Windows Analysis Report
D_47267_1687617Q.exe

Overview

General Information

Sample name: D_47267_1687617Q.exe
Analysis ID: 1522881
MD5: a31c36986e12203913067e4b5bd81665
SHA1: 5db1c9a5cccc75628fde0c2ee4d807b28f2dfc2b
SHA256: c68c8abb1a3272b6c9bdd749b32b91dc909b0e84afd06e067bda1a81a96319b8
Tags: exeuser-Porcupine

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Contains functionality to register a callback to get notified when the system is suspended or resumed (often done by Miners)
Found Tor onion address
Potentially malicious time measurement code found
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 86.6% probability

Bitcoin Miner

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D1CE0 LoadLibraryExW, 0_2_004D1CE0
Source: D_47267_1687617Q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 4x nop then lock or byte ptr [rdx], dil 0_2_004BE700
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 4x nop then shr r10, 0Dh 0_2_004C9720
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 4x nop then shr r10, 0Dh 0_2_004CABC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 4x nop then cmp rdx, rbx 0_2_004ABE60
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 4x nop then cmp rdx, 40h 0_2_004BDFC0

Networking

Source: D_47267_1687617Q.exe, 00000000.00000002.3253554645.0000000000711000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTTuesdayJanuaryOctoberMUI_StdMUI_DltabortedCopySidFreeSidSleepExWSARecvWSASendconnectsignal :events19531259765625invaliduintptrChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN, goid= s=nil
Source: D_47267_1687617Q.exe String found in binary or memory: m=nil base X25519%w%.0wAcceptServernetdnsdomaingophertelnetreturn.local.onionip+netCONIN$rdtscppopcntcmd/gosecretheaderAnswerLengthSTREETavx512rdrandrdseedGlobal\BooleanLayeredRoutingfloat32float64UpgradeTrailersocks5hHEADERSReferer flags= len=%d (conn) %v=%v,expiresrefererrefreshtrailerGODEBUGname %q:method:schemeupgrade:statushttp://chunkedCreatedIM UsedCONNECTreaddirconsolePATHEXTTuesdayJanuaryOctoberMUI_StdMUI_DltabortedCopySidFreeSidSleepExWSARecvWSASendconnectsignal :events19531259765625invaliduintptrChanDir Value>ConvertforcegcallocmWcpuprofallocmRunknowngctraceIO waitrunningsyscallwaitingforevernetworkUNKNOWN, goid= s=nil
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D3260 DuplicateHandle,GetCurrentThreadId,CreateWaitableTimerExW,CreateWaitableTimerExW,NtCreateWaitCompletionPacket,VirtualQuery, 0_2_004D3260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D1620 NtCancelWaitCompletionPacket,SetWaitableTimer,NtAssociateWaitCompletionPacket, 0_2_004D1620
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D1A20 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 0_2_004D1A20
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D4100 0_2_004D4100
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004A2260 0_2_004A2260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004DE620 0_2_004DE620
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C6760 0_2_004C6760
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B3840 0_2_004B3840
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004E5820 0_2_004E5820
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C5940 0_2_004C5940
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0050598C 0_2_0050598C
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004ACD80 0_2_004ACD80
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004DEFA0 0_2_004DEFA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004EA020 0_2_004EA020
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0052D0C0 0_2_0052D0C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005310E0 0_2_005310E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004E0160 0_2_004E0160
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0050C240 0_2_0050C240
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C0260 0_2_004C0260
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005332C0 0_2_005332C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004DC280 0_2_004DC280
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B8380 0_2_004B8380
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004FC3A0 0_2_004FC3A0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004AA400 0_2_004AA400
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D8420 0_2_004D8420
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005354C0 0_2_005354C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005434C0 0_2_005434C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005384E0 0_2_005384E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004F9480 0_2_004F9480
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0051A500 0_2_0051A500
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005435E0 0_2_005435E0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004F0580 0_2_004F0580
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C3630 0_2_004C3630
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B76C0 0_2_004B76C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C46A0 0_2_004C46A0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B1760 0_2_004B1760
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C9720 0_2_004C9720
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0052D7C0 0_2_0052D7C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005337C0 0_2_005337C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_005437C0 0_2_005437C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004DB8C0 0_2_004DB8C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004F5940 0_2_004F5940
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B6960 0_2_004B6960
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00500960 0_2_00500960
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00531900 0_2_00531900
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D09C0 0_2_004D09C0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004BE980 0_2_004BE980
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0050EAA0 0_2_0050EAA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004ADB60 0_2_004ADB60
