Windows Analysis Report https://www.userbenchmark.com/resources/download/UserBenchMark.exe

Overview

General Information

Sample URL: https://www.userbenchmark.com/resources/download/UserBenchMark.exe
Analysis ID: 439522

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Contains functionality to detect sleep reduction / modifications
Found stalling execution ending in API Sleep call
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Potential browser exploit detected (process start blacklist hit)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\UserBenchMark[1].exe Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\UserBenchMark[1].exe ReversingLabs: Detection: 10%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe.nb15apu.partial Virustotal: Detection: 20%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe.nb15apu.partial ReversingLabs: Detection: 10%
Antivirus or Machine Learning detection for unpacked file
Source: 18.2.UserBenchMark.exe.411f26.3.unpack Avira: Label: TR/Dropper.Gen
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 54.39.161.167:443 -> 192.168.2.5:49703 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.39.161.167:443 -> 192.168.2.5:49702 version: TLS 1.2
Source: unknown HTTPS traffic detected: 54.39.161.167:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: Binary string: UserBenchMarkRunEngine.pdb source: UserBenchMarkRunEngine.exe, 00000014.00000002.490422601.0000000000F6E000.00000002.00020000.sdmp
Source: Binary string: D:\PROGS\mydev\UBMGPUBench\x64\Release\UBMSkillBench.pdb source: UserBenchMark.exe, 00000012.00000002.495714388.00000000026DE000.00000004.00000001.sdmp, UBMSkillBench.exe.18.dr
Source: Binary string: d3dx10_43.pdb source: UserBenchMark.exe, 00000012.00000002.497448242.0000000002EBB000.00000004.00000001.sdmp
Source: Binary string: D:\PROGS\mydev\UBMGPUBench\x64\Release\UBMSkillBench.pdbl source: UserBenchMark.exe, 00000012.00000002.495714388.00000000026DE000.00000004.00000001.sdmp, UBMSkillBench.exe.18.dr
Source: Binary string: D3DCompiler_43.pdb source: D3DCompiler_43.dll.18.dr
Source: Binary string: CUBE.pdb> source: CUBE.exe.18.dr
Source: Binary string: UBMDriveBench.pdb source: UBMDriveBench.exe.18.dr
Source: Binary string: D3DCompiler_43.pdb` source: D3DCompiler_43.dll.18.dr
Source: Binary string: RTAGS.pdb? source: RTAGS.exe.18.dr
Source: Binary string: CUBE.pdb source: CUBE.exe.18.dr
Source: Binary string: RTAGS.pdb source: RTAGS.exe.18.dr
Source: Binary string: UBMCPUBench.pdb source: UBMCPUBench.exe, 00000016.00000000.357325148.00000000003EF000.00000002.00020000.sdmp
Source: Binary string: UBMRAMBench.pdb source: UBMRAMBench.exe, 00000019.00000000.467661252.0000000000DA0000.00000002.00020000.sdmp
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405E61 FindFirstFileA,FindClose, 18_2_00405E61
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_0040263E FindFirstFileA, 18_2_0040263E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 18_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003E2111 FindFirstFileExA, 22_2_003E2111
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D920F1 FindFirstFileExA, 25_2_00D920F1

Software Vulnerabilities:

Potential browser exploit detected (process start blacklist hit)
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe
Source: unknown DNS traffic detected: queries for: www.userbenchmark.com
Source: UserBenchMark.exe, UserBenchMark.exe, 00000012.00000002.489939704.0000000000409000.00000004.00020000.sdmp, UserBenchMark[1].exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: UserBenchMark.exe, 00000012.00000002.489939704.0000000000409000.00000004.00020000.sdmp, UserBenchMark[1].exe.2.dr String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: unknown Network traffic detected: HTTP traffic on port 49702 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49702

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 18_2_00405042
Creates a DirectInput object (often for capturing keystrokes)
Source: UBMRAMBench.exe, 00000019.00000002.484032950.00000000014BA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: UserBenchMark.exe, 00000012.00000002.495714388.00000000026DE000.00000004.00000001.sdmp Binary or memory string: RegisterRawInputDevices

System Summary:

Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00EF15A0: DeviceIoControl,DeviceIoControl,GetLastError,DeviceIoControl,WideCharToMultiByte,CreateFileA,DeviceIoControl,CloseHandle, 20_2_00EF15A0
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 18_2_0040323C
Detected potential crypto function
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: String function: 00ED8D20 appears 145 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: String function: 00ED9BC0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: String function: 003CCE11 appears 112 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: String function: 003B5202 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: String function: 003B5CE4 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: String function: 003B62A0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D7A336 appears 143 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D637A0 appears 52 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D47B00 appears 37 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D631B6 appears 66 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D63182 appears 177 times
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: String function: 00D6268F appears 50 times
Source: classification engine Classification label: mal72.evad.win@12/88@2/2
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F0B330 GetLastError,FormatMessageA,LocalFree,std::ios_base::_Ios_base_dtor, 20_2_00F0B330
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 18_2_00404356
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00402020 CoCreateInstance,MultiByteToWideChar, 18_2_00402020
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{FF951407-D4E4-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4396:120:WilError_01
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF5FEABA414F6A9DB6.TMP
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Name,SocketDesignation,MaxClockSpeed,ProcessorId,LoadPercentage from Win32_Processor
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6008 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe 'C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe'
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe 'C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe' start
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe UBMCPUBench.exe
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe UBMRAMBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: Run
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Automated click: Run
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 18_2_00405E88
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_10002A10 push eax; ret 18_2_10002A3E
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F2622C push ecx; ret 20_2_00F2623F
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F269A6 push ecx; ret 20_2_00F269B9
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B62E6 push ecx; ret 22_2_003B62F9
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B5CBE push ecx; ret 22_2_003B5CD1
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D6314B push ecx; ret 25_2_00D6315E
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D637E6 push ecx; ret 25_2_00D637F9

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\nso1892.tmp\RealProgress.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\FLOCK.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\nso1892.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\d3dx9_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\nso1892.tmp\inetc.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\nso1892.tmp\md5dll.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\POM.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\RTAGS.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\D3DCompiler_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\nso1892.tmp\System.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\SHADOW.exe
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\UserBenchMark[1].exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMSkillBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMGPUStats.exe
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe.nb15apu.partial
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\d3dx10_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\NBODY.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMDriveBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe File created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\CUBE.exe

Hooking and other Techniques for Hiding and Protection:

Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B4658 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 22_2_003B4658
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003A48B0 22_2_003A48B0
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D369D0 25_2_00D369D0
Found stalling execution ending in API Sleep call
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Stalling execution: Execution stalls by calling Sleep
Queries memory information (via WMI often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Capacity,Speed from Win32_PhysicalMemory
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Manufacturer,Product,SerialNumber from Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Name,ReleaseDate,SMBIOSBIOSVersion,SMBIOSMajorVersion,SMBIOSMinorVersion,Version from Win32_BIOS
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Capacity,Speed from Win32_PhysicalMemory
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe System information queried: FirmwareTableInformation
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso1892.tmp\RealProgress.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\FLOCK.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\d3dx9_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\RTAGS.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\D3DCompiler_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\POM.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\SHADOW.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMSkillBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMGPUStats.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\d3dx10_43.dll
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\NBODY.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\CUBE.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMDriveBench.exe
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe API coverage: 8.0 %
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe API coverage: 6.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe TID: 5064 Thread sleep time: -30800s >= -30000s
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Manufacturer,Model from Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : select Name,SocketDesignation,MaxClockSpeed,ProcessorId,LoadPercentage from Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405E61 FindFirstFileA,FindClose, 18_2_00405E61
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_0040263E FindFirstFileA, 18_2_0040263E
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 18_2_0040548B
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003E2111 FindFirstFileExA, 22_2_003E2111
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D920F1 FindFirstFileExA, 25_2_00D920F1
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00EE2D30 _Smanip,_Smanip,timeGetTime,__Mtx_unlock,GetSystemInfo,CallNtPowerInformation,_Smanip,_Smanip,timeGetTime,__Mtx_unlock,_Smanip,_Smanip,timeGetTime,_Smanip,_Smanip,timeGetTime,__Mtx_unlock, 20_2_00EE2D30
Source: UBMCPUBench.exe, 00000016.00000003.363332174.00000000016B7000.00000004.00000001.sdmp Binary or memory string: econd8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec
Source: UBMCPUBench.exe, 00000016.00000003.367041659.00000000016D2000.00000004.00000001.sdmp Binary or memory string: 8258RemoteFX Synth3D VSC VM Transport Channel8260Number of space available signals received8262Number of space available signals received per second8264Number of data available signals received8266Number of data available signals received per second8268Number of space available signals sent8270Number of space available signals sent per second8272Number of data available signals sent8274Number of data available signals sent per second8276Number of data available event was reset8278Number of data available event was reset per second8280Number of space available event was reset8282Number of space available event was reset per second8244RemoteFX Synth3D VSC VM Device8246Number of created VMT channels8248Number of waiting VMT channels8250Number of connected VMT channels8252Number of disconnected VMT channels8254Total number of created VMT channels8256Number of RDVGM restarted notifications7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/seckd
Source: UBMCPUBench.exe, 00000016.00000003.363325846.000000000170E000.00000004.00000001.sdmp Binary or memory string: ions7320WorkflowServiceHost 4.0.0.07322Workflows Created7324Workflows Created Per Second7326Workflows Executing7328Workflows Completed7330Workflows Completed Per Second7332Workflows Aborted7334Workflows Aborted Per Second7336Workflows In Memory7338Workflows Persisted7340Workflows Persisted Per Second7342Workflows Terminated7344Workflows Terminated Per Second7346Workflows Loaded7348Workflows Loaded Per Second7350Workflows Unloaded7352Workflows Unloaded Per Second7354Workflows Suspended7356Workflows Suspended Per Second7358Workflows Idle Per Second7360Average Workflow Load Time7362Average Workflow Load Time Base7364Average Workflow Persist Time7366Average Workflow Persist Time Base8154Terminal Services8156Active Sessions8158Inactive Sessions8160Total Sessions5200Hyper-V Hypervisor Logical Processor5202Global Time5204Total Run Time5206Hypervisor Run Time5208Hardware Interrupts/sec5210Context Switches/sec5212Inter-Processor Interrupts/sec5214Scheduler Interrupts/sec5216Timer Interrupts/sec5218Inter-Processor Interrupts Sent/sec5220Processor Halts/sec5222Monitor Transition Cost5224Context Switch Time5226C1 Transitions/sec5228% C1 Time5230C2 Transitions/sec5232% C2 Time5234C3 Transitions/sec5236% C3 Time5238Frequency5240% of Max Frequency5242Parking Status5244Processor State Flags5246Root Vp Index5248Idle Sequence Number5250Global TSC Count5252Active TSC Count5254Idle Accumulation5256Reference Cycle Count 05258Actual Cycle Count 05260Reference Cycle Count 15262Actual Cycle Count 15264Proximity Domain Id5266Posted Interrupt Notifications/sec5268Guest Run Time5270Idle Time5272% Total Run Time5274% Hypervisor Run Time5276% Guest Run Time5278% Idle Time5280Total Interrupts/sec5182Hyper-V Hypervisor5184Logical Processors5186Partitions5188Total Pages5190Virtual Processors5192Monitored Notifications5194Modern Standby Entries5196Platform Idle Transitions5198HypervisorStartupCost5282Hyper-V Hypervisor Root Partition5284Virtual Processors5286Virtual TLB Pages5288Address Spaces5290Deposited Pages5292GPA Pages5294GPA Space Modifications/sec5296Virtual TLB Flush Entires/sec5298Recommended Virtual TLB Size53004K GPA pages53022M GPA pages53041G GPA pages5306512G GPA pages53084K device pages53102M device pages53121G device pages5314512G device pages5316Attached Devices5318Device Interrupt Mappings5320I/O TLB Flushes/sec5322I/O TLB Flush Cost5324Device Interrupt Errors5326Device DMA Errors5328Device Interrupt Throttle Events5330Skipped Timer Ticks5332Partition Id5334Nested TLB Size5336Recommended Nested TLB Size5338Nested TLB Free List Size5340Nested TLB Trimmed Pages/sec5342I/O TLB Flushes Base5344Hyper-V Hypervisor Root Virtual Processor5346Total Run Time5348Hypervisor Run Time5350Remote Node Run Time5352Normalized Run Time5354Hypercalls/sec5356Hypercalls Cost5358Page Invalidations/sec5360Page Invalidations Cost5362Control Register Accesses/sec5364Control Register Accesses Cost5366IO Instructions/sec5368IO Instructions Cost5370HLT Instructions/sec5372HLT Instructions
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe API call chain: ExitProcess graph end node

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F46EA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00F46EA7
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405E88 GetModuleHandleA,LoadLibraryA,GetProcAddress, 18_2_00405E88
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F52893 mov eax, dword ptr fs:[00000030h] 20_2_00F52893
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003D8A33 mov eax, dword ptr fs:[00000030h] 22_2_003D8A33
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D88205 mov eax, dword ptr fs:[00000030h] 25_2_00D88205
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003DE743 GetProcessHeap, 22_2_003DE743
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F26027 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00F26027
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F46EA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_00F46EA7
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B6096 SetUnhandledExceptionFilter, 22_2_003B6096
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003D0937 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_003D0937
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B5AB9 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 22_2_003B5AB9
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003B5F7B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 22_2_003B5F7B
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D63591 SetUnhandledExceptionFilter, 25_2_00D63591
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D62F46 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_00D62F46
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D63432 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00D63432
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D7DE27 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00D7DE27

