Source: Submited Sample |
Integrated Neural Analysis Model: Matched 89.9% probability |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
String found in binary or memory: https://windows.php.net/downloads/releases/archives/mallocgc |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Number of sections : 15 > 10 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Section: /19 ZLIB complexity 1.0001677389705883 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Section: /32 ZLIB complexity 0.9981123428770949 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Section: /65 ZLIB complexity 0.9988079019073569 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Section: /78 ZLIB complexity 0.9925872011840929 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Binary string: bindm in unexpected GOOSrunqsteal: runq overflowdouble traceGCSweepStartunexpected buffer len=%vinvalid pseudo-header %qframe_headers_prio_shortinvalid request :path %qread_frame_conn_error_%sRequest Entity Too Largehttp: nil Request.Headerexec: Stdout already setfloating point exceptionconnection reset by peerlevel 2 not synchronizedlink number out of rangeout of streams resourcesfunction not implementedstructure needs cleaningnot supported by windowsCertFreeCertificateChainCreateToolhelp32SnapshotGetUserProfileDirectoryWSA Pacific Standard TimeSA Eastern Standard TimeUS Eastern Standard TimeSA Western Standard TimeMontevideo Standard TimeMagallanes Standard TimePacific SA Standard TimeAzerbaijan Standard TimeBangladesh Standard TimeNorth Asia Standard TimeCape Verde Standard Time116415321826934814453125582076609134674072265625flate: maxBits too largeerror decrypting messagecertificate unobtainableidna: disallowed rune %USetConsoleCursorPosition\Device\NamedPipe\cygwininvalid pattern syntax: x509: malformed validityaddress string too shortresource length too longunpacking Question.ClassstreamSafe was not resetGODEBUG sys/cpu: value "", required CPU feature |
Source: classification engine |
Classification label: sus22.winEXE@6/0@0/0 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7580:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03 |
Source: C:\Windows\System32\conhost.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
File opened: C:\Windows\system32\7c10d8ad9e1362281ee3eddaa0cab049c93af6e547960cb15f257a2d66b74b8dAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
File opened: C:\Windows\system32\ddf38300a7ae2239275e8d94af43932ad663dbb028586b701ba39f351b1230daAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
File opened: C:\Windows\system32\14ddd44c9e2a11941f61faf492da01d822eaa4d6270abc04e6af69218ffa003aAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA |
Jump to behavior |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
String found in binary or memory: C:/Program Files/Go/src/net/addrselect.go |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
String found in binary or memory: C:/Users/Harry/Dev/pvm/commands/install.go |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" -install |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" /install |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: unknown |
Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe" /load |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: powrprof.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Section loaded: umpdc.dll |
Jump to behavior |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Virtual size of .text is bigger than: 0x100000 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static file information: File size 7715328 > 1048576 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Raw size of .text is bigger than: 0x100000 < 0x25a400 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x267400 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: .xdata |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /4 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /19 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /32 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /46 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /65 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /78 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: /90 |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Static PE information: section name: .symtab |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Code function: 3_2_000000015D5FEE32 push ecx; retf |
3_2_000000015D5FEE69 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Code function: 3_2_000000015D5FD768 push ecx; retf |
3_2_000000015D5FD7C9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Code function: 5_2_00000077777FD608 push ecx; retf |
5_2_00000077777FD609 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Code function: 5_2_00000077777FECA8 push ecx; retf |
5_2_00000077777FECA9 |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe |
Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX |
Jump to behavior |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000000.00000002.1376606657.0000026C8E834000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000003.00000002.1398366729.000001A4C7FDF000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.SuspectCRC.22408.10876.exe, 00000005.00000002.1420803524.00000254E38DF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |