Source: Submitted Sample |
Integrated Neural Analysis Model: Matched 98.5% probability |
Source: ZxndP8S9k7.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: classification engine |
Classification label: sus22.winEXE@2/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6044:120:WilError_03 |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: ZxndP8S9k7.exe |
String found in binary or memory: hreadflow_limitfont/woff2formactionformmethodformtargetgetsockoptgoroutine gtrapprox;gtreqless;gvertneqq;heartsuit;hosts.jsonhttp-equivhttp_proxyimage/jpegimage/webpinstanceofinvalidptrkeep-aliveleftarrow;lesseqgtr;local-addrlocal_pathlocal_portlocal_typelvert |
Source: ZxndP8S9k7.exe |
String found in binary or memory: nmidlelocked= on zero Value out of range procedure in t.npagesKey= to finalizer untyped args $htmltemplate_,"color":true}-thread limit .in-addr.arpa.1907348632812595367431640625: extra text: ; SameSite=LaxAccept-CharsetApplyFunction;CertCloseStoreContent- |
Source: ZxndP8S9k7.exe |
String found in binary or memory: ff:6Mask/Addr |
Source: unknown |
Process created: C:\Users\user\Desktop\ZxndP8S9k7.exe "C:\Users\user\Desktop\ZxndP8S9k7.exe" |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Section loaded: cryptbase.dll |
Source: ZxndP8S9k7.exe |
Static file information: File size 2859008 > 1048576 |
Source: ZxndP8S9k7.exe |
Static PE information: Raw size of UPX1 is bigger than: 0x100000 < 0x2b9c00 |
Source: ZxndP8S9k7.exe |
Static PE information: section name: UPX2 |
Source: initial sample |
Static PE information: section name: UPX0 |
Source: initial sample |
Static PE information: section name: UPX1 |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\ZxndP8S9k7.exe |
System information queried: CurrentTimeZoneInformation |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: ZxndP8S9k7.exe, 00000005.00000002.1273968437.0000000000401000.00000040.00000001.01000000.00000003.sdmp |
Binary or memory string: Subject: AMDisbetter!AuthenticAMDBidi_ControlCIDR addressCONTINUATIONCentaurHaulsCircleMinus;CircleTimes;Content TypeContent-TypeCookie.ValueECDSA-SHA256ECDSA-SHA384ECDSA-SHA512Equilibrium;FECRecoveredFindNextFileGenuineIntelGenuineTMx86Geode by NSCGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetStdHandleGetTempPathWGreaterLess;I'm a teapotInCsumErrorsInstAltMatchJoin_ControlKVMKVMKVMKVMLeftCeiling;LessGreater;LittleEndianLoadLibraryWMax-ForwardsMediumSpace;Meetei_MayekMicrosoft HvMime-VersionMulti-StatusNot ExtendedNot ModifiedNotLessLess;NotPrecedes;NotSucceeds;NotSuperset;OverBracket;PUSH_PROMISEPahawh_HmongPassiveOpensRCPT TO:<%s>ReadConsoleWRevertToSelfRightVector;Rrightarrow;RuleDelayed;SERIALNUMBERSetEndOfFileSmallCircle;Sora_SompengSquareUnion;SubsetEqual;Syloti_NagriTransitionalTransmetaCPUTransmitFileUnauthorizedUpDownArrow;Updownarrow;VIA VIA VIA VMwareVMwareVerticalBar;X-ImforwardsX-Powered-ByXenVMMXenVMM_MSpanManualabi mismatchadvapi32.dllaltmatch -> anynotnl -> autocompletebackepsilon;bad g statusbad g0 stackbad recoveryblacksquare;block clausecan't happencas64 failedchan receivecircledcirc;circleddash;clients.jsonclose notifyconfig path:content-typecontext.TODOcurlyeqprec;curlyeqsucc;diamondsuit;dumping heapecho requestend tracegc |
Source: ZxndP8S9k7.exe, 00000005.00000002.1274978992.0000000000AEE000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |