Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 3, 2021, 10:05 a.m.	June 3, 2021, 10:10 a.m.

Size	971.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4b5e8f1de3016ca1027db5eb4e0a98dd`
SHA256	`5349c12829e9211379203cade48f7d00777a66b4cb898d68764da90890aae048`
CRC32	`B407540A`
ssdeep	`24576:iL9s4eEqwW8iA6fR+OfMTm8pIjbXHdseCkhnw:iLOR+/T7SXXHw`
Yara	PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals anti_vm_detect - Possibly employs anti-virtualization techniques Is_DotNET_EXE - (no description) IsPE32 - (no description) Malicious_Library_Zero - Malicious_Library

XiTAmVLm88EpcSc.exe "C:\Users\test22\AppData\Local\Temp\XiTAmVLm88EpcSc.exe"
8052
- XiTAmVLm88EpcSc.exe "C:\Users\test22\AppData\Local\Temp\XiTAmVLm88EpcSc.exe"
  2060

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 3, 2021, 10:05 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 3, 2021, 10:07 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 103 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc91000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fc92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00432000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00433000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00467000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00434000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00436000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00452000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0045c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00691000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00465000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00446000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00438000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00439000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00692000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:05 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00693000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00694000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 8052 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000edc00', u'virtual_address': u'0x00002000', u'entropy': 7.3689455018026795, u'name': u'.text', u'virtual_size': u'0x000eda14'}

entropy

7.3689455018

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00004c00', u'virtual_address': u'0x000f0000', u'entropy': 7.7656279153400805, u'name': u'.rsrc', u'virtual_size': u'0x00004ab0'}

entropy

7.76562791534

description

A section with a high entropy has been found

entropy

0.999484801649

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 3, 2021, 10:07 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Possibly employs anti-virtualization techniques	rule	vmdetect
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

C:\Users\test22\AppData\Local\Temp\XiTAmVLm88EpcSc.exe

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 2060 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELSíTà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 2060 process_handle: 0x000001f0	1	1	0
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2060 process_handle: 0x000001f0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELSíTà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 2060 process_handle: 0x000001f0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8052 called NtSetContextThread to modify thread in remote process 2060
NtSetContextThread June 3, 2021, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2060	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 8052 resumed a thread in remote process 2060
NtResumeThread June 3, 2021, 10:07 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2060	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (10 events)

Time & API	Arguments	Status	Return
NtResumeThread June 3, 2021, 10:05 a.m.	thread_handle: 0x000000d0 suspend_count: 1 process_identifier: 8052	1	0
NtResumeThread June 3, 2021, 10:05 a.m.	thread_handle: 0x00000160 suspend_count: 1 process_identifier: 8052	1	0
CreateProcessInternalW June 3, 2021, 10:07 a.m.	thread_identifier: 6596 thread_handle: 0x000001f4 process_identifier: 2060 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\XiTAmVLm88EpcSc.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\XiTAmVLm88EpcSc.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f0	1	1
NtGetContextThread June 3, 2021, 10:07 a.m.	thread_handle: 0x000001f4	1	0
NtAllocateVirtualMemory June 3, 2021, 10:07 a.m.	process_identifier: 2060 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f0	1	0
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $}f?9QH9QH9QH"úHuQH"ÏH:QH"ÌH8QHRich9QHPELSíTà r Ð@@.textPpr ` base_address: 0x00400000 process_identifier: 2060 process_handle: 0x000001f0	1	1
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: base_address: 0x00401000 process_identifier: 2060 process_handle: 0x000001f0	1	1
WriteProcessMemory June 3, 2021, 10:07 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2060 process_handle: 0x000001f0	1	1
NtSetContextThread June 3, 2021, 10:07 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4313248 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2060	1	0
NtResumeThread June 3, 2021, 10:07 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2060	1	0

File has been identified by 33 AntiVirus engines on VirusTotal as malicious (33 events)

Elastic	malicious (high confidence)
DrWeb	Trojan.PackedNET.793
FireEye	Generic.mg.4b5e8f1de3016ca1
McAfee	PWS-FCUF!4B5E8F1DE301
Malwarebytes	Spyware.TelegramBot
Sangfor	Trojan.MSIL.Noon.gen
K7AntiVirus	Trojan ( 0057d7201 )
Alibaba	Trojan:Win32/Kryptik.ali2000016
K7GW	Trojan ( 0057d7201 )
CrowdStrike	win/malicious_confidence_60% (W)
Cyren	W32/MSIL_Kryptik.DZG.gen!Eldorado
Symantec	Trojan.Gen.2
ESET-NOD32	a variant of MSIL/Kryptik.ABFU
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Kaspersky	HEUR:Trojan-Spy.MSIL.Noon.gen
Paloalto	generic.ml
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
Ikarus	Trojan.MSIL.Crypt
eGambit	Unsafe.AI_Score_98%
Avira	TR/Kryptik.yegqb
Kingsoft	Win32.Troj.Undef.(kcloud)
AegisLab	Trojan.MSIL.Noon.l!c
GData	Win32.Trojan-Stealer.FormBook.5ARW9G
Cynet	Malicious (score: 100)
AhnLab-V3	Suspicious/Win.MSILKrypt.X2104
MAX	malware (ai score=100)
TrendMicro-HouseCall	TROJ_GEN.R06CH0CF221
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/Kryptik.ADC!tr
AVG	Win32:PWSX-gen [Trj]
Cybereason	malicious.156a79

XiTAmVLm88EpcSc.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All