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe 'C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe' start
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe UBMCPUBench.exe
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Process created: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe UBMRAMBench.exe
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_039610D3 GetModuleFileNameA,GlobalAlloc,CharPrevA,GlobalFree,GetTempFileNameA,CopyFileA,CreateFileA,CreateFileMappingA,MapViewOfFile,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle,lstrcatA,lstrlenA,GlobalAlloc,FindWindowExA,FindWindowExA,FindWindowExA,lstrcmpiA,DeleteFileA,GlobalAlloc,GlobalLock,GetVersionExA,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,CreatePipe,CreatePipe,CreatePipe,GetStartupInfoA,CreateProcessA,GetTickCount,PeekNamedPipe,GetTickCount,ReadFile,lstrlenA,lstrlenA,GlobalSize,GlobalUnlock,GlobalReAlloc,GlobalLock,lstrlenA,lstrlenA,lstrlenA,lstrcpynA,lstrcatA,GlobalSize,lstrlenA,lstrcpyA,CharNextA,GetTickCount,TerminateProcess,lstrcpyA,Sleep,WaitForSingleObject,GetExitCodeProcess,PeekNamedPipe,lstrcpyA,lstrcpyA,wsprintfA,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle,DeleteFileA,GlobalFree,GlobalFree,GlobalUnlock,GlobalFree, 18_2_039610D3
Source: UserBenchMark.exe, 00000012.00000002.491910694.0000000000CA0000.00000002.00000001.sdmp, UserBenchMarkRunEngine.exe, 00000014.00000002.491450698.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: UserBenchMark.exe, 00000012.00000002.491910694.0000000000CA0000.00000002.00000001.sdmp, UserBenchMarkRunEngine.exe, 00000014.00000002.491450698.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: UserBenchMark.exe, 00000012.00000002.491910694.0000000000CA0000.00000002.00000001.sdmp, UserBenchMarkRunEngine.exe, 00000014.00000002.491450698.00000000017B0000.00000002.00000001.sdmp Binary or memory string: SProgram Managerl
Source: UserBenchMark.exe, 00000012.00000002.491910694.0000000000CA0000.00000002.00000001.sdmp, UserBenchMarkRunEngine.exe, 00000014.00000002.491450698.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd,
Source: UserBenchMark.exe, 00000012.00000002.491910694.0000000000CA0000.00000002.00000001.sdmp, UserBenchMarkRunEngine.exe, 00000014.00000002.491450698.00000000017B0000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F26795 cpuid 20_2_00F26795
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: IsValidCodePage,GetLocaleInfoW, 20_2_00F5F0A6
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: GetLocaleInfoW, 20_2_00F57288
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: EnumSystemLocalesW, 20_2_00F5F369
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: EnumSystemLocalesW, 20_2_00F5F31E
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: EnumSystemLocalesW, 20_2_00F5F404
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_00F5F80A
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_00F5F9DE
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: EnumSystemLocalesW, 20_2_00F56D9F
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: EnumSystemLocalesW, 22_2_003E401B
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: EnumSystemLocalesW, 22_2_003E40B6
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 22_2_003E4143
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetLocaleInfoW, 22_2_003E4393
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 22_2_003E44BC
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetLocaleInfoW, 22_2_003E45C3
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 22_2_003E4690
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: EnumSystemLocalesW, 22_2_003DCAB0
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: GetLocaleInfoW, 22_2_003DCF17
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: IsValidCodePage,GetLocaleInfoW, 22_2_003E3D58
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: EnumSystemLocalesW, 22_2_003E3FD0
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: EnumSystemLocalesW, 25_2_00D94096
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 25_2_00D94123
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW, 25_2_00D94373
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 25_2_00D9449C
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: EnumSystemLocalesW, 25_2_00D8C476
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW, 25_2_00D945A3
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 25_2_00D94670
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW, 25_2_00D8C95F
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: GetLocaleInfoW, 25_2_00D61775
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: ___crtGetLocaleInfoEx, 25_2_00D6192B
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: IsValidCodePage,GetLocaleInfoW, 25_2_00D93D38
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: EnumSystemLocalesW, 25_2_00D93FFB
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: EnumSystemLocalesW, 25_2_00D93FB0
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F572F2 GetSystemTimeAsFileTime, 20_2_00F572F2
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UserBenchMarkRunEngine.exe Code function: 20_2_00F5BBEA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 20_2_00F5BBEA
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\UserBenchMark.exe Code function: 18_2_00405B88 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 18_2_00405B88

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003C6875 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 22_2_003C6875
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMCPUBench.exe Code function: 22_2_003C754F Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 22_2_003C754F
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D74BB1 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 25_2_00D74BB1
Source: C:\Users\user\AppData\Local\Temp\UserBenchMarkTemp\UBMRAMBench.exe Code function: 25_2_00D73ED7 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 25_2_00D73ED7