Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 18, 2021, 7:46 a.m.	Nov. 18, 2021, 7:54 a.m.

Size	534.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`9a0348ea86a8f394c5d243795d12d1d8`
SHA256	`1eeefc619c47e94bba1f888ccf927afa4ed7ce28ffc269cc336153ffb3ecb4a2`
CRC32	`1BD4B1B0`
ssdeep	`12288:Zd93q9K7YOR3LJsB2+fHnyv0A4wYYq29PZYxb0P:zw9KhVu/vyv0b69`
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

yale.exe "C:\Users\test22\AppData\Local\Temp\yale.exe"
2340
- yale.exe "C:\Users\test22\AppData\Local\Temp\yale.exe"
  2704

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 18, 2021, 7:47 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 18, 2021, 7:46 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:46 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:46 a.m.			0	0
IsDebuggerPresent Nov. 18, 2021, 7:46 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 18, 2021, 7:46 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Nov. 18, 2021, 7:47 a.m.	stacktrace: 0x6c1790 0x6c0fbb DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738c2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738d264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738d2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739874ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73987610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a11dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a11e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a11f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a1416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f6f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6c1c03 registers.esp: 2027696 registers.edi: 2027720 registers.eax: 0 registers.ebp: 2027732 registers.edx: 195 registers.ebx: 2027980 registers.esi: 37857648 registers.ecx: 0	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Nov. 18, 2021, 7:47 a.m.

stacktrace:

0x6c1790
0x6c0fbb
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x738c2652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x738d264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x738d2e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x739874ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x73987610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x73a11dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x73a11e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x73a11f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x73a1416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x73f6f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74277f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74274de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x772e9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x772e9ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 93 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x6c1c03
registers.esp: 2027696
registers.edi: 2027720
registers.eax: 0
registers.ebp: 2027732
registers.edx: 195
registers.ebx: 2027980
registers.esi: 37857648
registers.ecx: 0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 99 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 2162688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00e10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73941000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73942000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00392000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a16000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a16000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00990000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00992000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a00000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00084e00', u'virtual_address': u'0x00002000', u'entropy': 7.576155887828499, u'name': u'.text', u'virtual_size': u'0x00084d54'}

entropy

7.57615588783

description

A section with a high entropy has been found

entropy

0.996251171509

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 18, 2021, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 18, 2021, 7:46 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess Nov. 18, 2021, 7:46 a.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x00000250		0	0
NtTerminateProcess Nov. 18, 2021, 7:46 a.m.	status_code: 0xffffffff process_identifier: 2668 process_handle: 0x00000250	1	0	0

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2668 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f4		3221225496	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2704 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Nov. 18, 2021, 7:47 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

yale.exe tried to sleep 10912888 seconds, actually delayed analysis time by 10912888 seconds

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 manipulating memory of non-child process 2668
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2668 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f4		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELô«aàN~m @ À@0mKH H.textM N `.rsrcHP@@.reloc V@B base_address: 0x00400000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: 8Ph ´Xê´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNamehkhtwEMHyAuWFGbNPSDjrgKdyCkyeHCaPb.exe(LegalCopyright x'OriginalFilenamehkhtwEMHyAuWFGbNPSDjrgKdyCkyeHCaPb.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: `= base_address: 0x0043a000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x00000258	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELô«aàN~m @ À@0mKH H.textM N `.rsrcHP@@.reloc V@B base_address: 0x00400000 process_identifier: 2704 process_handle: 0x00000258	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 called NtSetContextThread to modify thread in remote process 2704
NtSetContextThread Nov. 18, 2021, 7:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418942 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2704	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2340 resumed a thread in remote process 2704
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2704	1	0	0

Executed a process and injected code into it, probably while unpacking (30 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2340	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2340	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2340	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2340	1	0
NtGetContextThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2340	1	0
CreateProcessInternalW Nov. 18, 2021, 7:46 a.m.	thread_identifier: 2672 thread_handle: 0x000001f8 process_identifier: 2668 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\yale.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\yale.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f4	1	1
NtGetContextThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000001f8	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2668 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f4		3221225496
CreateProcessInternalW Nov. 18, 2021, 7:46 a.m.	thread_identifier: 2708 thread_handle: 0x00000250 process_identifier: 2704 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\yale.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\yale.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000258	1	1
NtGetContextThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000250	1	0
NtAllocateVirtualMemory Nov. 18, 2021, 7:46 a.m.	process_identifier: 2704 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000258	1	0
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELô«aàN~m @ À@0mKH H.textM N `.rsrcHP@@.reloc V@B base_address: 0x00400000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: base_address: 0x00402000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: 8Ph ´Xê´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p'InternalNamehkhtwEMHyAuWFGbNPSDjrgKdyCkyeHCaPb.exe(LegalCopyright x'OriginalFilenamehkhtwEMHyAuWFGbNPSDjrgKdyCkyeHCaPb.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: `= base_address: 0x0043a000 process_identifier: 2704 process_handle: 0x00000258	1	1
WriteProcessMemory Nov. 18, 2021, 7:46 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2704 process_handle: 0x00000258	1	1
NtSetContextThread Nov. 18, 2021, 7:46 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4418942 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000250 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000250 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:46 a.m.	thread_handle: 0x000001d4 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000318 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000390 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000408 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x00000354 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:47 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread Nov. 18, 2021, 7:48 a.m.	thread_handle: 0x000003f8 suspend_count: 1 process_identifier: 2704	1	0

File has been identified by 36 AntiVirus engines on VirusTotal as malicious (36 events)

Lionic	Trojan.Win32.Malicious.4!c
Elastic	malicious (high confidence)
McAfee	RDN/Generic.dx
CrowdStrike	win/malicious_confidence_90% (W)
Alibaba	Packed:MSIL/Confuser.67061947
Arcabit	Trojan.Generic.D2446517
BitDefenderTheta	Gen:NN.ZemsilF.34266.Hm0@aqKDENh
Cyren	W32/MSIL_Kryptik.DLB.gen!Eldorado
ESET-NOD32	a variant of MSIL/Packed.Confuser.K suspicious
Paloalto	generic.ml
Cynet	Malicious (score: 99)
Kaspersky	HEUR:Trojan-PSW.MSIL.Agensla.gen
BitDefender	Trojan.GenericKD.38036759
MicroWorld-eScan	Trojan.GenericKD.38036759
Avast	Win32:PWSX-gen [Trj]
Ad-Aware	Trojan.GenericKD.38036759
Emsisoft	Trojan.GenericKD.38036759 (B)
Comodo	TrojWare.Win32.UMal.rwkxk@0
TrendMicro	Trojan.MSIL.SABSIK.USMANKG21
FireEye	Generic.mg.9a0348ea86a8f394
Sophos	Mal/Generic-S
Webroot	W32.Malware.Gen
Avira	HEUR/AGEN.1142755
Kingsoft	Win32.PSWTroj.Undef.(kcloud)
Gridinsoft	Ransom.Win32.Gen.sa
Microsoft	Trojan:Win32/AgentTesla!ml
ViRobot	Trojan.Win32.Z.Agent.546816.FV
GData	Trojan.GenericKD.38036759
VBA32	CIL.HeapOverride.Heur
MAX	malware (ai score=82)
Malwarebytes	Trojan.Crypt.MSIL
APEX	Malicious
Yandex	Trojan.Slntscn24.bWfT6q
SentinelOne	Static AI - Malicious PE
Fortinet	MSIL/CoinMiner.YII!tr
AVG	Win32:PWSX-gen [Trj]

yale.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All