e.g. SMART data)

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Query firmware table information (likely to detect VMs)

AV process strings found (often used to terminate AV products)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if Kaspersky Antivirus is installed

Creates a process in suspended mode (likely to inject code)

Detected non-DNS traffic on DNS port

Enables debug privileges

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the installation date of Windows

Queries the product ID of Windows

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Tries to disable installed Antivirus / HIPS / PFW

Uses cacls to modify the permissions of files

Classification

Process Tree

System is w10x64

Speccy64.exe (PID: 8128 cmdline: "C:\Users\user\Desktop\Speccy64.exe" MD5: 96C1387F64E0A0061B1DAABB267A5D40)

java.exe (PID: 7904 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 7952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

icacls.exe (PID: 5864 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 1336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

SecEdit.exe (PID: 5304 cmdline: /export /cfg "C:\Users\user\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY MD5: FE961D8056062E047BCFBD77EBD431B7)

conhost.exe (PID: 4536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: Speccy64.exe, 00000000.00000002.2450263393.00007FF646F7A000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_6d190ca3-b

Source: Speccy64.exe

Static PE information: certificate valid

Source: Speccy64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_wxp_x86\i386\cpuz149_x32.pdb source: Speccy64.exe
Source:	Binary string: C:\BUILD\work\655d602927444bef\bin_x64\v143\Release Static\neutral\Speccy64.pdb source: Speccy64.exe
Source:	Binary string: C:\BUILD\work\655d602927444bef\bin_x64\v143\Release Static\neutral\Speccy64.pdb source: Speccy64.exe
Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_win7_ia64\ia64\cpuz149_ia64.pdb source: Speccy64.exe
Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_win7_amd64\amd64\cpuz149_x64.pdb source: Speccy64.exe

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\System32\conhost.exe

Source: global traffic

TCP traffic: 192.168.2.4:49280 -> 162.159.36.2:53

Source: Joe Sandbox View

IP Address: 2.22.242.9 2.22.242.9

Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	TCP traffic detected without corresponding DNS query: 162.159.36.2
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /ncc.txt HTTP/1.1Connection: Keep-AliveUser-Agent: Avast AntivirusHost: ncc.avast.com

Source: global traffic	DNS traffic detected: DNS query: ncc.avast.com
Source: global traffic	DNS traffic detected: DNS query: speccy.piriform.com

Source: Speccy64.exe	String found in binary or memory: http://asp.ff.avast.com/avast_sitecorrect://http://ta.ff.avast.com/avast_myavast://http://ai.ff.avas
Source: java.exe, 00000004.00000002.1264185739.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Speccy64.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: Speccy64.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: Speccy64.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Speccy64.exe	String found in binary or memory: http://files.avast.com/beta9x/avast_free_antivirus_setup_online.exeASWSig2A5549FF2866EA44F68D28FB2B1
Source: Speccy64.exe	String found in binary or memory: http://files.avast.com/iavs9x/avast_premier_antivirus_setup_online.exeASWSig2A5FB1A9FDC683FA551EB348
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avast-tu/beta/avast_cleanup_online_setup.exeASWSig2A1E3DD1C1B204ED89FD
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avast-tu/release/avast_cleanup_online_setup.exeASWSig2A4C1A1197A19B18F
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-av/release/avg_antivirus_free_online_setup.exeASWSig2A2D7E61EA63DA
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-av/release/avg_internet_security_online_setup.exeASWSig2A40170EEB1
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-bs/beta/avg_battery_saver_online_setup.exeASWSig2A4D178CA216002CE0
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-bs/release/avg_battery_saver_online_setup.exeASWSig2A7E478FFFFFA84
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-tu/beta/avg_tuneup_online_setup.exeASWSig2A51F05E8C170B452F21205C3
Source: Speccy64.exe	String found in binary or memory: http://honzik.avcdn.net/setup/avg-tu/release/avg_tuneup_online_setup.exeASWSig2A19497FDBA8D930F12196
Source: java.exe, 00000004.00000002.1264185739.0000000004400000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: Speccy64.exe	String found in binary or memory: http://keys.backup.norton.com
Source: Speccy64.exe, 00000000.00000002.2446160894.000001820764C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ncc.avast.com/l4
Source: Speccy64.exe	String found in binary or memory: http://ncc.avast.com/ncc.txt
Source: Speccy64.exe	String found in binary or memory: http://ncc.avast.com/ncc.txtCommChannel.dllinvalid
Source: Speccy64.exe, 00000000.00000003.1186915741.00000182097C1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ncc.avast.com/ncc.txth$
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: Speccy64.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: Speccy64.exe	String found in binary or memory: http://p%03d.sb.avast.com/V1/MD/avast_streambackraw_%03d://http://p%03d.sb.avast.com/V1/PD/Do
Source: Speccy64.exe	String found in binary or memory: http://posttestserver.com/a
Source: Speccy64.exe	String found in binary or memory: http://www.avast.com0/
Source: Speccy64.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: Speccy64.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_FREE/platform_WIN/installertype_ONLINE/b
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_PRO/platform_WIN/installertype_ONLINE/bu
Source: Speccy64.exe	String found in binary or memory: https://brain.jumpshot.com/dropbox/tagavast_streambacksubmit_commchannel
Source: Speccy64.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: Speccy64.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: Speccy64.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-atrk/release/avast_antitrack_online_setup.exeASWSig2A532CCF5ABF
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-bg/beta/avast_breach_guard_online_setup.exeASWSig2A6DF674D10553
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-bg/release/avast_breach_guard_online_setup.exeASWSig2A2457920CE
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-bs/beta/avast_battery_saver_online_setup.exeASWSig2A3A3BE3789E6
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-bs/release/avast_battery_saver_online_setup.exeASWSig2A072492C0
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-du/beta/avast_driver_updater_online_setup.exeASWSig2A3CBDA28891
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-du/release/avast_driver_updater_online_setup.exeASWSig2A021F36B
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avast-vpn/release/avast_vpn_online_setup.exeASWSig2A06FCDABA5742BE662
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-atrk/release/avg_antitrack_online_setup.exeASWSig2A2B99C8EA31CB6D
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-bg/beta/avg_breach_guard_online_setup.exeASWSig2A56213C511B9A9241
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-bg/release/avg_breach_guard_online_setup.exeASWSig2A14AA13983E189
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-du/beta/avg_driver_updater_online_setup.exeASWSig2A667B4A5D8ECDBD
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-du/release/avg_driver_updater_online_setup.exeASWSig2A24A39E8D727
Source: Speccy64.exe	String found in binary or memory: https://honzik.avcdn.net/setup/avg-vpn/release/avg_vpn_online_setup.exeASWSig2A27B1BBBA8E4138C4EDCFD
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/beta9x/avg_internet_security_setup.exeASWSig2A7D77EF27F362060AF957E761
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/iavs9x/avg_internet_security_setup.exeASWSig2A123D026AE3BEAC0AC7D4DC35
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/iavs9x/avg_internet_security_setup.exeASWSig2A357ACEF8FE55D8ED7E2EA469
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/beta9x/avast_pro_antivirus_setup_online.exeASWSig2A579D90FED0C6441EE7B258F
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/iavs9x/avast_free_antivirus_setup_online.exeASWSig2A2EC0971AB07DE15C30023C
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/iavs9x/avast_pro_antivirus_setup_online.exeASWSig2A03A4D7B0044FDD707267F64
Source: Speccy64.exe	String found in binary or memory: https://license.piriform.com/activate/?p=%s&c=%s&cv=%s&l=%s&lk=%s&mk=%s.exe64.exe.lic.dat/unregister
Source: Speccy64.exe	String found in binary or memory: https://openid-stage.avast.comhttps://openid-stage.avg.commy-devices-stage.avast.commy-win-stage.ff.
Source: Speccy64.exe, 00000000.00000002.2446785748.0000018209110000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://openid.avast.com
Source: Speccy64.exe	String found in binary or memory: https://openid.avg.comhttps://openid.avast.comalpha-rollout-service.ff.avast.commy-devices.avast.com
Source: Speccy64.exe	String found in binary or memory: https://posttestserver.com/test_channel://http://posttestserver.com/avast_streambacksubmit_generic:/
Source: Speccy64.exe	String found in binary or memory: https://s-trackoff.avcdn.net/avg/trackoff/7854df286ff1c4e1f4d81d466f4a1b0243b39837ac99c5b98817907f76
Source: Speccy64.exe	String found in binary or memory: https://s-trackoff.avcdn.net/trackoff/8ad1526a87b9617cf6dd677cdf9f87a0e3fd1555b6a8828d87ec2bef2850fa
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://speccy.piriform.com/
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://speccy.piriform.com/T
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://speccy.piriform.com:80/ip/
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/go/app_cc_get_updateMozilla/4.0Unknown
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/go/app_sp_home_help%s?a=%s&v=%s&l=%dMainDlg::SaveSnapshotMainDlg::LoadSnaps
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/go/app_sp_privacy_policy%s?a=&v=%s&l=%dstatictooltips_class32Software
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/go/app_sp_reg_purchaseRegistering
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/go/app_sp_reg_renewhttps://www.ccleaner.com/autohttps://www.ccleaner.com/sp
Source: Speccy64.exe	String found in binary or memory: https://www.ccleaner.com/inapp/notificationsContent-Type:
Source: Speccy64.exe, 00000000.00000003.1211733882.0000018209846000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1205968682.0000018209846000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1208612776.0000018209846000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1806371747.0000018209846000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212419433.0000018209846000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448167496.0000018209846000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ccleaner.com/speccy/update?v=1.33.079&l=1033
Source: Speccy64.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: Speccy64.exe	Static PE information: Resource name: BRANDING type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: MS-DOS executable, LE executable for MS Windows (VxD)
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (native) Intel 80386, for MS Windows
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) x86-64, for MS Windows
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) Intel Itanium, for MS Windows
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: PE32 executable (native) Intel 80386, for MS Windows
Source: Speccy64.exe	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (native) x86-64, for MS Windows

