Virtualization/Sandbox Evasion Behaviour

[man-im-unoriginal-af]

Sent the binary (sha256; 7101910d67a1b477edfb0a90c2424ef15b6cdbc2ef2dbb606b8854791eb98a25) for analysis and found both ATT&CK and Malware Behavior Catalog (MBC) that explicitly lists the following:

• ATT&CK Technique T1497.001: Virtualization/Sandbox Evasion::System Checks
• MBC Behavior B0009: Virtual Machine Detection

reference anti-VM strings targeting Xen
- "XenixServer" @ file+0x19E694

Could just be a fluke, but still hoping for a good explanation on why this behaviour exists, thanks.

[TorniX0]

The binary SHA256 hash you provided matches with the latest version of OpenTimerResolution (v1.0.4.6, at the date of writing this message). I can confirm that the detections you've received are false positives. There are no VM detection checks present in OpenTimerResolution or in any of the provided binaries.
If you don't want to trust the pre-built binaries from the release page, you're free to decompile them or to download the source code, inspect it, and build the software yourself using Visual Studio.

[realcoloride]

"but still hoping for a good explanation on why this behavior exists"
i cannot believe a human thought it was a good idea to make an issue like this

@TorniX0 you should have just closed without explanation

[man-im-unoriginal-af]

It's okay. I know you're trying your best with what little social skills you have to reply like this. Keep trying along with touching more grass your way. Though, I could stand to be corrected with a more relevant and more amicable reply.

…

On Thu, Jul 4, 2024, 5:26 AM Coloride < ***@***.***> wrote: "but still hoping for a good explanation on why this behavior exists" i cannot believe a human thought it was a good idea to make an issue like this @TorniX0 you should have just closed without explan *DuckDuckGo* removed one tracker. More <https://duckduckgo.com/-h09T3cVuqEOE8m2IHfWPv0839L0DDCrOepHPdJZWE3liXafEDfdgMPcIA4nVMP9dJkD4gTWtw3s4ZnJy1CsBzEO8NKzFQmtQPbEutAXp56NJypAUAgpTdG5tiqyv7879ozLzehfDe0qB1q7EUKuHfCiEnSyL00yKxcLd53jyN3GfOt7r7uR_bnFAjvFeuVRonHFft83rI5HiBfq3AP5OdfEVsNWAqlAO-FjAe5nay5DuuUeyt8ySM0JHTJ0Mn8fHSHF3Gm97PwB6f7iVeOa-IA6RRIMhDuaxkALEIg9DtNOaZRwTZRDnX--4EJZByIUceB5JGAnCR-2j6uCG2kK6Phb0gDstai5rI2lvqqSuciWfMx5cy2meFAEu9L4BJVWX2GxFQhN4P38UXE-PqCeAYe5QwlXeXcWxogqLV-fj7dYX9BukLjahssNVYobdIDtF2ftHaWMKC9fI7UwjESV55pDSAKBlx2miW49O8ffpy4ZZJD_IiDy6qnRWdSojIIIa4xe38> Deactivate <https://duckduckgo.com/> "but still hoping for a good explanation on why this behavior exists" i cannot believe a human thought it was a good idea to make an issue like this @TorniX0 <https://github.com/TorniX0> you should have just closed without explanation — Reply to this email directly, view it on GitHub <#7 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHPQFBTKSJ2ZB62EZAB37Q3ZKRT7XAVCNFSM6AAAAABKKK6OHCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMBXGMZTMMJTGA> . You are receiving this because you authored the thread.Message ID: ***@***.***>