Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 10, 2021, 8:44 a.m.	April 10, 2021, 8:49 a.m.

Size	685.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`39a920febc79e6df3e3b6ac767877d66`
SHA256	`038be70d00970bdeed90434c6f0281c9bb765909ce3c88c20e98c98e3b567d5d`
CRC32	`29DA7F5E`
ssdeep	`12288:uBDoh61c1or+ECi4vRkXoUhCzoWEM+58RpehCPRojA6rDpnw8nEDglXs7tl8vbP:Bc1UqlCiARSoy5M+5epehQR`
Yara	Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Azorult_Net_1_Zero - Win32 Trojan PWS .NET Azorult PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

xlsf.exe "C:\Users\test22\AppData\Local\Temp\xlsf.exe"
1116
- xlsf.exe "C:\Users\test22\AppData\Local\Temp\xlsf.exe"
  2444

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (50 out of 207 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0
IsDebuggerPresent April 10, 2021, 8:44 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey April 10, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b16580 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b167c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 10, 2021, 8:44 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00b167c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 10, 2021, 8:44 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (2 events)

section	NJT*5\x175`
section

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 137 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72741000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72742000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02280000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 569344 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00842000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 10, 2021, 8:44 a.m.	process_identifier: 1116 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008ce000 process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

xlsf.exe tried to sleep 362 seconds, actually delayed analysis time by 362 seconds

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0008b000', u'virtual_address': u'0x00002000', u'entropy': 7.99965421052019, u'name': u'NJT*5\\x175`', u'virtual_size': u'0x0008afb8'}

entropy

7.99965421052

description

A section with a high entropy has been found

entropy

0.812865497076

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 10, 2021, 8:44 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 10, 2021, 8:49 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Affect private profile	rule	win_files_operation
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 2444 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000194fc	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2444 process_handle: 0x000194fc	1	1	0
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2444 process_handle: 0x000194fc	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2444 process_handle: 0x000194fc	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 called NtSetContextThread to modify thread in remote process 2444
NtSetContextThread April 10, 2021, 8:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000f71c process_identifier: 2444	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1116 resumed a thread in remote process 2444
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000f71c suspend_count: 1 process_identifier: 2444	1	0	0

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x00011170 suspend_count: 1 process_identifier: 1116	1	0
NtGetContextThread April 10, 2021, 8:44 a.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread April 10, 2021, 8:44 a.m.	thread_handle: 0x000000e8	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x0000edf4 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x00008b08 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:44 a.m.	thread_handle: 0x00019790 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x00009da4 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x000194f8 suspend_count: 1 process_identifier: 1116	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000a58c suspend_count: 1 process_identifier: 1116	1	0
CreateProcessInternalW April 10, 2021, 8:46 a.m.	thread_identifier: 2216 thread_handle: 0x0000f71c process_identifier: 2444 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\xlsf.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\xlsf.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000194fc	1	1
NtGetContextThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000f71c	1	0
NtAllocateVirtualMemory April 10, 2021, 8:46 a.m.	process_identifier: 2444 region_size: 163840 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000194fc	1	0
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELu=à pðÏ@@.text op ` base_address: 0x00400000 process_identifier: 2444 process_handle: 0x000194fc	1	1
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: base_address: 0x00401000 process_identifier: 2444 process_handle: 0x000194fc	1	1
WriteProcessMemory April 10, 2021, 8:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2444 process_handle: 0x000194fc	1	1
NtSetContextThread April 10, 2021, 8:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313072 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000f71c process_identifier: 2444	1	0
NtResumeThread April 10, 2021, 8:46 a.m.	thread_handle: 0x0000f71c suspend_count: 1 process_identifier: 2444	1	0

File has been identified by 38 AntiVirus engines on VirusTotal as malicious (38 events)

Elastic	malicious (high confidence)
MicroWorld-eScan	Trojan.GenericKD.36663427
McAfee	RDN/Generic.dx
Malwarebytes	Malware.Heuristic.1003
Sangfor	Trojan.Win32.AgentTesla.ml
K7AntiVirus	Riskware ( 0040eff71 )
K7GW	Riskware ( 0040eff71 )
CrowdStrike	win/malicious_confidence_90% (W)
Symantec	ML.Attribute.HighConfidence
ESET-NOD32	a variant of MSIL/Kryptik.AAJB
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Injuke.gen
BitDefender	Trojan.GenericKD.36663427
Avast	FileRepMalware
Ad-Aware	Trojan.GenericKD.36663427
Emsisoft	Trojan.GenericKD.36663427 (B)
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
FireEye	Generic.mg.39a920febc79e6df
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
GData	Win32.Trojan-Stealer.FormBook.DVASJR
eGambit	Unsafe.AI_Score_91%
Gridinsoft	Trojan.Win32.Agent.oa
AegisLab	Trojan.Win32.Generic.4!c
Microsoft	Trojan:Win32/AgentTesla!ml
Cynet	Malicious (score: 100)
MAX	malware (ai score=80)
VBA32	CIL.HeapOverride.Heur
Cylance	Unsafe
Rising	Trojan.Generic!8.C3 (CLOUD)
Yandex	Trojan.AvsArher.bUx2VN
Ikarus	Trojan.MSIL.Crypt
Fortinet	PossibleThreat.PALLAS.H
BitDefenderTheta	Gen:NN.ZemsilF.34670.Qu0@amLj9uk
AVG	FileRepMalware
Cybereason	malicious.7fd77f
Qihoo-360	Win32/Trojan.Generic.HwMAdoAA

xlsf.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All