Source: Speccy64.exe, 00000000.00000002.2451016032.00007FF64756A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamecpuz.sys< vs Speccy64.exe
Source: Speccy64.exe, 00000000.00000002.2451016032.00007FF64756A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamebranding.dll\ vs Speccy64.exe
Source: Speccy64.exe, 00000000.00000002.2451016032.00007FF64756A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSpeccy.exe. vs Speccy64.exe
Source: Speccy64.exe	Binary or memory string: OriginalFilenamecpuz.sys< vs Speccy64.exe
Source: Speccy64.exe	Binary or memory string: OriginalFilenamebranding.dll\ vs Speccy64.exe
Source: Speccy64.exe	Binary or memory string: OriginalFilenameSpeccy.exe. vs Speccy64.exe

Source: Speccy64.exe	Binary string: \Device\cpuz149\DosDevices\CPUZ149
Source: Speccy64.exe	Binary string: ais_gen_arpot_corepi_versionset_pps failedFailed to get branding dataempty policy dataFailed to set PPS to icarus.ProcessProductInstance during ApplyProductInstance failedClient data validation failedFailed to get product instance dataAbout to set pps to icarusApplyProductInstance called in controlled productNo Product instance availablevalidationclientDataProcessProductInstance during product update failedProduct updated. Refreshing branding dataUsing installer product instanceUsing application product instanceapp.product_instance.changeIsBrandingUpdateRequired check failedBroadcastPiChangedEvent failedupdate_policyinvalid policy File Locationprocessing policy nodelicensing node not found in core branding datalicensingpolicyavcfg://Morph/Policy/Dataavcfg://Morph/Policy/FileLocationapp.product_instance.policy_changedavcfg://Morph/Policy/Resultpublic.morph.product_instance_changed%hu.0\BrandingData%hu.%hu.%hu%hu.%huDSA Verification FailedFailed to decrypt secure storage data: {}Empty file: {}Failed IsFileModified read file modified timeBranding target detected: {}license branding node does not have download url{prodversion}Communication with {} failed, code: {}, message: {}Communication with {} failed on certificate verification, code: {}, message: {}{:x}About to send request to {}_evtFailed to type cast to PIDataInternalRequest to {} failedGetting branding data from main product for not controlled productapp.morph.suite_mode_providerpublic.morph.get_product_instance_{}public.morph.get_branding_data_{}GetSchemaCategory failedFailed to get schema category from product instance dataGetSchemaVersion failedFailed to get schema version from product instance dataSchemacategoryschemametaDataFailed to get coreBranding membersFailed to get coreBranding nodeFailed to get fileLocation from branding nodeFailed to get core branding node for member: {}Failed to get license branding data. Try redownloading itFailed to get core branding licensing nodecoreBrandingFailed to get license branding dataGetTemplateCategory failedFailed to get template category from product instance dataGetTemplateVersion failedFailed to get template version from product instance dataRemoveProductInstance called in controlled productapp.lif.activations.IsSupportedVersionInstalled.lif.activations.IsSupportedVersionInstalledget_available_productsdeactivateinternal.appId or brandId not setspecified product not known by targeted instanceerh_pingHparameter not object.lif.activations.GetAccountDataapp.alpha.GetVaarHeaders.lif.activations.RemoveLicenseapp.lif.activations.GetAccountDataapp.lif.activations.AccountLogout.lif.activations.AccountLogout.lif.activations.GetActiveProduct.lif.activations.Activate.lif.activations.GetAvailableProducts.lif.activations.GetActiveProducts.lif.activations.IsInstallederh_isinstalledII - You must pass product identifier as parameter.erh_issvinstalledISVI - You must pass application type as parameter.Invalid argument..lifact.get_available_productserh_deactivateHe
Source: Speccy64.exe	Binary string: \Device\cpuz149`aNa:a&a
Source: Speccy64.exe	Binary string: \| ASWSig2BUnable to open file '{}' for reading!The digest is not initialized!ASWSig3BUnknown DSA key!invalid hex_char_value<char>Unable to read outside of the mapped view!Unable to retrieve pointer of the unmapped view!DiskSN2DiskSN1DiskSN4DiskSN3ProcessorSNEnclosureInformatonTAGMemoryPNProcessorTAGBoardInformationSNSystemInformationSNEnclosureInformatonSNBoardInformationTAGPowerSupplyTAGPowerSupplySNProcessorIDSystemUUIDMemoryTAGMemorySNPowerSupplyPNBatterySNSCSIDISK\\.\Scsi%u:\Device\PhysicalMemoryGetSystemFirmwareTableSystemVolumeGUIDDiskMajoritySN\\.\PhysicalDrive%u\\?\VolumeMicrosoft HvNtOpenSection%d/%d/%d - Unable to retrieve a file name!NtQueryInformationFileFailed to open log file '{}'{}.to_delete.{:016x}Failed to create new log file '{}'.tmp..logNtSetInformationFile{}.to_rotate.{:016x}GetModuleHandleW ({})%04hu-%02hu-%02hu %02hu:%02hu:%02hu.%03huGetProcAddress ({})Code: BOM not present in '{}'{:#010x} ({})
Source: Speccy64.exe	Binary string: \Device\cpuz149\DosDevices\CPUZ149\DosDevices\Global\CPUZ149

