Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Feb. 12, 2025, 1:18 p.m.	Feb. 12, 2025, 1:22 p.m.

Size	3.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`4b42f7281d23b4eb76b55fb6f1012ce3`
SHA256	`c625e328ac87109508ca10a03e2eb91e5bc961d00a4f3d03ffe800cda739e880`
CRC32	`5652ECD2`
ssdeep	`49152:N7rOkJmp0SPBrDT/SfCLjw5PzYCnVLnqZk9EoqFtgmG1GzDGfXhfprlX9Hw6YL5x:N7SmQ0OBrD+f8wNVrq2+ow64WfRnZU/`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

L5shRfh.exe "C:\Users\test22\AppData\Local\Temp\L5shRfh.exe"
1460

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 12, 2025, 1:18 p.m.			0	0
IsDebuggerPresent Feb. 12, 2025, 1:18 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 12, 2025, 1:18 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 12, 2025, 1:18 p.m.	stacktrace: exception.instruction_r: 8b 31 85 f6 eb 08 8d bd d5 04 00 00 eb 12 64 8b exception.instruction: mov esi, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27b7b1c registers.esp: 1764724 registers.edi: 41646241 registers.eax: 1971261501 registers.ebp: 41646104 registers.edx: 41646343 registers.ebx: 0 registers.esi: 2939456477 registers.ecx: 2981103205	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (23 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00350000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00370000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00c60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00462000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0047c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00570000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00571000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0049b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0046a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00572000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00590000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0048a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00573000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00574000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 1460 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027b7000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x002fdc00', u'virtual_address': u'0x00016000', u'entropy': 7.999934106985304, u'name': u'.rdata', u'virtual_size': u'0x002fdc00'}

entropy

7.99993410699

description

A section with a high entropy has been found

entropy

0.98016

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (2 events)

url	https://github.com/LimerBoy/StormKitty
url	http://www.newtonsoft.com/jsonschema

Yara rule detected in process memory (21 events)

description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Escalate priviledges	rule	Escalate_priviledges
description	task schedule	rule	schtasks_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Detection of Virtual Appliances through the use of WMI for use of evasion.	rule	WMI_VM_Detect
description	Checks if being debugged	rule	anti_dbg
description	Disable AntiVirus	rule	disable_antivirus
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Run a KeyLogger	rule	KeyLogger
description	Remote Administration toolkit using webcam	rule	RAT_WebCam

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 2128 region_size: 3162112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 manipulating memory of non-child process 2128
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 2128 region_size: 3162112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 injected into non-child 2128
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõ¦gàÊ/é/ 0@ @0`¸è/S0÷ 0 H.textÉ/ Ê/ `.rsrc÷ 0Ì/@@.reloc 0Ú/@B base_address: 0x00400000 process_identifier: 2128 process_handle: 0x00000200	1	1	0
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: P8h 0Ôt0 Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription,FileVersion6.0.6<InternalNameClientAny.exe&LegalCopyrightLegalTrademarksDOriginalFilenameClientAny.exe"ProductName0ProductVersion6.0.68Assembly Version6.0.6.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x00700000 process_identifier: 2128 process_handle: 0x00000200	1	1	0
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: à/9 base_address: 0x00702000 process_identifier: 2128 process_handle: 0x00000200	1	1	0
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2128 process_handle: 0x00000200	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 injected into non-child 2128
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõ¦gàÊ/é/ 0@ @0`¸è/S0÷ 0 H.textÉ/ Ê/ `.rsrc÷ 0Ì/@@.reloc 0Ú/@B base_address: 0x00400000 process_identifier: 2128 process_handle: 0x00000200	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 called NtSetContextThread to modify thread in remote process 2128
NtSetContextThread Feb. 12, 2025, 1:18 p.m.	registers.eip: 2005598660 registers.esp: 3733780 registers.edi: 0 registers.eax: 7334158 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2128	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1460 resumed a thread in remote process 2128
NtResumeThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2128	1	0	0

Executed a process and injected code into it, probably while unpacking (13 events)

