Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 21, 2024, 7:14 a.m.	March 21, 2024, 7:25 a.m.

Size	354.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`960eb4d74f0f0c05c4c43ce1e98bf571`
SHA256	`b03aa6bdff66cb4a9114ebb3615f07af455b474f7af998cd35ba47f84bbf05b1`
CRC32	`5248E634`
ssdeep	`6144:43kc+V5W0MPeogbh0HWE0J98gBzl6e/u:u4MG+eSgBzlZ`
PDB Path	Blinsson.pdb
Yara	Craxs_RAT - Craxs RAT PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

cry.exe "C:\Users\test22\AppData\Local\Temp\cry.exe"
1688
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2068

Name	Response	Post-Analysis Lookup
t.me	A 149.154.167.99	149.154.167.99
steamcommunity.com	A 118.214.72.32	104.76.78.101

IP Address	Status	Action
116.202.5.172	Active	Moloch
118.214.72.32	Active	Moloch
149.154.167.99	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 116.202.5.172:443 -> 192.168.56.103:49167	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 149.154.167.99:443 -> 192.168.56.103:49171	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49164 -> 118.214.72.32:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49170 -> 149.154.167.99:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49170 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity
TCP 192.168.56.103:49169 -> 149.154.167.99:443	2041933	ET INFO Observed Telegram Domain (t .me in TLS SNI)	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49164 118.214.72.32:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA	unknown=US, unknown=Washington, unknown=Private Organization, serialNumber=602 290 773, C=US, ST=Washington, L=Bellevue, O=Valve Corp, CN=store.steampowered.com	10:20:2b:ee:30:69:cc:b6:ac:5e:47:04:71:ca:b0:75:78:51:58:f5

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 21, 2024, 7:15 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 21, 2024, 7:15 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 21, 2024, 7:14 a.m.			0	0
IsDebuggerPresent March 21, 2024, 7:14 a.m.			0	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

Blinsson.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 21, 2024, 7:14 a.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 21, 2024, 7:15 a.m.	stacktrace: regasm+0x13474 @ 0x413474 regasm+0x15237 @ 0x415237 regasm+0x1588c @ 0x41588c BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757f33ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x778d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x778d9ea5 exception.instruction_r: 8b 43 08 03 47 08 c7 45 f0 01 00 00 00 89 46 08 exception.symbol: regasm+0xe74f exception.instruction: mov eax, dword ptr [ebx + 8] exception.module: RegAsm.exe exception.exception_code: 0xc0000005 exception.offset: 59215 exception.address: 0x40e74f registers.esp: 4039704 registers.edi: 4040104 registers.eax: 0 registers.ebp: 4039732 registers.edx: 1934616285 registers.ebx: 1 registers.esi: 4040092 registers.ecx: 4040104	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET https://steamcommunity.com/profiles/76561199654112719

Performs some HTTP requests (1 event)

request

GET https://steamcommunity.com/profiles/76561199654112719

Allocates read-write-execute memory (usually to unpack itself) (34 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 851968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 2097152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02470000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003eb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003e5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x002cd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 1688 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024b9000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006d0000 allocation_type: 12289 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74471000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74451000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x743e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:15 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 21, 2024, 7:15 a.m.	process_identifier: 2068 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73481000 process_handle: 0xffffffff	1

Executes one or more WMI queries (1 event)

wmi

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00058000', u'virtual_address': u'0x00002000', u'entropy': 7.311688284392754, u'name': u'.text', u'virtual_size': u'0x00057e54'}

entropy

7.31168828439

description

A section with a high entropy has been found

entropy

0.994350282486

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://t.me/r2d0s
url	https://steamcommunity.com/profiles/76561199654112719

Yara rule detected in process memory (16 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Communicates with host for which no DNS query was performed (1 event)

host

116.202.5.172

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 region_size: 2375680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $D%.\%K}\%K}\%K}3SÕ}R%K}3Sá}%K}U]È}Y%K}U]Ø}P%K}Ü\J\|_%K}\%J}/%K}3Sà}w%K}3SÖ}]%K}Rich\%K}PEL%ùeà" èlU@@$Õ@ÀSXÀSX à#°ð#-l.textæè `.rdata<¡¢ì@@.data¸.!°@À.rsrc°à#@@.relocæNð#P @B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: 0 HXà#Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063e000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2068 process_handle: 0x00000200	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $D%.\%K}\%K}\%K}3SÕ}R%K}3Sá}%K}U]È}Y%K}U]Ø}P%K}Ü\J\|_%K}\%J}/%K}3Sà}w%K}3SÖ}]%K}Rich\%K}PEL%ùeà" èlU@@$Õ@ÀSXÀSX à#°ð#-l.textæè `.rdata<¡¢ì@@.data¸.!°@À.rsrc°à#@@.relocæNð#P @B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000200	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