Source: classification engine

Classification label: mal54.spyw.expl.evad.winEXE@10/4@2/2

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7952:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1336:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4536:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: Speccy64.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Speccy64.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Speccy64.exe	String found in binary or memory: id-cmc-addExtensions
Source: Speccy64.exe	String found in binary or memory: set-addPolicy
Source: Speccy64.exe	String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
Source: Speccy64.exe	String found in binary or memory: <?xml version="1.0"?> <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Author>Piriform Ltd</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <!-- <GroupId>S-1-5-11</GroupId> --> <!-- <UserId>_UserID_</UserId> --> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>"_Path_To_App_"</Command> <Arguments>$(Arg0)</Arguments> </Exec> </Actions> </Task>
Source: Speccy64.exe	String found in binary or memory: <?xml version="1.0"?> <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Author>Piriform Ltd</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <!-- <GroupId>S-1-5-11</GroupId> --> <!-- <UserId>_UserID_</UserId> --> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>"_Path_To_App_"</Command> <Arguments>$(Arg0)</Arguments> </Exec> </Actions> </Task>
Source: Speccy64.exe	String found in binary or memory: namekey/registerProvided registration key is not Businness Edition typeError during registration %dSuccessully registered from command lineBundle license succesfully activated.Save to registry as BN: %s and BK: %scall to empty boost::functionmap/set too longSoftware\PiriformLicenseKeyLicenseNamelicense.iniopen0Speccytemp_spupdatespupdatehttps://www.ccleaner.com/go/app_sp_reg_renewhttps://www.ccleaner.com/autohttps://www.ccleaner.com/speccy/updatehttps://license.piriform.com/update00000000UpdateKey%04d%02d%02d1.14.001RegOpenKeyTransactedWAdvapi32.dlllist too longhttps://www.ccleaner.com/go/app_sp_privacy_policy%s?a=&v=%s&l=%dstatictooltips_class32Software\Microsoft\Internet Explorer\SettingsAnchor ColorAnchor Color Visited<A></A><>:"/\\|?*/txtexport.txtError exporting txt file %s/xmlexport.xmlError exporting xml file %sSpeccyTreeSCROLLBARATL:%pWVerdanainvalid vector subscriptRunSpeccyMinimizeToTrayMetricsInTooltipMetricsInTraySensorNameTrayRefreshTimeLanguageTemperatureUnitsNeedUpdateHideNavPaneSilentInstallNewVersionDontConfirmPublishSpeccy.iniportable.datcheck branding dllSettings::Load = %dSOFTWARE\Piriform\SpeccyUpdateCheckSoftware\Piriform\Speccy/totray" <?xml version="1.0"?> <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Author>Piriform Ltd</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <!-- <GroupId>S-1-5-11</GroupId> --> <!-- <UserId>_UserID_</UserId> --> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>"_Path_To_App_"</Command> <Arguments>$(Arg0)</Arguments> </Exec> </Actions> </Task>_Path_To_App_RegCreateKeyTransactedWSoftware\Microsoft\Windows\CurrentVersion\RunSpeccyLocal\SpeccyHandlePiriformSpeccyCMessageMethodMarshaler::ExecuteQueuedMethodsC:\BUILD\work\655d602927444bef\src\Speccy\SpeccyCommon\MessageMethodMarshaler.h/translateIsWow64Process/debug%s\Speccy_log[%s][%d-%d-%d_%d-%d-%d].txt[%d{%Y-%m-%d %H:%M:%S}] [%-5p] %m%nDEBUG 3/debug1DEBUG 1/debug2DEBUG 2/debug3speccy64.exeCan't create MainMarshaler window/old/updatesuccess/updatefailedMyAppenderkernel32.dll#32770F
Source: Speccy64.exe	String found in binary or memory: namekey/registerProvided registration key is not Businness Edition typeError during registration %dSuccessully registered from command lineBundle license succesfully activated.Save to registry as BN: %s and BK: %scall to empty boost::functionmap/set too longSoftware\PiriformLicenseKeyLicenseNamelicense.iniopen0Speccytemp_spupdatespupdatehttps://www.ccleaner.com/go/app_sp_reg_renewhttps://www.ccleaner.com/autohttps://www.ccleaner.com/speccy/updatehttps://license.piriform.com/update00000000UpdateKey%04d%02d%02d1.14.001RegOpenKeyTransactedWAdvapi32.dlllist too longhttps://www.ccleaner.com/go/app_sp_privacy_policy%s?a=&v=%s&l=%dstatictooltips_class32Software\Microsoft\Internet Explorer\SettingsAnchor ColorAnchor Color Visited<A></A><>:"/\\|?*/txtexport.txtError exporting txt file %s/xmlexport.xmlError exporting xml file %sSpeccyTreeSCROLLBARATL:%pWVerdanainvalid vector subscriptRunSpeccyMinimizeToTrayMetricsInTooltipMetricsInTraySensorNameTrayRefreshTimeLanguageTemperatureUnitsNeedUpdateHideNavPaneSilentInstallNewVersionDontConfirmPublishSpeccy.iniportable.datcheck branding dllSettings::Load = %dSOFTWARE\Piriform\SpeccyUpdateCheckSoftware\Piriform\Speccy/totray" <?xml version="1.0"?> <Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"> <RegistrationInfo> <Author>Piriform Ltd</Author> </RegistrationInfo> <Triggers /> <Principals> <Principal id="Author"> <!-- <GroupId>S-1-5-11</GroupId> --> <!-- <UserId>_UserID_</UserId> --> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Settings> <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy> <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries> <AllowHardTerminate>true</AllowHardTerminate> <StartWhenAvailable>false</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle>false</RunOnlyIfIdle> <WakeToRun>false</WakeToRun> <ExecutionTimeLimit>P3D</ExecutionTimeLimit> <Priority>7</Priority> </Settings> <Actions Context="Author"> <Exec> <Command>"_Path_To_App_"</Command> <Arguments>$(Arg0)</Arguments> </Exec> </Actions> </Task>_Path_To_App_RegCreateKeyTransactedWSoftware\Microsoft\Windows\CurrentVersion\RunSpeccyLocal\SpeccyHandlePiriformSpeccyCMessageMethodMarshaler::ExecuteQueuedMethodsC:\BUILD\work\655d602927444bef\src\Speccy\SpeccyCommon\MessageMethodMarshaler.h/translateIsWow64Process/debug%s\Speccy_log[%s][%d-%d-%d_%d-%d-%d].txt[%d{%Y-%m-%d %H:%M:%S}] [%-5p] %m%nDEBUG 3/debug1DEBUG 1/debug2DEBUG 2/debug3speccy64.exeCan't create MainMarshaler window/old/updatesuccess/updatefailedMyAppenderkernel32.dll#32770F
Source: Speccy64.exe	String found in binary or memory: expiration-time : install-time : * UNKNOWN install-time : [is-trial : license-remaining-days: license-total-days : expiration-time : UNKNOWN *x-product-name : x-aff-id : x-expiry-time-ext : is-expired : x-auto-renewal-ready : x-auto-renewal : x-license-total-days : x-product-code : (id: UNKNOWN (???)x-is-license-started : build : registry:>verbose:>uilcid : langid : culture : rcode : activate-time : install-time : eula-acc-date : aff-id : is-trial : num-licenses : expiry-date-ext: expiry-date : product-version: product-name : endpoint:>active-package : install-date: aff-id : version : installed-date : auto-renewal : expired-days : product-version : product-name : product-name : product-name-short : product-code : auto-renewal-ready : is-oem-product : install-date : data-root : version : product-type-family: product-type : oem-commercial : localization : valid-to : valid-from : name : LicStorage:>type : , term : (sn : expiry-date : product-code: devices : expiry-date : install-date : version : product-name : seat-number : auto-renewal : license-status: license-type : product-name-s: product-code : product-id : oem-name : -product-id-s: product-id : partner : _trial-days : AvastUI.exeAvastAVGAviraBullGuard.exeBullGuardCCleanerClamTray.exeekrn.exeF-SecureG Datakxetray.exeNortonSymantecPC ToolsWebrootMsMpEng.exeMicrosoft Security EssentialsHMA! Pro VPNVpn.exe%d
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_FREE/platform_WIN/installertype_ONLINE/build_BETAASWSig2A50E9B280FB970C68488B34F4B02C48015564A64A73C3AC02767F9552650EDD63492C6879540F589C4BA02BBD13DF01CCE85F2CCB8DB24FAC033CF05E528D2AB3ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_PRO/platform_WIN/installertype_ONLINE/build_RELEASEASWSig2A05DC2836FD96A0C8E0E26129B9F512844DEDDF622854BE1FBFF3B85EC9E6446C6045CD7EAA5F355B344EA63212D427DE0BFEA4E8E6A00657FE3B6B2428775441ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_FREE/platform_WIN/installertype_ONLINE/build_RELEASEASWSig2A31799EC698448D4844FE9AB2012CC98BB555A1D08BF1E6A695BC7767D4AECD7958843573D671940FB16A1EAEC0A0D7693EA1E0BAF489DC5B8246461CA68BEA03ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://bits.avcdn.net/productfamily_ANTIVIRUS/insttype_ONE_PRO/platform_WIN/installertype_ONLINE/build_BETAASWSig2A53C348E9F946300674B595968DD7FD3521A37578CB4C5C82A2247F81FC9361BB46DD6B1157D3987E812CDC9704314AF7F72F020BE092418B94E5415946028F62ASWSig2A