Time & API	Arguments	Status	Return
NtResumeThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1460	1	0
NtResumeThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x00000188 suspend_count: 1 process_identifier: 1460	1	0
CreateProcessInternalW Feb. 12, 2025, 1:18 p.m.	thread_identifier: 2132 thread_handle: 0x00000204 process_identifier: 2128 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\L5shRfh.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\L5shRfh.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000200	1	1
NtGetContextThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x00000204	1	0
NtAllocateVirtualMemory Feb. 12, 2025, 1:18 p.m.	process_identifier: 2128 region_size: 3162112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000200	1	0
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELõ¦gàÊ/é/ 0@ @0`¸è/S0÷ 0 H.textÉ/ Ê/ `.rsrc÷ 0Ì/@@.reloc 0Ú/@B base_address: 0x00400000 process_identifier: 2128 process_handle: 0x00000200	1	1
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: base_address: 0x00402000 process_identifier: 2128 process_handle: 0x00000200	1	1
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: P8h 0Ôt0 Ô4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°4StringFileInfo000004b0Comments"CompanyNameFileDescription,FileVersion6.0.6<InternalNameClientAny.exe&LegalCopyrightLegalTrademarksDOriginalFilenameClientAny.exe"ProductName0ProductVersion6.0.68Assembly Version6.0.6.0ï»¿<?xml version="1.0" encoding="utf-8"?> <assembly manifestVersion="1.0" xmlns="urn:schemas-microsoft-com:asm.v1"> <assemblyIdentity version="1.0.7.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false" /> </requestedPrivileges> </security> </trustInfo> <compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> <application> <!-- A list of the Windows versions that this application has been tested on and is designed to work with. Uncomment the appropriate elements and Windows will automatically select the most compatible environment. --> <!-- Windows Vista --> <!--<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}" />--> <!-- Windows 7 --> <!--<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}" />--> <!-- Windows 8 --> <!--<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}" />--> <!-- Windows 8.1 --> <!--<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}" />--> <!-- Windows 10 --> <!--<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}" />--> </application> </compatibility> <!-- Indicates that the application is DPI-aware and will not be automatically scaled by Windows at higher DPIs. Windows Presentation Foundation (WPF) applications are automatically DPI-aware and do not need to opt in. Windows Forms applications targeting .NET Framework 4.6 that opt into this setting, should also set the 'EnableWindowsFormsHighDpiAutoResizing' setting to 'true' in their app.config. --> <application xmlns="urn:schemas-microsoft-com:asm.v3"> <windowsSettings> <dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware> <dpiAwareness xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">PerMonitorV2, PerMonitor</dpiAwareness> <longPathAware xmlns="http://schemas.microsoft.com/SMI/2016/WindowsSettings">true</longPathAware> </windowsSettings> </application> <!-- Enable themes for Windows common controls and dialogs (Windows XP and later) --> <!-- <dependency> <dependentAssembly> <assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="" publicKeyToken="6595b64144ccf1df" language="" /> </dependentAssembly> </dependency> --> </assembly> base_address: 0x00700000 process_identifier: 2128 process_handle: 0x00000200	1	1
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: à/9 base_address: 0x00702000 process_identifier: 2128 process_handle: 0x00000200	1	1
WriteProcessMemory Feb. 12, 2025, 1:18 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2128 process_handle: 0x00000200	1	1
NtSetContextThread Feb. 12, 2025, 1:18 p.m.	registers.eip: 2005598660 registers.esp: 3733780 registers.edi: 0 registers.eax: 7334158 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000204 process_identifier: 2128	1	0
NtResumeThread Feb. 12, 2025, 1:18 p.m.	thread_handle: 0x00000204 suspend_count: 1 process_identifier: 2128	1	0

File has been identified by 47 AntiVirus engines on VirusTotal as malicious (47 events)

Bkav	W32.AIDetectMalware.CS
Lionic	Trojan.Win32.Injuke.16!c
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.pkr
CrowdStrike	win/malicious_confidence_100% (W)
BitDefender	Trojan.GenericKD.75843804
K7GW	Trojan ( 005c0c381 )
Arcabit	Trojan.Marsilia.D28EB0
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
ESET-NOD32	a variant of MSIL/GenKryptik.HGBD
APEX	Malicious
Avast	Win32:Evo-gen [Trj]
Kaspersky	HEUR:Trojan.MSIL.Injuke.gen
Alibaba	Trojan:MSIL/GenKryptik.b192df23
MicroWorld-eScan	Gen:Variant.Jalapeno.19610
Rising	Malware.Obfus/MSIL@AI.88 (RDM.MSIL2:lqKY6yi5IP5ZtZGxpkzc6A)
Emsisoft	Gen:Variant.Jalapeno.19610 (B)
F-Secure	Trojan.TR/Kryptik.nefkp
DrWeb	Trojan.PWS.Lumma.1819
McAfeeD	ti!C625E328AC87
CTX	exe.trojan.msil
Sophos	Troj/MSIL-TGV
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.4b42f7281d23b4eb
Webroot	Win.Trojan.Gen
Google	Detected
Avira	TR/Kryptik.nefkp
Antiy-AVL	Trojan/MSIL.GenKryptik
Kingsoft	MSIL.Trojan.Injuke.gen
Gridinsoft	Trojan.Win32.Kryptik.oa!s1
Microsoft	Trojan:MSIL/Dapato.AMDG!MTB
ViRobot	Trojan.Win.Z.Genkryptik.3218752
GData	Win32.Trojan.Kryptik.JPLATW
Varist	W32/MSIL_Kryptik.LZC.gen!Eldorado
AhnLab-V3	Trojan/Win.Generic.C5718144
McAfee	Artemis!4B42F7281D23
DeepInstinct	MALICIOUS
Malwarebytes	Trojan.MalPack
Ikarus	Trojan-Spy.FormBook
Panda	Trj/Chgt.AD
Tencent	Malware.Win32.Gencirc.10c0db2b
huorong	Trojan/MSIL.Agent.vl
Fortinet	MSIL/GenKryptik.HGBD!tr
AVG	Win32:Evo-gen [Trj]
Paloalto	generic.ml
alibabacloud	Trojan:MSIL/Fareit.Gen

L5shRfh.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All