Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 12, 2023, 6:30 p.m.	April 12, 2023, 6:34 p.m.

Size	225.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b8fd2b1bf9995f286509982b5aceae14`
SHA256	`3f612991627b057aa05e5d56447615572203833770a0b206c0c1294eceaf7f0b`
CRC32	`9C3342DE`
ssdeep	`6144:jM0eaOG37W9kAzR1llMGhgc7V72aYoATazMFmZZ+PXeoUC8AYqhCVujI:jbOq6yAzR18T0qaYAzwmZZ+PXeoUC8A6`
Yara	UPX_Zero - UPX packed file ConfuserEx_Zero - Confuser .NET Is_DotNET_EXE - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT IsPE32 - (no description) PE_Header_Zero - PE File Signature

644c4dc6bac9156546cca54ce95fa22e5b7df08de5571784085f095a96494a55.exe "C:\Users\test22\AppData\Local\Temp\644c4dc6bac9156546cca54ce95fa22e5b7df08de5571784085f095a96494a55.exe"
2652
cmd.exe "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"' & exit
1216
- schtasks.exe schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'
  2064
cmd.exe cmd /c ""C:\Users\test22\AppData\Local\Temp\tmp8C1E.tmp.bat""
2088
- timeout.exe timeout 3
  320
- crsi.exe "C:\Users\test22\AppData\Roaming\crsi.exe"
  2444

Name	Response	Post-Analysis Lookup
dnuocc.com

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW April 12, 2023, 6:33 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 12, 2023, 6:30 p.m.			0	0
IsDebuggerPresent April 12, 2023, 6:30 p.m.			0	0
IsDebuggerPresent April 12, 2023, 6:33 p.m.			0	0
IsDebuggerPresent April 12, 2023, 6:33 p.m.			0	0

Command line console output was observed (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW April 12, 2023, 6:33 p.m.	buffer: The batch file cannot be found. console_handle: 0x0000000b	1	1	0
WriteConsoleW April 12, 2023, 6:33 p.m.	buffer: SUCCESS: The scheduled task "crsi" has successfully been created. console_handle: 0x00000007	1	1	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 12, 2023, 6:30 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 164 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 1769472 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00840000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 720896 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00580000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0044b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00447000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 30720 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970400 process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006ae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006af000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02440000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02441000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02442000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02443000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02444000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02445000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009701a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009701c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009701f0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970218 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097844e process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978442 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00977c00 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097845c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978480 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978488 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097848c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978494 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00978498 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2652 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0097849c process_handle: 0xffffffff		3221225550

Creates a suspicious process (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Roaming\crsi.exe

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\crsi.exe

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00036e00', u'virtual_address': u'0x00002000', u'entropy': 7.674931477958505, u'name': u'.text', u'virtual_size': u'0x00036cf4'}

entropy

7.67493147796

description

A section with a high entropy has been found

entropy

0.975555555556

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 12, 2023, 6:30 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW April 12, 2023, 6:33 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 51 events)

description	Create a windows service	rule	Create_Service
description	Communication using DGA	rule	Network_DGA
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	Communications over HTTP	rule	Network_HTTP
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Steal credential	rule	local_credential_Steal
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Communications over P2P network	rule	Network_P2P_Win
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Escalate priviledges	rule	Escalate_priviledges
description	File Downloader	rule	Network_Downloader
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	task schedule	rule	schtasks_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2764 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0	0
NtAllocateVirtualMemory April 12, 2023, 6:33 p.m.	process_identifier: 2664 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4	1	0	0

Installs itself for autorun at Windows startup (1 event)

cmdline

schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"'

Manipulates memory of a non-child process indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 manipulating memory of non-child process 2764
Process injection	Process 2444 manipulating memory of non-child process 2664
NtUnmapViewOfSection April 12, 2023, 6:30 p.m.	base_address: 0x00400000 region_size: 11010048 process_identifier: 2764 process_handle: 0x000002d0		3221225497	0
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2764 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0	0
NtUnmapViewOfSection April 12, 2023, 6:33 p.m.	base_address: 0x00400000 region_size: 1989345280 process_identifier: 2664 process_handle: 0x000002d4		3221225497	0
NtAllocateVirtualMemory April 12, 2023, 6:33 p.m.	process_identifier: 2664 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4	1	0	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 called NtSetContextThread to modify thread in remote process 2764
Process injection	Process 2444 called NtSetContextThread to modify thread in remote process 2664
NtSetContextThread April 12, 2023, 6:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 2764	1	0	0
NtSetContextThread April 12, 2023, 6:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 2664	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2652 resumed a thread in remote process 2764
Process injection	Process 2088 resumed a thread in remote process 2444
Process injection	Process 2444 resumed a thread in remote process 2664
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2764	1	0	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2444	1	0	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2664	1	0	0

Executed a process and injected code into it, probably while unpacking (41 events)

Time & API	Arguments	Status	Return
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2652	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2652	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x00000208 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2652	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000002a0 suspend_count: 1 process_identifier: 2652	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000002b4 suspend_count: 1 process_identifier: 2652	1	0
CreateProcessInternalW April 12, 2023, 6:30 p.m.	thread_identifier: 2768 thread_handle: 0x000002c8 process_identifier: 2764 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\644c4dc6bac9156546cca54ce95fa22e5b7df08de5571784085f095a96494a55.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d0	1	1
NtUnmapViewOfSection April 12, 2023, 6:30 p.m.	base_address: 0x00400000 region_size: 11010048 process_identifier: 2764 process_handle: 0x000002d0		3221225497
NtAllocateVirtualMemory April 12, 2023, 6:30 p.m.	process_identifier: 2764 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d0	1	0
NtGetContextThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000002c8	1	0
NtSetContextThread April 12, 2023, 6:30 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c8 process_identifier: 2764	1	0
NtResumeThread April 12, 2023, 6:30 p.m.	thread_handle: 0x000002c8 suspend_count: 1 process_identifier: 2764	1	0
CreateProcessInternalW April 12, 2023, 6:33 p.m.	thread_identifier: 2068 thread_handle: 0x00000084 process_identifier: 2064 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: schtasks /create /f /sc onlogon /rl highest /tn "crsi" /tr '"C:\Users\test22\AppData\Roaming\crsi.exe"' filepath_r: C:\Windows\system32\schtasks.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1
CreateProcessInternalW April 12, 2023, 6:33 p.m.	thread_identifier: 2188 thread_handle: 0x00000084 process_identifier: 320 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\timeout.exe track: 1 command_line: timeout 3 filepath_r: C:\Windows\system32\timeout.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
CreateProcessInternalW April 12, 2023, 6:33 p.m.	thread_identifier: 2440 thread_handle: 0x00000088 process_identifier: 2444 current_directory: filepath: C:\Users\test22\AppData\Roaming\crsi.exe track: 1 command_line: "C:\Users\test22\AppData\Roaming\crsi.exe" filepath_r: C:\Users\test22\AppData\Roaming\crsi.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000001c8 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000200 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000214 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2444	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000002cc suspend_count: 1 process_identifier: 2444	1	0
CreateProcessInternalW April 12, 2023, 6:33 p.m.	thread_identifier: 2596 thread_handle: 0x000002d0 process_identifier: 2664 current_directory: filepath: track: 1 command_line: C:\Users\test22\AppData\Roaming\crsi.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002d4	1	1
NtUnmapViewOfSection April 12, 2023, 6:33 p.m.	base_address: 0x00400000 region_size: 1989345280 process_identifier: 2664 process_handle: 0x000002d4		3221225497
NtAllocateVirtualMemory April 12, 2023, 6:33 p.m.	process_identifier: 2664 region_size: 73728 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002d4	1	0
NtGetContextThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000002d0	1	0
NtSetContextThread April 12, 2023, 6:33 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4245310 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002d0 process_identifier: 2664	1	0
NtResumeThread April 12, 2023, 6:33 p.m.	thread_handle: 0x000002d0 suspend_count: 1 process_identifier: 2664	1	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectNet.01
Lionic	Trojan.Win32.Hesv.4!c
MicroWorld-eScan	Gen:Variant.MSILHeracles.37619
FireEye	Generic.mg.b8fd2b1bf9995f28
CAT-QuickHeal	Trojan.YakbeexMSIL.ZZ4
McAfee	Artemis!B8FD2B1BF999
Malwarebytes	Backdoor.Quasar.Generic
VIPRE	Gen:Variant.MSILHeracles.37619
Sangfor	Trojan.Win32.Agent.V1er
K7AntiVirus	Trojan ( 0059cb6d1 )
Alibaba	TrojanSpy:MSIL/Quasar.c0ec5356
K7GW	Trojan ( 0059cb6d1 )
Arcabit	Trojan.MSILHeracles.D92F3
VirIT	Trojan.Win32.MSIL_Heur.A
Cyren	W32/MSIL_Agent.FBV.gen!Eldorado
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	multiple detections
Cynet	Malicious (score: 100)
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan.MSIL.Hesv.gen
BitDefender	Gen:Variant.MSILHeracles.37619
Avast	Win32:RATX-gen [Trj]
Tencent	Msil.Trojan.Hesv.Sgil
Emsisoft	Gen:Variant.MSILHeracles.37619 (B)
F-Secure	Trojan.TR/Dropper.MSIL.Gen
DrWeb	Trojan.Inject4.56080
TrendMicro	Backdoor.Win32.ASYNCRAT.YXDDKZ
McAfee-GW-Edition	Artemis!Trojan
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
Avira	TR/Dropper.MSIL.Gen
Gridinsoft	Ransom.Win32.Sabsik.sa
Microsoft	Trojan:MSIL/AgentTesla.LQL!MTB
ViRobot	Trojan.Win.Z.Agent.230912.AM
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Quasar.gen
GData	Gen:Variant.MSILHeracles.37619
Google	Detected
AhnLab-V3	Trojan/Win.Generic.C5390455
Acronis	suspicious
ALYac	Gen:Variant.MSILHeracles.37619
MAX	malware (ai score=80)
Cylance	unsafe
TrendMicro-HouseCall	Backdoor.Win32.ASYNCRAT.YXDDKZ
Rising	Malware.Obfus/MSIL@AI.97 (RDM.MSIL2:JPncos6k66RoiAUo6gYNBw)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	PossibleThreat.ZDS
BitDefenderTheta	Gen:NN.ZemsilF.36132.om0@aSAz4!n
AVG	Win32:RATX-gen [Trj]

644c4dc6bac9156546cca54ce95fa22e5b7df08de5571784085f095a96494a55

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All