Source: Speccy64.exe	String found in binary or memory: /AESECDH_P256ChainingModeChainingModeECBSHA256ECCPUBLICBLOBHASHTuneupUtilitiesCleanupBatterySaverKamoAntiTrackSecure VPNSZBrowserVPNOverrideProgramFolderLogsEmpty product id for get_product_icarus_common_files_dir.proxy.iniicarus.iniSoftware\SYSTEM\Software\\IcarusOverrideDataFolderreg-keyprogram-data-dirdata-dirproduct-dirproduct-reg-keycompany-install-pathUnable to get the path of the module!Unable to retrieve the path of the module!Unable to store the path of the module!Unable to retrieve a path of the known folder ({})!SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders%APPDATA%Common AppDataProgramFiles%LOCALAPPDATA%CommonProgramFilesWindows 10Windows Server 2003 R2 (10.0.Windows Server 2019 SPWindows Windows Home ServerSoftware\Microsoft\Windows NT\CurrentVersion\ProfileListProfileImagePathSeRestorePrivilegeSeBackupPrivilege Broadcasting of 'Exception: UnknownCumulative event ' event failed., level=Synchronous part of handler for throws exception!, description=Sync: Async: Wildcards are not supported except '*' as a last subnode.handling of {} eventEvent routing statistic (in last Registering event handler for Total event count: minutes):
Source: Speccy64.exe	String found in binary or memory: Fail to schedule the chore!This function cannot be called on a default constructed taskpost_install_activatesent_from_jscfg_paramssession_idfinishsend run command to user process failactivate section not definedfile_pathusercaller-session-idmain section not definedprocessingcountinstalldelete_file%[0-9a-zA-Z\-_]+%((?:^\|[ \t])(?:\/\|-{2})[0-9a-zA-Z-_]+[:= ]"?(%[0-9a-zA-Z\-_]+%)\"?)avdef://config/LIS/{}{}_params[^0-9a-zA-Z-_]+url_sigurl_sig is not signed parameterurl_sig_disabled'url' is not signed parametercannot resolve any url (empty)'url' is not definedavdef://config/AntiTrack/InstallerURLavdef://config/AntiTrack/HashURLavdef://config/LIS/{}{}_url_sigatrkno url definedavdef://config/LIS/{}{}_urlidsqueueavdef://config/LIS/{}{}_runasUnsupported brand, for LIS get_brand_idsinstalledlastStateSOFTWARE\AVAST Software\Avast Driver Updater\RegistrationSOFTWARE\AVG\AVG Driver Updater\Registrationintegratedexpiredtrialm
Source: Speccy64.exe	String found in binary or memory: start-installing
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/iavs9x/avg_internet_security_setup.exeASWSig2A123D026AE3BEAC0AC7D4DC356170E86781C38A69769DFB1B56F27ADFCCC7558D1DCC74EA4F98C62183031B573C92EEE14C5DAFAF400A383BDB5EE3D6A0FC1603ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/beta9x/avast_pro_antivirus_setup_online.exeASWSig2A579D90FED0C6441EE7B258FB211F18B5FC5BBB772B881C7F52A88838E0A703C6532047C515DC38FBE73D7F560C3FF061D64CFAB1FC325AD0348532DC8930CBC2ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/iavs9x/avast_pro_antivirus_setup_online.exeASWSig2A03A4D7B0044FDD707267F642421062FA75EC30F72849E7C252D121662362A56621EFEFD7B6C17EF65B7E6FCB7F0FEAF37C97C9F6BF2B6CA9348B5F7602B2FE34ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/iavs9x/avast_free_antivirus_setup_online.exeASWSig2A2EC0971AB07DE15C30023C6167D647C10ADADBC4A4BD0FCEB058A66FFBD15486238F5E01608243AF3A71A93C9D5FFC75DCBD1A4C32EA7DA22B1CC379F89B5DB7ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/beta9x/avg_internet_security_setup.exeASWSig2A7D77EF27F362060AF957E76183811D8C3F36B302611315839F56515601BAACBE0C849A9BB49FC922CEA79827B2634646AF941C8757D83D6F31866CE88B4EB6A3ASWSig2A
Source: Speccy64.exe	String found in binary or memory: https://install.avcdn.net/avg/iavs9x/avg_internet_security_setup.exeASWSig2A357ACEF8FE55D8ED7E2EA4698ADAF5FF3CB20A1E11028223627EB828ACF81AE82E55D3E7E69598893D68AAC7E46877D54EBCD8728299CD20545F34FC72E06ED2ASWSig2A
Source: Speccy64.exe	String found in binary or memory: Start/Stop Count
Source: Speccy64.exe	String found in binary or memory: Start/Stop Count

