Windows Analysis Report
ZipThis.exe

Overview

General Information

Sample name: ZipThis.exe
Analysis ID: 1501610
MD5: aef8e2ddee43159f655e6a824ecc74bf
SHA1: 8621b15772b32e8a2f1c1888e91c494c95ea6a63
SHA256: 4e21e9cb996113fa0dd6a73ead7ffa066ce81e3f0ea4f18c7a409f8d4c3bf3b3

Detection

Score: 20
Range: 0 - 100
Whitelisted: false
Confidence: 40%

Signatures

AI detected suspicious sample
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 95.7% probability
Source: C:\Users\user\Desktop\ZipThis.exe Directory created: C:\Program Files\ZipThis
Source: C:\Users\user\Desktop\ZipThis.exe Directory created: C:\Program Files\ZipThis\zipthisUserId.txt
Source: ZipThis.exe Static PE information: certificate valid
Source: unknown HTTPS traffic detected: 45.33.84.9:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: ZipThis.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: global traffic HTTP traffic detected: POST /v6 HTTP/1.1Content-Type: text/plain; charset=utf-8Host: apb.thisilient.comContent-Length: 88Expect: 100-continueConnection: Keep-Alive
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: apb.thisilient.com
Source: unknown HTTP traffic detected: POST /v6 HTTP/1.1Content-Type: text/plain; charset=utf-8Host: apb.thisilient.comContent-Length: 88Expect: 100-continueConnection: Keep-Alive
Source: ZipThis.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ZipThis.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ZipThis.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: ZipThis.exe String found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
Source: ZipThis.exe String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0$
Source: ZipThis.exe String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: ZipThis.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ZipThis.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ZipThis.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ZipThis.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: ZipThis.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: ZipThis.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: ZipThis.exe String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: ZipThis.exe String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: ZipThis.exe String found in binary or memory: http://ocsp.globalsign.com/rootr30;
Source: ZipThis.exe, 00000000.00000002.4110921291.000001A980001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ZipThis.exe, 00000000.00000002.4114945578.000001A9ECC36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFL
Source: ZipThis.exe String found in binary or memory: http://scripts.sil.org/OFLThis
Source: ZipThis.exe String found in binary or memory: http://scripts.sil.org/OFLhttps://rsms.me/Rasmus
Source: ZipThis.exe String found in binary or memory: http://scripts.sil.org/OFLhttps://www.indiantypefoundry.comhttp://www.colophon-foundry.orgColophon
Source: ZipThis.exe, 00000000.00000002.4114945578.000001A9ECC20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://scripts.sil.org/OFLital
Source: ZipThis.exe String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: ZipThis.exe String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: ZipThis.exe String found in binary or memory: http://secure.globalsign.com/cacert/root-r3.crt06
Source: ZipThis.exe, 00000000.00000002.4117295212.000001A9F0A72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.colophon-foundry.org
Source: ZipThis.exe, 00000000.00000002.4110921291.000001A980001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apb.thisilient.com
Source: ZipThis.exe String found in binary or memory: https://apb.thisilient.com/v6
Source: ZipThis.exe, 00000000.00000002.4110921291.000001A980001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://apb.thisilient.com/v6h
Source: ZipThis.exe String found in binary or memory: https://can.thisilient.com/r
Source: ZipThis.exe String found in binary or memory: https://github.com/rsms/inter)
Source: ZipThis.exe String found in binary or memory: https://key-guard.io/privacy-policy?
Source: ZipThis.exe String found in binary or memory: https://key-guard.io/terms-of-use?
Source: ZipThis.exe, 00000000.00000002.4117295212.000001A9F0A72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://rsms.me/
Source: ZipThis.exe String found in binary or memory: https://visit.keyguardai.com/click?pid=496&offer_id=14039178
Source: ZipThis.exe String found in binary or memory: https://www.globalsign.com/repository/0
Source: ZipThis.exe, 00000000.00000002.4117295212.000001A9F0A72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.indiantypefoundry.com
Source: ZipThis.exe, 00000000.00000002.4110921291.000001A980001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zipthisapp.com/legal
Source: ZipThis.exe String found in binary or memory: https://www.zipthisapp.com/legal?
Source: ZipThis.exe, 00000000.00000002.4110921291.000001A980001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zipthisapp.com/policy
Source: ZipThis.exe String found in binary or memory: https://www.zipthisapp.com/policy?
Source: ZipThis.exe String found in binary or memory: https://www.zipthisapp.com/see-you-later
Source: ZipThis.exe String found in binary or memory: https://www.zipthisapp.com/success?u=wSoftware
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6EB68C 0_2_00007FFD9B6EB68C
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6E6E58 0_2_00007FFD9B6E6E58
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6D0D45 0_2_00007FFD9B6D0D45
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6E09CE 0_2_00007FFD9B6E09CE
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6D404D 0_2_00007FFD9B6D404D
