Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Jan. 9, 2024, 8 a.m.	Jan. 9, 2024, 8:09 a.m.

Size	1.4MB
Type	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5	`603c16ec67037039ed079f0d266c6f79`
SHA256	`90f43f41f50f5c7f266f9353d21c3733468bad8644be318d48568415a6d9b89b`
CRC32	`464C04C0`
ssdeep	`24576:mBeC7yTVDTzYRstNzxr45HfuQL2gFbn6eDp6s7Sy9jS8/h5cy1RPXVcXpxP6NMva:mBeC7y5PCfbFD6glz2A5cQRfVcXpGMva`
Yara	PE_Header_Zero - PE File Signature IsPE64 - (no description)

Runtime.exe "C:\Users\test22\AppData\Local\Temp\Runtime.exe"
508
- Runtime.exe C:\Users\test22\AppData\Local\Temp\Runtime.exe
  2436

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW Jan. 9, 2024, 7:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 7:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 7:53 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Jan. 9, 2024, 7:54 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Jan. 9, 2024, 8 a.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 8 a.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 7:53 a.m.			0	0
IsDebuggerPresent Jan. 9, 2024, 7:53 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (12 events)

Time & API	Arguments	Status	Return
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000395f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000395f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000395f40 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000396410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000396410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 8 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000396410 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ff7e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ff7e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ff7e0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ffa80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ffa80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Jan. 9, 2024, 7:53 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000006ffa80 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 9, 2024, 8 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 278 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 2293760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000780000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef3c6b000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b40000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000bf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef35d4000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93eec000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93ef0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f61000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e5d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f62000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f63000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f64000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93e4e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f65000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f6f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe93f70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000006e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 508 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1f16000 process_handle: 0xffffffffffffffff	1

Creates hidden or system file (2 events)

Time & API	Arguments	Status	Return	Repeated
SetFileAttributesW Jan. 9, 2024, 7:54 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\TypeId filepath: C:\Users\test22\AppData\Roaming\TypeId	1	1	0
SetFileAttributesW Jan. 9, 2024, 7:54 a.m.	file_attributes: 2 (FILE_ATTRIBUTE_HIDDEN) filepath_r: C:\Users\test22\AppData\Roaming\TypeId\IsSecuritySafeCritical.exe filepath: C:\Users\test22\AppData\Roaming\TypeId\IsSecuritySafeCritical.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x0016d600', u'virtual_address': u'0x00002000', u'entropy': 7.83083708547233, u'name': u'.text', u'virtual_size': u'0x0016d518'}

entropy

7.83083708547

description

A section with a high entropy has been found

entropy

0.998633413051

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Jan. 9, 2024, 8 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Jan. 9, 2024, 7:53 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 2436 region_size: 737280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000218	1	0	0

Potential code injection by writing to the memory of another process (3 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdøàêð.0ê @ @`@@ p H.textàé ê `.rsrcp ì @@ base_address: 0x0000000000400000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: 8Ph ä#êä4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0>InternalNameBgzzguktnl.exe&LegalCopyrightLegalTrademarksFOriginalFilenameBgzzguktnl.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00000000004b2000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 2436 process_handle: 0x0000000000000218	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdøàêð.0ê @ @`@@ p H.textàé ê `.rsrcp ì @@ base_address: 0x0000000000400000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 called NtSetContextThread to modify thread in remote process 2436
NtSetContextThread Jan. 9, 2024, 8 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 3275624 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000214 process_identifier: 2436	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 508 resumed a thread in remote process 2436
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 2436	1	0	0

Executed a process and injected code into it, probably while unpacking (23 events)

Time & API	Arguments	Status	Return
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c4 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x0000000000000134 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x0000000000000178 suspend_count: 1 process_identifier: 508	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000001f8 suspend_count: 1 process_identifier: 508	1	0
NtGetContextThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 508	1	0
NtGetContextThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8	1	0
NtGetContextThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 508	1	0
CreateProcessInternalW Jan. 9, 2024, 8 a.m.	thread_identifier: 2440 thread_handle: 0x0000000000000214 process_identifier: 2436 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: C:\Users\test22\AppData\Local\Temp\Runtime.exe filepath_r: stack_pivoted: 0 creation_flags: 12 (CREATE_SUSPENDED\|DETACHED_PROCESS) inherit_handles: 1 process_handle: 0x0000000000000218	1	1
NtUnmapViewOfSection Jan. 9, 2024, 8 a.m.	base_address: 0x0000000000400000 region_size: 14614528 process_identifier: 2436 process_handle: 0x0000000000000218		-1073741799
NtAllocateVirtualMemory Jan. 9, 2024, 8 a.m.	process_identifier: 2436 region_size: 737280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000000000000218	1	0
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PEdøàêð.0ê @ @`@@ p H.textàé ê `.rsrcp ì @@ base_address: 0x0000000000400000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: base_address: 0x0000000000402000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: 8Ph ä#êä4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°DStringFileInfo 000004b0Comments"CompanyNameFileDescription0FileVersion1.0.0.0>InternalNameBgzzguktnl.exe&LegalCopyrightLegalTrademarksFOriginalFilenameBgzzguktnl.exe"ProductName4ProductVersion1.0.0.08Assembly Version1.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00000000004b2000 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
NtGetContextThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x0000000000000214	1	0
WriteProcessMemory Jan. 9, 2024, 8 a.m.	buffer: @ base_address: 0x000007fffffdf010 process_identifier: 2436 process_handle: 0x0000000000000218	1	1
NtSetContextThread Jan. 9, 2024, 8 a.m.	registers.r14: 0 registers.r15: 0 registers.rcx: 4194304 registers.rsi: 0 registers.r10: 0 registers.rbx: 0 registers.rsp: 3275624 registers.r11: 0 registers.r8: 0 registers.r9: 0 registers.rip: 2003748096 registers.rdx: 8796092887040 registers.r12: 0 registers.rbp: 0 registers.rdi: 0 registers.rax: 0 registers.r13: 0 thread_handle: 0x0000000000000214 process_identifier: 2436	1	0
NtResumeThread Jan. 9, 2024, 8 a.m.	thread_handle: 0x0000000000000214 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Jan. 9, 2024, 7:53 a.m.	thread_handle: 0x00000000000000c8 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Jan. 9, 2024, 7:53 a.m.	thread_handle: 0x0000000000000138 suspend_count: 1 process_identifier: 2436	1	0
NtResumeThread Jan. 9, 2024, 7:53 a.m.	thread_handle: 0x0000000000000184 suspend_count: 1 process_identifier: 2436	1	0

Runtime.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All