Source: unknown	Process created: C:\Users\user\Desktop\Speccy64.exe "C:\Users\user\Desktop\Speccy64.exe"
Source: C:\Users\user\Desktop\Speccy64.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -version
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Speccy64.exe	Process created: C:\Windows\System32\SecEdit.exe /export /cfg "C:\Users\user\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY
Source: C:\Windows\System32\SecEdit.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Speccy64.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -version	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Process created: C:\Windows\System32\SecEdit.exe /export /cfg "C:\Users\user\AppData\Local\Temp\spc_se.txt" /quiet /areas SECURITYPOLICY	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: atlthunk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: cpuidsdk.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: spfileq.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netsetupshim.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: netsetupengine.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wuapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: wups.dll	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\SecEdit.exe	Section loaded: scecli.dll	Jump to behavior
Source: C:\Windows\System32\SecEdit.exe	Section loaded: ntmarta.dll	Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Development Kit

Jump to behavior

Source: Speccy64.exe

Static PE information: certificate valid

Source: Speccy64.exe

Static PE information: More than 4288 > 100 exports found

Source: Speccy64.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Speccy64.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Speccy64.exe

Static file information: File size 20915616 > 1048576

Source: Speccy64.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0xda8600
Source: Speccy64.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x427200

Source: Speccy64.exe

Static PE information: More than 200 imports for KERNEL32.dll

Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Speccy64.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Speccy64.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE

Source: Speccy64.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_wxp_x86\i386\cpuz149_x32.pdb source: Speccy64.exe
Source:	Binary string: C:\BUILD\work\655d602927444bef\bin_x64\v143\Release Static\neutral\Speccy64.pdb source: Speccy64.exe
Source:	Binary string: C:\BUILD\work\655d602927444bef\bin_x64\v143\Release Static\neutral\Speccy64.pdb source: Speccy64.exe
Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_win7_ia64\ia64\cpuz149_ia64.pdb source: Speccy64.exe
Source:	Binary string: d:\cpuid\applications\cpuidsdk\driver\sys_cpuz_149\objfre_win7_amd64\amd64\cpuz149_x64.pdb source: Speccy64.exe

Source: Speccy64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Speccy64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Speccy64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Speccy64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Speccy64.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: Speccy64.exe

Static PE information: section name: _RDATA

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Users\user\Desktop\Speccy64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_DiskDrive
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : ASSOCIATORS OF {Win32_DiskDrive.DeviceID='\\.\PHYSICALDRIVE0'} WHERE AssocClass=Win32_DiskDriveToDiskPartition
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_NetworkAdapter
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_NetworkAdapterConfiguration

Queries sensitive printer information (via WMI, Win32_Printer, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PrinterPaperNames,DeviceID FROM Win32_Printer WHERE Name="Fax"
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PrinterPaperNames,DeviceID FROM Win32_Printer WHERE Name="Microsoft Print to PDF"
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PrinterPaperNames,DeviceID FROM Win32_Printer WHERE Name="Microsoft XPS Document Writer"
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PrinterPaperNames,DeviceID FROM Win32_Printer WHERE Name="OneNote (Desktop)"
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT PrinterPaperNames,DeviceID FROM Win32_Printer WHERE Name="OneNote"

Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)

Source: C:\Users\user\Desktop\Speccy64.exe

WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\WMI : MSSMBios_RawSMBiosTables

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Users\user\Desktop\Speccy64.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\CIMV2 : Win32_SoundDevice

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\Speccy64.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe TID: 8180

