Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Jan. 8, 2024, 7:41 a.m.	Jan. 8, 2024, 7:46 a.m.

Size	5.1MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`76c16fdbc68b7df3bc50ecc5a9492e77`
SHA256	`d63d27212f6e489dc2982042e25752db578b49c6c92e376951e84cdcb52ef5cd`
CRC32	`2E8C2276`
ssdeep	`49152:lMHnYA4KPPiLXq5Uk7M1YqM2vvcQESniw+KO4sKa1DDs93LnpRRJVZ:oYE4XqxKrniw+KO4sKa1DQ9bnpPDZ`
PDB Path	history_with_pictures_and_dates.pdb
Yara	IsPE32 - (no description) PE_Header_Zero - PE File Signature Admin_Tool_IN_Zero - Admin Tool Sysinternals Is_DotNET_EXE - (no description) Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

birge_two.exe "C:\Users\test22\AppData\Local\Temp\birge_two.exe"
2564
- InstallUtil.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  2840

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 8, 2024, 7:41 a.m.			0	0
IsDebuggerPresent Jan. 8, 2024, 7:41 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 8, 2024, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c7b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 8, 2024, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c7b5a0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Jan. 8, 2024, 7:42 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00c7b660 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

This executable has a PDB path (1 event)

pdb_path

history_with_pictures_and_dates.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 8, 2024, 7:41 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 52 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f50000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01130000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00802000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00835000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0083b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00837000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:41 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00826000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0082a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00827000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f39000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01131000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01133000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01135000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01136000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01137000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01138000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 16384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01139000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 69632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0113d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0114e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0080c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0114f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01151000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01152000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b4f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00f3f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01153000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01154000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01155000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2564 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\Protect544cd51a.dll

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x004f6200', u'virtual_address': u'0x00002000', u'entropy': 7.054055155245687, u'name': u'.text', u'virtual_size': u'0x004f61c4'}

entropy

7.05405515525

description

A section with a high entropy has been found

entropy

0.973462349109

description

Overall entropy of this PE file is high

Yara rule detected in process memory (9 events)

description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

One or more of the buffers contains an embedded PE file (2 events)

buffer	Buffer with sha1: f3399a7e2ec4bdc41f91e7e5b261d3e5b4b1f7b5
buffer	Buffer with sha1: 2441a44b06509975255deafbaa7fd57a83a0bd41

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2840 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELlëeàT°@0 @´âPØHãD.text× `.rdata4°6@@.dataÜðÔ@À.relocØØ@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x000002a0	1	1	0
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x000002a0	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELlëeàT°@0 @´âPØHãD.text× `.rdata4°6@@.dataÜðÔ@À.relocØØ@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x000002a0	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 called NtSetContextThread to modify thread in remote process 2840
NtSetContextThread Jan. 8, 2024, 7:42 a.m.	registers.eip: 1995571652 registers.esp: 4128516 registers.edi: 0 registers.eax: 4292784 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 2840	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2564 resumed a thread in remote process 2840
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2840	1	0	0

Executed a process and injected code into it, probably while unpacking (28 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 8, 2024, 7:41 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Jan. 8, 2024, 7:41 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Jan. 8, 2024, 7:41 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2564	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x0000021c suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x000000e4 suspend_count: 1 process_identifier: 2564	1	0
CreateProcessInternalW Jan. 8, 2024, 7:42 a.m.	thread_identifier: 2844 thread_handle: 0x0000029c process_identifier: 2840 current_directory: filepath: track: 1 command_line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe filepath_r: stack_pivoted: 0 creation_flags: 564 (CREATE_NEW_CONSOLE\|CREATE_NEW_PROCESS_GROUP\|CREATE_SUSPENDED\|NORMAL_PRIORITY_CLASS) inherit_handles: 0 process_handle: 0x000002a0	1	1
NtUnmapViewOfSection Jan. 8, 2024, 7:42 a.m.	base_address: 0x00400000 region_size: 9699328 process_identifier: 2840 process_handle: 0x000002a0		3221225497
NtAllocateVirtualMemory Jan. 8, 2024, 7:42 a.m.	process_identifier: 2840 region_size: 602112 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002a0	1	0
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELlëeàT°@0 @´âPØHãD.text× `.rdata4°6@@.dataÜðÔ@À.relocØØ@B base_address: 0x00400000 process_identifier: 2840 process_handle: 0x000002a0	1	1
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: base_address: 0x00401000 process_identifier: 2840 process_handle: 0x000002a0	1	1
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: base_address: 0x0045b000 process_identifier: 2840 process_handle: 0x000002a0	1	1
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: base_address: 0x0045f000 process_identifier: 2840 process_handle: 0x000002a0	1	1
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: base_address: 0x00481000 process_identifier: 2840 process_handle: 0x000002a0	1	1
NtGetContextThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x0000029c	1	0
WriteProcessMemory Jan. 8, 2024, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2840 process_handle: 0x000002a0	1	1
NtSetContextThread Jan. 8, 2024, 7:42 a.m.	registers.eip: 1995571652 registers.esp: 4128516 registers.edi: 0 registers.eax: 4292784 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x0000029c process_identifier: 2840	1	0
NtResumeThread Jan. 8, 2024, 7:42 a.m.	thread_handle: 0x0000029c suspend_count: 1 process_identifier: 2840	1	0

birge_two.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All