Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 11, 2023, 9:40 a.m.	April 11, 2023, 9:42 a.m.

Size	225.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`d5bbe92d4a8b9014708e0aa325158e2b`
SHA256	`5478f23d8a67ec7f18ee3ebcfefe3d86d89543c6f323b3de5f7696fdd7697cf4`
CRC32	`B6DF5115`
ssdeep	`6144:VeUOuccUzNkM0MU1QPvoj4DFBHLWEUuJJmfUGs70p8I:UUlcjJkrX1QPv/DbrWE5JlGs70pZ`
Yara	UPX_Zero - UPX packed file ConfuserEx_Zero - Confuser .NET Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

vsdhfvzgsfvzshfszhdfrff.exe "C:\Users\test22\AppData\Local\Temp\vsdhfvzgsfvzshfszhdfrff.exe"
2560
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"' & exit
3060
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'
  1264
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp9A85.tmp.bat""
908
- timeout.exe timeout 3
  196
- crsi.exe "C:\Users\test22\AppData\Roaming\crsi.exe"
  2208

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 11, 2023, 9:40 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 11, 2023, 9:39 a.m.			0	0
IsDebuggerPresent April 11, 2023, 9:39 a.m.			0	0
IsDebuggerPresent April 11, 2023, 9:40 a.m.			0	0
IsDebuggerPresent April 11, 2023, 9:40 a.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 11, 2023, 9:40 a.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW April 11, 2023, 9:40 a.m.	buffer: SUCCESS: The scheduled task "crsi" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 11, 2023, 9:39 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 1900544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00bf0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00db0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00652000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00653000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00654000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00655000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00656000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00657000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00658000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:39 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 30208 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0065f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed01a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed01c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed01f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed0218 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82ae process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82a2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed7a00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82bc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82e0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82e8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82ec process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82f4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82f8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2560 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ed82fc process_handle: 0xffffffff		3221225550

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\crsi.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\crsi.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036c00', u'virtual_address': u'0x00002000', u'entropy': 7.671914512927314, u'name': u'.text', u'virtual_size': u'0x00036a74'}

entropy

7.67191451293

description

A section with a high entropy has been found

entropy

0.975501113586

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 11, 2023, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 11, 2023, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (48 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2656 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2532 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4		3221225496	0

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 manipulating memory of non-child process 2656
Process injection	Process 2208 manipulating memory of non-child process 2532
NtUnmapViewOfSection April 11, 2023, 9:40 a.m.	base_address: 0x00400000 region_size: 11730944 process_identifier: 2656 process_handle: 0x000002d0		3221225497	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2656 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0	0
NtUnmapViewOfSection April 11, 2023, 9:40 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 2532 process_handle: 0x000002d4		3221225497	0
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2532 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4		3221225496	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 called NtSetContextThread to modify thread in remote process 2656
Process injection	Process 2208 called NtSetContextThread to modify thread in remote process 2532
NtSetContextThread April 11, 2023, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 2656	1	0	0
NtSetContextThread April 11, 2023, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002cc process_identifier: 2532	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2560 resumed a thread in remote process 2656
Process injection	Process 908 resumed a thread in remote process 2208
Process injection	Process 2208 resumed a thread in remote process 2532
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2656	1	0	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2208	1	0	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2532	1	0	0

Executed a process and injected code into it, probably while unpacking (44 events)

Time & API	Arguments	Status	Return
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x00000184 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread April 11, 2023, 9:39 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread April 11, 2023, 9:39 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x00000210 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:39 a.m.	thread_handle: 0x00000224 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2560	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2560	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2560	1	0
CreateProcessInternalW April 11, 2023, 9:40 a.m.	thread_identifier: 2660 thread_handle: 0x000002c8 process_identifier: 2656 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\vsdhfvzgsfvzshfszhdfrff.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtUnmapViewOfSection April 11, 2023, 9:40 a.m.	base_address: 0x00400000 region_size: 11730944 process_identifier: 2656 process_handle: 0x000002d0		3221225497
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2656 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002c8	1	0
NtSetContextThread April 11, 2023, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 2656	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2656	1	0
CreateProcessInternalW April 11, 2023, 9:40 a.m.	thread_identifier: 1356 thread_handle: 0x00000084 process_identifier: 1264 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW April 11, 2023, 9:40 a.m.	thread_identifier: 148 thread_handle: 0x00000084 process_identifier: 196 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW April 11, 2023, 9:40 a.m.	thread_identifier: 2260 thread_handle: 0x00000088 process_identifier: 2208 current_directory: filepath: C:\Users\test22\AppData\Roaming\crsi.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\crsi.exe" filepath_r: C:\Users\test22\AppData\Roaming\crsi.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000001a4 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000001d8 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2208	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000ec	1	0
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000ec	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000000ec suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002b8 suspend_count: 1 process_identifier: 2208	1	0
CreateProcessInternalW April 11, 2023, 9:40 a.m.	thread_identifier: 2524 thread_handle: 0x000002cc process_identifier: 2532 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\crsi.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtUnmapViewOfSection April 11, 2023, 9:40 a.m.	base_address: 0x00400000 region_size: 446464 process_identifier: 2532 process_handle: 0x000002d4		3221225497
NtAllocateVirtualMemory April 11, 2023, 9:40 a.m.	process_identifier: 2532 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4		3221225496
NtGetContextThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002cc	1	0
NtSetContextThread April 11, 2023, 9:40 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002cc process_identifier: 2532	1	0
NtResumeThread April 11, 2023, 9:40 a.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2532	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Hesv.4!c
MicroWorld-eScan	Gen:Variant.MSILHeracles.37619
FireEye	Generic.mg.d5bbe92d4a8b9014
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!D5BBE92D4A8B
Malwarebytes	Backdoor.Quasar.Generic
VIPRE	Gen:Variant.MSILHeracles.37619
CrowdStrike	win/malicious_confidence_100% (W)
Alibaba	TrojanSpy:MSIL/Quasar.28625923
K7GW	Trojan ( 0059cb6d1 )
K7AntiVirus	Trojan ( 0059cb6d1 )
Arcabit	Trojan.MSILHeracles.D92F3
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
BitDefender	Gen:Variant.MSILHeracles.37619
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan.Hesv.Uwhl
Emsisoft	Gen:Variant.MSILHeracles.37619 (B)
F-Secure	Trojan.TR/Dropper.MSIL.Gen
TrendMicro	Backdoor.Win32.ASYNCRAT.YXDDJZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Dropper.MSIL.Gen
Gridinsoft	Trojan.Win32.AsyncRAT.bot
Microsoft	Trojan:MSIL/AgentTesla.LQL!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Quasar.gen
GData	MSIL.Backdoor.ASyncRAT.OWCIW7
AhnLab-V3	Trojan/Win.Generic.C5390455
Acronis	suspicious
BitDefenderTheta	Gen:NN.ZemsilF.36132.om0@aOPXssh
ALYac	Gen:Variant.MSILHeracles.37619
MAX	malware (ai score=85)
Cylance	unsafe
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXDDJZ
Rising	Malware.Obfus/MSIL@AI.95 (RDM.MSIL2:gc7eTdsJg3F/8vfBScEkOg)
Ikarus	Win32.Outbreak
MaxSecure	Trojan.Malware.300983.susgen
AVG	Win32:RATX-gen [Trj]
DeepInstinct	MALICIOUS

vsdhfvzgsfvzshfszhdfrff.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All