Thread sleep time: -30000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

File opened: PhysicalDrive0

Jump to behavior

Source: Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: Speccy64.exe, 00000000.00000002.2448864660.0000018209EFA000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1806766634.0000018209EF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: acMicrosoft Hyper-V Generation Countern
Source: Speccy64.exe, 00000000.00000003.1807241546.0000018209F58000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448920885.0000018209F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware
Source: Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk Deviceon
Source: Speccy64.exe, 00000000.00000002.2449433254.000001820BD34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00apterC@@*
Source: Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Deviceoem2.inf1g
Source: java.exe, 00000004.00000002.1250433484.0000000000924000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: Speccy64.exe, 00000000.00000003.1806766634.0000018209EF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CVMware Virtual disk SCSI Disk Deviceu
Source: Speccy64.exe, 00000000.00000003.1806553139.000001820976C000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1199019113.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2447919456.0000018209771000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1188392604.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2446160894.000001820764C000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1190237944.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1211733882.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1187405248.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212419433.0000018209832000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1186254481.000001820983A000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1806371747.0000018209832000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: java.exe, 00000004.00000002.1250433484.0000000000924000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: Speccy64.exe, 00000000.00000002.2447417428.0000018209694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Counter=
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy RequestorS
Source: Speccy64.exe, 00000000.00000002.2448920885.0000018209F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: java.exe, 00000004.00000003.1221936135.0000000014869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000004.00000003.1221936135.0000000014869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: Speccy64.exe, 00000000.00000002.2447417428.0000018209694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange ServiceM
Source: Speccy64.exe	Binary or memory string: vmware
Source: Speccy64.exe, 00000000.00000002.2449325691.000001820BC90000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization ServiceL
Source: Speccy64.exe, 00000000.00000002.2447417428.0000018209694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface%
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: Speccy64.exe, 00000000.00000002.2449433254.000001820BD34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00
Source: Speccy64.exe	Binary or memory string: VMwareVMware
Source: Speccy64.exe, 00000000.00000002.2449433254.000001820BD34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Device
Source: Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.infvid.devicedescMicrosoft Hyper-V Virtualization Infrastructure Driverwvid.infCurrentControlSet/Services/LanmanWorkstation/Parameters/RequireSecuritySignaturehG
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service=
Source: Speccy64.exe, 00000000.00000003.1807020198.0000018209E77000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct ServiceF
Source: Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: java.exe, 00000004.00000003.1221936135.0000000014869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
Source: java.exe, 00000004.00000003.1221936135.0000000014869000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: Speccy64.exe, 00000000.00000002.2448583385.0000018209E78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @oem2.infloc.vmwarebusdevicedescVMware VMCI Bus Deviceoem2.inf
Source: Speccy64.exe, 00000000.00000003.1806766634.0000018209EF9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: doNECVMWar VMware SATA CD00i.sys[
Source: Speccy64.exe, 00000000.00000002.2446160894.000001820764C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ooVMware20,1
Source: java.exe, 00000004.00000002.1250433484.00000000008FB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface,k!*#
Source: Speccy64.exe, 00000000.00000002.2447417428.0000018209694000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Speccy64.exe, 00000000.00000003.1806553139.00000182097BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service!
Source: Speccy64.exe	Binary or memory string: IsRunningOnVirtualMachine
Source: Speccy64.exe, 00000000.00000002.2447417428.00000182096B4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Speccy64.exe, 00000000.00000002.2447671983.0000018209707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service4k
Source: Speccy64.exe, 00000000.00000002.2448920885.0000018209F58000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Speccy64.exe, 00000000.00000002.2448393267.0000018209E50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation Counterwgencounter.infrentControlSet/Services/Netlogon/Parameters/RestrictNTLMInDomainion=H

Source: C:\Users\user\Desktop\Speccy64.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected			Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\KasperskyLab\protected			Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -version			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

File opened: Windows Firewall: C:\Windows\System32\FirewallAPI.dll

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductID

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7904 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Speccy64.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Speccy64.exe, 00000000.00000003.1207472491.0000018209E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: kxetray.exe
Source: Speccy64.exe, 00000000.00000003.1209898303.0000018209E76000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1211590574.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1210722480.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1211338928.0000018209E75000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1208991686.0000018209E75000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1207472491.0000018209E7C000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212847516.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BullGuard.exe
Source: Speccy64.exe, 00000000.00000003.1209898303.0000018209E76000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1211590574.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1210722480.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1211338928.0000018209E75000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1208991686.0000018209E75000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1207472491.0000018209E7C000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212847516.0000018209E80000.00000004.00000020.00020000.00000000.sdmp, Speccy64.exe, 00000000.00000003.1212685244.0000018209E7B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: pctsGui.exe
Source: Speccy64.exe, 00000000.00000003.1207472491.0000018209E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ClamTray.exe
Source: Speccy64.exe, 00000000.00000003.1207472491.0000018209E7C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntivirusProduct
Source: C:\Users\user\Desktop\Speccy64.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : FirewallProduct

Stealing of Sensitive Information

Queries disk data (e.g. SMART data)

Source: C:\Users\user\Desktop\Speccy64.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior
Source: C:\Users\user\Desktop\Speccy64.exe	Device IO: \Device\Harddisk0\DR0			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	41 Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	52 Virtualization/Sandbox Evasion	OS Credential Dumping	641 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Services File Permissions Weakness	11 Disable or Modify Tools	LSASS Memory	52 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Services File Permissions Weakness	NTDS	244 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report
Speccy64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Speccy64.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

Cryptography

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
Speccy64.exe