Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 25, 2023, 5:52 p.m.	Nov. 25, 2023, 6:09 p.m.

Size	977.0KB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`b4ce50927cd3a7ab60d2d6522070cd69`
SHA256	`78622732081a2280320cbd61ae9c1cf51061ad534b537cf6010144e41e29bb67`
CRC32	`EFE4708F`
ssdeep	`24576:egdqyM2EJ0JNUkDCfruOh+bTDcogbqQJqvuM4F8gv43VwT:4DKSk2frus+bTDcogUsCwT`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

Wlssejinnvz.exe "C:\Users\test22\AppData\Local\Temp\Wlssejinnvz.exe"
2060
- Wlssejinnvz.exe C:\Users\test22\AppData\Local\Temp\Wlssejinnvz.exe
  2540

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
131.153.76.130	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (3 events)

Time & API	Arguments	Status	Return
GetComputerNameW Nov. 25, 2023, 6:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 25, 2023, 6:01 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Nov. 25, 2023, 6:01 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 25, 2023, 5:45 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 5:45 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 6 p.m.			0	0
IsDebuggerPresent Nov. 25, 2023, 6 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (15 events)

Time & API	Arguments	Status	Return
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000500f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000500f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000500f30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b440350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b440350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b440350 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4404a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4404a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 5:45 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b4404a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c440 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Nov. 25, 2023, 6:01 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000034c6e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 25, 2023, 5:45 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 249 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000007d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3571000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c0b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000021b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000022b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3572000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3574000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3574000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ddc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ea6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dcc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93deb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dda000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ded000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93dc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ddd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 20480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Nov. 25, 2023, 5:45 p.m.	process_identifier: 2060 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Nov. 25, 2023, 6:01 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\NextChannelSink filepath: C:\Users\test22\AppData\Roaming\NextChannelSink	1	1	0
SetFileAttributesW Nov. 25, 2023, 6:01 p.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\NextChannelSink\TypeId.exe filepath: C:\Users\test22\AppData\Roaming\NextChannelSink\TypeId.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000f3c00', u'virtual_address': u'0x00002000', u'entropy': 7.969959993251591, u'name': u'.text', u'virtual_size': u'0x000f3b04'}

entropy

7.96995999325

description

A section with a high entropy has been found

entropy

0.99846390169

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Nov. 25, 2023, 5:45 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Nov. 25, 2023, 6:01 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

131.153.76.130

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Nov. 25, 2023, 5:46 p.m.	process_identifier: 2540 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000250	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÈ Æð.0Ô @ `@@ p H.textðÓ Ô `.rsrcpÖ @@ base_address: 0x0000000000400000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: 8Ph äêä4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0>InternalNameByhgvwgxzj.exe&LegalCopyrightLegalTrademarksFOriginalFilenameByhgvwgxzj.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00000000004b0000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: @ base_address: 0x000007fffffdc010 process_identifier: 2540 process_handle: 0x0000000000000250	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÈ Æð.0Ô @ `@@ p H.textðÓ Ô `.rsrcpÖ @@ base_address: 0x0000000000400000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2060 called NtSetContextThread to modify thread in remote process 2540
NtSetContextThread Nov. 25, 2023, 5:46 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1308680 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092874752 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000254 process_identifier: 2540	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2060 resumed a thread in remote process 2540
NtResumeThread Nov. 25, 2023, 5:46 p.m.	thread_handle: 0x0000000000000254 suspend_count: 1 process_identifier: 2540	1	0	0

Executed a process and injected code into it, probably while unpacking (20 events)

Time & API	Arguments	Status	Return
NtResumeThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 2060	1	0
NtResumeThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x0000000000000230 suspend_count: 1 process_identifier: 2060	1	0
NtGetContextThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Nov. 25, 2023, 5:45 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2060	1	0
CreateProcessInternalW Nov. 25, 2023, 5:46 p.m.	thread_identifier: 2544 thread_handle: 0x0000000000000254 process_identifier: 2540 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Wlssejinnvz.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000250	1	1
NtUnmapViewOfSection Nov. 25, 2023, 5:46 p.m.	base_address: 0x0000000000400000 region_size: 1999372288 process_identifier: 2540 process_handle: 0x0000000000000250		-1073741799
NtAllocateVirtualMemory Nov. 25, 2023, 5:46 p.m.	process_identifier: 2540 region_size: 729088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000250	1	0
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdÈ Æð.0Ô @ `@@ p H.textðÓ Ô `.rsrcpÖ @@ base_address: 0x0000000000400000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: base_address: 0x0000000000402000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: 8Ph äêä4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0>InternalNameByhgvwgxzj.exe&LegalCopyrightLegalTrademarksFOriginalFilenameByhgvwgxzj.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00000000004b0000 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
NtGetContextThread Nov. 25, 2023, 5:46 p.m.	thread_handle: 0x0000000000000254	1	0
WriteProcessMemory Nov. 25, 2023, 5:46 p.m.	buffer: @ base_address: 0x000007fffffdc010 process_identifier: 2540 process_handle: 0x0000000000000250	1	1
NtSetContextThread Nov. 25, 2023, 5:46 p.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 1308680 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092874752 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000254 process_identifier: 2540	1	0
NtResumeThread Nov. 25, 2023, 5:46 p.m.	thread_handle: 0x0000000000000254 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Nov. 25, 2023, 6 p.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Nov. 25, 2023, 6 p.m.	thread_handle: 0x000000000000013c suspend_count: 1 process_identifier: 2540	1	0
NtResumeThread Nov. 25, 2023, 6 p.m.	thread_handle: 0x0000000000000180 suspend_count: 1 process_identifier: 2540	1	0

Wlssejinnvz.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All