Windows Analysis Report
HSZXPMB7kS.exe

Overview

General Information

Sample name: HSZXPMB7kS.exe
renamed because original name is a hash value
Original sample name: 2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd.exe
Analysis ID: 1522688
MD5: d6f5ca5da79a7eb267670cc0e6f5d590
SHA1: 6d62f339e2bb9b107b0309663d30e4e4647e4b5d
SHA256: 2a3da413f9f0554148469ea715f2776ab40e86925fb68cc6279ffc00f4f410dd
Tags: exeUAC-0099user-JAMESWT_MHT
Infos:

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
File is packed with WinRar
Found evasive API chain (date check)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Searches for the Microsoft Outlook file path
Sigma detected: Suspicious LNK Double Extension File Created
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: HSZXPMB7kS.exe Avira: detected
Multi AV Scanner detection for submitted file
Source: HSZXPMB7kS.exe ReversingLabs: Detection: 63%
Source: HSZXPMB7kS.exe Virustotal: Detection: 65% Perma Link
Uses 32bit PE files
Source: HSZXPMB7kS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: HSZXPMB7kS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: HSZXPMB7kS.exe
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_0012BA94
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_0013D410
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014C4F8 FindFirstFileExA, 1_2_0014C4F8
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown DNS traffic detected: query: 183.59.114.20.in-addr.arpa replaycode: Name error (3)
Source: unknown DNS traffic detected: query: 15.164.165.52.in-addr.arpa replaycode: Name error (3)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
Source: global traffic DNS traffic detected: DNS query: 183.59.114.20.in-addr.arpa
Contains functionality to call native functions
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B080 SetWindowLongW,NtdllDefWindowProc_W, 1_2_0013B080
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00127AAF: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW, 1_2_00127AAF
Detected potential crypto function
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001292C6 1_2_001292C6
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00137DCC 1_2_00137DCC
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00135001 1_2_00135001
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00138243 1_2_00138243
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00135272 1_2_00135272
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00146298 1_2_00146298
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001302F7 1_2_001302F7
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001313F6 1_2_001313F6
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013741E 1_2_0013741E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001464C7 1_2_001464C7
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001355A0 1_2_001355A0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014E5F0 1_2_0014E5F0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001307A0 1_2_001307A0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012D833 1_2_0012D833
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013889F 1_2_0013889F
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012395A 1_2_0012395A
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014EA9E 1_2_0014EA9E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00124A8E 1_2_00124A8E
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00152BA4 1_2_00152BA4
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012FCCC 1_2_0012FCCC
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00122EB6 1_2_00122EB6
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 0013FEEC appears 42 times
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 0013FFC0 appears 56 times
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: String function: 00140790 appears 31 times
Searches for the Microsoft Outlook file path
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE Jump to behavior
Uses 32bit PE files
Source: HSZXPMB7kS.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal56.winEXE@1/1@2/0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00127727 GetLastError,FormatMessageW, 1_2_00127727
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B0BE CLSIDFromString,CoCreateInstance, 1_2_0013B0BE
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013B6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,CreateStreamOnHGlobal,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree, 1_2_0013B6C2
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5346625 Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: sfxname 1_2_0013F04C
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: sfxstime 1_2_0013F04C
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Command line argument: STARTDLG 1_2_0013F04C
Source: HSZXPMB7kS.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File read: C:\Windows\win.ini Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: HSZXPMB7kS.exe ReversingLabs: Detection: 63%
Source: HSZXPMB7kS.exe Virustotal: Detection: 65%
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File read: C:\Users\user\Desktop\HSZXPMB7kS.exe Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: <pi-ms-win-core-synch-l1-2-0.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: <pi-ms-win-core-fibers-l1-1-1.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: <pi-ms-win-core-localization-l1-2-1.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxgidebug.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msiso.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mshtml.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: srpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: msimtf.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: uiautomationcore.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32 Jump to behavior
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: HSZXPMB7kS.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
Source: HSZXPMB7kS.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: HSZXPMB7kS.exe
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: HSZXPMB7kS.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
File is packed with WinRar
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe File created: C:\Users\user\Desktop\__tmp_rar_sfx_access_check_5346625 Jump to behavior
PE file contains sections with non-standard names
Source: HSZXPMB7kS.exe Static PE information: section name: .didat
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001407E0 push ecx; ret 1_2_001407F3
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013FEEC push eax; ret 1_2_0013FF0A
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Memory allocated: 5B60000 memory reserve | memory write watch Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Evasive API call chain: GetLocalTime,DecisionNodes
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012BA94 FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError, 1_2_0012BA94
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013D410 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW, 1_2_0013D410
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014C4F8 FindFirstFileExA, 1_2_0014C4F8
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013F81F VirtualQuery,GetSystemInfo, 1_2_0013F81F
Source: HSZXPMB7kS.exe, 00000001.00000002.1565305433.0000000003089000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe API call chain: ExitProcess graph end node
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001409FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_001409FA
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001491A0 mov eax, dword ptr fs:[00000030h] 1_2_001491A0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0014D1E0 GetProcessHeap, 1_2_0014D1E0
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_001409FA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_001409FA
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140B8D SetUnhandledExceptionFilter, 1_2_00140B8D
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140D7A SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00140D7A
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00144FDF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_00144FDF
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_00140816 cpuid 1_2_00140816
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: GetLocaleInfoW,GetNumberFormatW, 1_2_0013C083
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0013F04C GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle, 1_2_0013F04C
Source: C:\Users\user\Desktop\HSZXPMB7kS.exe Code function: 1_2_0012C365 GetVersionExW, 1_2_0012C365
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1522688 Sample: HSZXPMB7kS.exe Startdate: 30/09/2024 Architecture: WINDOWS Score: 56 8 183.59.114.20.in-addr.arpa 2->8 10 15.164.165.52.in-addr.arpa 2->10 12 Antivirus / Scanner detection for submitted sample 2->12 14 Multi AV Scanner detection for submitted file 2->14 6 HSZXPMB7kS.exe 17 2->6         started        signatures3 process4
No contacted IP infos

Contacted Domains

Name IP Active
15.164.165.52.in-addr.arpa unknown unknown
183.59.114.20.in-addr.arpa unknown unknown