Network activity contains more than one unique useragent (2 events)

process	RegAsm.exe				useragent
process	RegAsm.exe				useragent	Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1688 called NtSetContextThread to modify thread in remote process 2068
NtSetContextThread March 21, 2024, 7:14 a.m.	registers.eip: 2005598660 registers.esp: 4063036 registers.edi: 0 registers.eax: 4281708 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001fc process_identifier: 2068	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1688 resumed a thread in remote process 2068
NtResumeThread March 21, 2024, 7:14 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2068	1	0	0

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread March 21, 2024, 7:14 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1688	1	0
NtResumeThread March 21, 2024, 7:14 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1688	1	0
NtResumeThread March 21, 2024, 7:14 a.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1688	1	0
CreateProcessInternalW March 21, 2024, 7:14 a.m.	thread_identifier: 2072 thread_handle: 0x000001fc process_identifier: 2068 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000200	1	1
NtGetContextThread March 21, 2024, 7:14 a.m.	thread_handle: 0x000001fc	1	0
NtAllocateVirtualMemory March 21, 2024, 7:14 a.m.	process_identifier: 2068 region_size: 2375680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $D%.\%K}\%K}\%K}3SÕ}R%K}3Sá}%K}U]È}Y%K}U]Ø}P%K}Ü\J\|_%K}\%J}/%K}3Sà}w%K}3SÖ}]%K}Rich\%K}PEL%ùeà" èlU@@$Õ@ÀSXÀSX à#°ð#-l.textæè `.rdata<¡¢ì@@.data¸.!°@À.rsrc°à#@@.relocæNð#P @B base_address: 0x00400000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: base_address: 0x00401000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: base_address: 0x00420000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: base_address: 0x0042b000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: 0 HXà#Vä<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> </assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING base_address: 0x0063e000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: base_address: 0x0063f000 process_identifier: 2068 process_handle: 0x00000200	1	1
WriteProcessMemory March 21, 2024, 7:14 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2068 process_handle: 0x00000200	1	1
NtSetContextThread March 21, 2024, 7:14 a.m.	registers.eip: 2005598660 registers.esp: 4063036 registers.edi: 0 registers.eax: 4281708 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001fc process_identifier: 2068	1	0
NtResumeThread March 21, 2024, 7:14 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 2068	1	0

File has been identified by 51 AntiVirus engines on VirusTotal as malicious (50 out of 51 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Stealer.12!c
Elastic	malicious (high confidence)
Skyhigh	Artemis!Trojan
ALYac	Gen:Variant.Lazy.497624
VIPRE	Gen:Variant.Lazy.497624
Sangfor	Suspicious.Win32.Save.a
K7AntiVirus	Riskware ( 00584baa1 )
BitDefender	Trojan.GenericKD.72060659
K7GW	Riskware ( 00584baa1 )
Arcabit	Trojan.Lazy.D797D8
VirIT	Trojan.Win32.Genus.VJV
Symantec	Trojan Horse
ESET-NOD32	a variant of MSIL/Kryptik.AKRF
APEX	Malicious
McAfee	Artemis!960EB4D74F0F
Avast	Win32:PWSX-gen [Trj]
ClamAV	Win.Packed.Zusy-10023527-0
Kaspersky	HEUR:Trojan-Spy.MSIL.Stealer.gen
Alibaba	Trojan:MSIL/Kryptik.099acbd2
MicroWorld-eScan	Trojan.GenericKD.72060659
Rising	Malware.Obfus/MSIL@AI.87 (RDM.MSIL2:VjJA7wn8GMqWy5QX2yZqtg)
Emsisoft	Gen:Variant.Zusy.541393 (B)
F-Secure	Trojan.TR/AD.Nekark.pxwup
DrWeb	Trojan.PWS.Steam.37182
TrendMicro	Trojan.Win32.SMOKELOADER.YXECTZ
FireEye	Generic.mg.960eb4d74f0f0c05
Sophos	Troj/MSIL-TCZ
Ikarus	Trojan-Spy.RisePro
Google	Detected
Avira	TR/AD.Nekark.pxwup
MAX	malware (ai score=89)
Antiy-AVL	Trojan[Spy]/MSIL.Stealer
Kingsoft	Win32.Troj.Unknown.a
Gridinsoft	Malware.Win32.ZgRAT.tr
Xcitium	Malware@#3g6hbea89mi8g
Microsoft	Trojan:MSIL/PureLogStealer.IDAA!MTB
ZoneAlarm	HEUR:Trojan-Spy.MSIL.Stealer.gen
GData	Gen:Variant.Zusy.541393
Varist	W32/MSIL_Agent.HSN.gen!Eldorado
AhnLab-V3	Trojan/Win.LummaStealer.C5602645
BitDefenderTheta	Gen:NN.ZemsilF.36802.wm0@aC4Rw6f
DeepInstinct	MALICIOUS
Malwarebytes	Spyware.Stealer.MSIL
Panda	Trj/Chgt.AD
TrendMicro-HouseCall	Trojan.Win32.SMOKELOADER.YXECTZ
SentinelOne	Static AI - Malicious PE
MaxSecure	Trojan.Malware.73709669.susgen
Fortinet	MSIL/Kryptik.AKRF!tr
AVG	Win32:PWSX-gen [Trj]

cry.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All