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0050FB29 0_2_0050FB29
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004CABC0 0_2_004CABC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D7BE0 0_2_004D7BE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00539BE0 0_2_00539BE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004C9C00 0_2_004C9C00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004FBC20 0_2_004FBC20
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004F1CC0 0_2_004F1CC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00509D40 0_2_00509D40
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00519DE0 0_2_00519DE0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00538DA0 0_2_00538DA0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004A3E40 0_2_004A3E40
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004CCE20 0_2_004CCE20
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004CDEC0 0_2_004CDEC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004E7EC0 0_2_004E7EC0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004FEF00 0_2_004FEF00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_0053EF00 0_2_0053EF00
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004CBF80 0_2_004CBF80
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004B7FA5 0_2_004B7FA5
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: String function: 004D9160 appears 586 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: String function: 004D8940 appears 59 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: String function: 0050A860 appears 539 times
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: String function: 004D63A0 appears 35 times
Source: classification engine Classification label: mal56.evad.mine.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\userBjorn
Source: D_47267_1687617Q.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: D_47267_1687617Q.exe String found in binary or memory: net/addrselect.go
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Section loaded: powrprof.dll
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Section loaded: umpdc.dll
Source: D_47267_1687617Q.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: D_47267_1687617Q.exe Static file information: File size 5580288 > 1048576
Source: D_47267_1687617Q.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x26f800
Source: D_47267_1687617Q.exe Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x289e00
Source: D_47267_1687617Q.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: D_47267_1687617Q.exe Static PE information: section name: .xdata
Source: D_47267_1687617Q.exe Static PE information: section name: .symtab
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00512880 rdtscp 0_2_00512880
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D2320 GetSystemInfo,SetProcessPriorityBoost, 0_2_004D2320
Source: D_47267_1687617Q.exe Binary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOM in host namelame referralgzip, deflateGetTempPath2Wlevel 3 resetsrmount errortimer expiredexchange fullRegDeleteKeyWRegEnumValueWgocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretname too longempty integerunsupported: SustainabilityTransformationAuthenticationInitializationRiskManagementVirtualMachineis a directoryunexpected EOFContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableComputerNameExasynctimerchan: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreClearCommBreakClearCommErrorCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valueunknown methoduserArenaStateGC (dedicated)read mem statsgcstoptheworldprofstackdepthtraceallocfreeGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersion
Source: D_47267_1687617Q.exe Binary or memory string: sched={pc:, gp->status= pluginpath= : unknown pc called from runtime: pid=tlsmaxrsasizeaccess denieduser canceledPKCS1WithSHA1ECDSAWithSHA1CLIENT_RANDOM in host namelame referralgzip, deflateGetTempPath2Wlevel 3 resetsrmount errortimer expiredexchange fullRegDeleteKeyWRegEnumValueWgocacheverifyinstallgoroothtml/templateinvalid ASN.1SHA256-RSAPSSSHA384-RSAPSSSHA512-RSAPSSemail addressshared_secretname too longempty integerunsupported: SustainabilityTransformationAuthenticationInitializationRiskManagementVirtualMachineis a directoryunexpected EOFContent-LengthMAX_FRAME_SIZEPROTOCOL_ERRORINTERNAL_ERRORREFUSED_STREAMERR_UNKNOWN_%daccept-charsetcontent-lengthread_frame_eofinternal errorunknown error unknown code: Not AcceptableComputerNameExasynctimerchan: extra text: ControlServiceCreateServiceWCryptGenRandomIsWellKnownSidMakeAbsoluteSDOpenSCManagerWSetThreadTokenCertCloseStoreClearCommBreakClearCommErrorCreateEventExWCreateMutexExWCreateProcessWFindFirstFileWFormatMessageWGetConsoleModeGetProcAddressGetTickCount64IsWow64ProcessLoadLibraryExWModule32FirstWProcess32NextWSetConsoleModeSetFilePointerSizeofResourceVirtualProtectVirtualQueryExNetUserGetInfoCoInitializeExCoUninitializeGetUserNameExWTranslateNameWGetShellWindowVerQueryValueWgetprotobyname procedure in invalid syntax1907348632812595367431640625unsafe.Pointer on zero Valueunknown methoduserArenaStateGC (dedicated)read mem statsgcstoptheworldprofstackdepthtraceallocfreeGC assist waitfinalizer waitsync.Cond.Waits.allocCount= nil elem type! to finalizer GC worker initruntime: full=runtime: want=MB; allocated RtlGetVersiontimeEndPeriodbad restart PC-thread limit
Source: D_47267_1687617Q.exe, 00000000.00000002.3255090691.000001FB58B3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Anti Debugging

Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00512880 Start: 00512889 End: 0051289F 0_2_00512880
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_00512880 rdtscp 0_2_00512880
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\D_47267_1687617Q.exe Code function: 0_2_004D1A20 LoadLibraryExW,LoadLibraryExW,NtCreateWaitCompletionPacket,NtAssociateWaitCompletionPacket,NtCancelWaitCompletionPacket,RtlGetCurrentPeb,RtlGetVersion, 0_2_004D1A20
No contacted IP infos