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6D2045 0_2_00007FFD9B6D2045
Source: ZipThis.exe Static PE information: No import functions for PE file found
Source: ZipThis.exe, 00000000.00000000.1649955511.000001A9EA2F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameZipThisApp.exe6 vs ZipThis.exe
Source: ZipThis.exe, 00000000.00000000.1649955511.000001A9EA2F2000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameUninstall.exe4 vs ZipThis.exe
Source: ZipThis.exe Binary or memory string: OriginalFilenameZipThisApp.exe6 vs ZipThis.exe
Source: ZipThis.exe Binary or memory string: OriginalFilenameUninstall.exe4 vs ZipThis.exe
Source: ZipThis.exe, ProcessPathFinder.cs Base64 encoded string: 'QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxHb29nbGVcQ2hyb21lXEFwcGxpY2F0aW9uXGNocm9tZS5leGU=', 'QzpcUHJvZ3JhbSBGaWxlc1xHb29nbGVcQ2hyb21lXEFwcGxpY2F0aW9uXGNocm9tZS5leGU='
Source: classification engine Classification label: sus20.winEXE@1/2@1/1
Source: C:\Users\user\Desktop\ZipThis.exe File created: C:\Program Files\ZipThis
Source: C:\Users\user\Desktop\ZipThis.exe File created: C:\Users\user\AppData\Roaming\SMCR
Source: C:\Users\user\Desktop\ZipThis.exe Mutant created: NULL
Source: ZipThis.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ZipThis.exe Static file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
Source: C:\Users\user\Desktop\ZipThis.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ZipThis.exe String found in binary or memory: $settings = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable -RestartCount 2 -RestartInterval (New-TimeSpan -Minutes 10) -RunOnlyIfNetworkAvailable
Source: ZipThis.exe String found in binary or memory: 2belongings/add_circle.png>belongings/add_circle_white.pngR
Source: ZipThis.exe String found in binary or memory: /Belongings/add_circle.png
Source: ZipThis.exe String found in binary or memory: /Belongings/add_circle_white.png
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: msvcp140_clr0400.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: umpdc.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dataexchange.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: twinapi.appcore.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: msctfui.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: uiautomationcore.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: d3dcompiler_47.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\ZipThis.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ZipThis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\ZipThis.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: ZipThis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: ZipThis.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ZipThis.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: ZipThis.exe Static file information: File size 2883888 > 1048576
Source: ZipThis.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x29fa00
Source: ZipThis.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ZipThis.exe Static PE information: 0xE96BB7F9 [Thu Feb 4 19:39:37 2094 UTC]
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B5BD2A5 pushad ; iretd 0_2_00007FFD9B5BD2A6
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6E7969 push ebx; retf 0_2_00007FFD9B6E796A
Source: C:\Users\user\Desktop\ZipThis.exe Code function: 0_2_00007FFD9B6E88BB push dword ptr [edi-74B7A0B5h]; retf 0_2_00007FFD9B6E88C3
Source: C:\Users\user\Desktop\ZipThis.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\ZipThis.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\ZipThis.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ZipThis.exe Memory allocated: 1A9EC090000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ZipThis.exe Memory allocated: 1A9EC240000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\ZipThis.exe Window / User API: threadDelayed 2613
Source: C:\Users\user\Desktop\ZipThis.exe Window / User API: threadDelayed 7189
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99887s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99707s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99578s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99455s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99333s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -99093s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -98945s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -98717s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe TID: 5472 Thread sleep time: -98609s >= -30000s
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99887
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99707
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99578
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99455
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99333
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99203
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 99093
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 98945
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 98828
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 98717
Source: C:\Users\user\Desktop\ZipThis.exe Thread delayed: delay time: 98609
Source: ZipThis.exe, 00000000.00000002.4116733309.000001A9F0658000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ZipThis.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\ZipThis.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Users\user\Desktop\ZipThis.exe VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\ZipThis.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid