Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 23, 2024, 10:49 a.m.	Sept. 23, 2024, 11:04 a.m.

Size	313.5KB
Type	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4e97e36dd5e4fae769cb1ade01d9be99`
SHA256	`9545cb95accf9eb43999ff192849f2c8c2ef8286c3fc1232d3750cbcd9c8dc4e`
CRC32	`0F1179C3`
ssdeep	`6144:49SiPY2r9uh6YdytMe6J5jiqsGN9r0u2iIRBd0VlzC7El8GzgsJFkci:wZPYg9uhbc6JRLN9IiKaVltl8g1kc`
PDB Path	c:\rje\tg\71\obj\Release\Fcs.pdb
Yara	PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

66f011901da27_crypted.exe#111 "C:\Users\test22\AppData\Local\Temp\66f011901da27_crypted.exe#111"
1188
- RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2228

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
193.233.255.77	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 23, 2024, 10:49 a.m.			0	0
IsDebuggerPresent Sept. 23, 2024, 10:49 a.m.			0	0
IsDebuggerPresent Sept. 23, 2024, 10:49 a.m.			0	0
IsDebuggerPresent Sept. 23, 2024, 10:49 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (14 events)

Time & API	Arguments	Status	Return
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005647f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005647f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005647f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005647f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564870 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00564770 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c3030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Sept. 23, 2024, 10:49 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005c31b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

c:\rje\tg\71\obj\Release\Fcs.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 23, 2024, 10:49 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 71 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 458752 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005e0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00582000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 1188 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x745a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x007b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744d2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cbb000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e8a000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x729d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72831000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e0f000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73de1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6e09e000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x726db000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x009a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fc1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72601000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x725f1000 process_handle: 0xffffffff	1

Creates hidden or system file (4 events)

Time & API	Arguments	Return
NtCreateFile Sept. 23, 2024, 10:49 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 23, 2024, 10:49 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 23, 2024, 10:49 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525
NtCreateFile Sept. 23, 2024, 10:49 a.m.	create_disposition: 2 (FILE_CREATE) file_handle: 0x00000000 filepath: C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 desired_access: 0x00100001 (FILE_READ_DATA\|FILE_LIST_DIRECTORY\|SYNCHRONIZE) file_attributes: 4 (FILE_ATTRIBUTE_SYSTEM) filepath_r: \??\C:\Users\test22\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3832866432-4053218753-3017428901-1001 create_options: 16417 (FILE_DIRECTORY_FILE\|FILE_SYNCHRONOUS_IO_NONALERT\|FILE_OPEN_FOR_BACKUP_INTENT) status_info: 4294967295 () share_access: 3 (FILE_SHARE_READ\|FILE_SHARE_WRITE)	3221225525

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0004dc00', u'virtual_address': u'0x00002000', u'entropy': 7.995935480224529, u'name': u'.text', u'virtual_size': u'0x0004dbc4'}

entropy

7.99593548022

description

A section with a high entropy has been found

entropy

0.993610223642

description

Overall entropy of this PE file is high

Yara rule detected in process memory (11 events)

description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	RedLine stealer	rule	RedLine_Stealer_m_Zero
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

193.233.255.77

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾r½õà0ìÐº @ @Ì¹O ÄÉ°¹ H.textê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: ° : base_address: 0x00450000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000204	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾r½õà0ìÐº @ @Ì¹O ÄÉ°¹ H.textê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000204	1	1	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1188 called NtSetContextThread to modify thread in remote process 2228
NtSetContextThread Sept. 23, 2024, 10:49 a.m.	registers.eip: 2005598660 registers.esp: 2162340 registers.edi: 0 registers.eax: 4373022 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2228	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1188 resumed a thread in remote process 2228
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2228	1	0	0

File has been identified by 28 AntiVirus engines on VirusTotal as malicious (28 events)

Bkav	W32.AIDetectMalware.CS
Cylance	Unsafe
CrowdStrike	win/malicious_confidence_60% (D)
K7GW	Trojan ( 005ba5051 )
K7AntiVirus	Trojan ( 005ba5051 )
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.HBNC
APEX	Malicious
Avast	PWSX-gen [Trj]
ClamAV	Win.Packed.Pwsx-10035189-0
Rising	Malware.Obfus/MSIL@AI.90 (RDM.MSIL2:BAYDaTM1ugt510PjVqr4Zg)
FireEye	Generic.mg.4e97e36dd5e4fae7
Webroot	W32.Trojan.FL
Google	Detected
Kingsoft	MSIL.Trojan.Stelpak.gen
Gridinsoft	Trojan.Win32.Packed.dd!ni
Microsoft	Trojan:Win32/Wacatac.B!ml
Varist	W32/MSIL_Agent.ILW.gen!Eldorado
AhnLab-V3	Trojan/Win.Vidar.C5672959
DeepInstinct	MALICIOUS
Malwarebytes	Generic.Malware/Suspicious
Ikarus	Trojan-Spy.LummaStealer
Tencent	Msil.Trojan.Genkryptik.Fkjl
huorong	Trojan/MSIL.Agent.li
Fortinet	MSIL/Kryptik.AMFU!tr
AVG	PWSX-gen [Trj]

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

193.233.255.77:1891

Executed a process and injected code into it, probably while unpacking (16 events)

Time & API	Arguments	Status	Return
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 1188	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x00000158 suspend_count: 1 process_identifier: 1188	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1188	1	0
CreateProcessInternalW Sept. 23, 2024, 10:49 a.m.	thread_identifier: 2232 thread_handle: 0x0000002c process_identifier: 2228 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe track: 1 command_line: filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000204	1	1
NtGetContextThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x0000002c	1	0
NtAllocateVirtualMemory Sept. 23, 2024, 10:49 a.m.	process_identifier: 2228 region_size: 335872 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000204	1	0
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEL¾r½õà0ìÐº @ @Ì¹O ÄÉ°¹ H.textê ì `.rsrcÄÉ Ìð@@.reloc¼@B base_address: 0x00400000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: base_address: 0x00402000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: base_address: 0x00432000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: ° : base_address: 0x00450000 process_identifier: 2228 process_handle: 0x00000204	1	1
WriteProcessMemory Sept. 23, 2024, 10:49 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2228 process_handle: 0x00000204	1	1
NtSetContextThread Sept. 23, 2024, 10:49 a.m.	registers.eip: 2005598660 registers.esp: 2162340 registers.edi: 0 registers.eax: 4373022 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000002c process_identifier: 2228	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x0000002c suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x0000017c suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x000001ec suspend_count: 1 process_identifier: 2228	1	0
NtResumeThread Sept. 23, 2024, 10:49 a.m.	thread_handle: 0x00000238 suspend_count: 1 process_identifier: 2228	1	0

66f011901da27_crypted.exe#111

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All