Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	March 22, 2023, 5:26 p.m.	March 22, 2023, 5:30 p.m.

Size	1.4MB
Type	PE32 executable (GUI) Intel 80386, for MS Windows
MD5	`54f8a4c3864f17466705a15a2ef2a06f`
SHA256	`d7140018b6ca4711fc2630b815d6aa869dcf472b12ae67d588738eba1765633b`
CRC32	`5992CC52`
ssdeep	`24576:AGU0HpRGUYHKaPUM0Hqy69NgA+iVvRuPpND5TqJ6y5eXt7dRbr5hMS6S:bpEUIvU0N9jkpjweXt77X5yjS`
Yara	UPX_Zero - UPX packed file Malicious_Library_Zero - Malicious_Library Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen OS_Processor_Check_Zero - OS Processor Check Credential_User_Data_Check_Zero - Credential User Data Check SQLite_cookies_Check_Zero - SQLite Cookie Check... select Trojan_PWS_Stealer_1_Zero - Trojan.PWS.Stealer Zero Malicious_Packer_Zero - Malicious Packer IsPE32 - (no description) PE_Header_Zero - PE File Signature

handdiy_6.exe "C:\Users\test22\AppData\Local\Temp\handdiy_6.exe"
1516
- cmd.exe cmd.exe /c taskkill /f /im chrome.exe
  2280
  - taskkill.exe taskkill /f /im chrome.exe
    2340
- chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
  2680
  - chrome.exe "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2ec6e00,0x7fef2ec6e10,0x7fef2ec6e20
    2732

Name	Response	Post-Analysis Lookup
iplogger.com	A 148.251.234.93	148.251.234.93
www.ippfinfo.top	A 178.18.252.110	178.18.252.110

IP Address	Status	Action
148.251.234.93	Active	Moloch
164.124.101.2	Active	Moloch
178.18.252.110	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2023883	ET DNS Query to a *.top domain - Likely Hostile	Potentially Bad Traffic
TCP 148.251.234.93:443 -> 192.168.56.103:49165	2029340	ET INFO TLS Handshake Failure	Potentially Bad Traffic
TCP 192.168.56.103:49164 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49161 -> 178.18.252.110:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.103:49163 -> 148.251.234.93:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.103:49161 178.18.252.110:443	C=CN, O=TrustAsia Technologies, Inc., CN=TrustAsia RSA DV TLS CA G2	CN=www.ippfinfo.top	d3:a0:ee:8d:57:c1:a8:45:01:49:11:aa:77:a0:96:06:3f:c2:e1:5b

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW March 22, 2023, 5:26 p.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW March 22, 2023, 5:26 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (21 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:27 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0
IsDebuggerPresent March 22, 2023, 5:26 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW March 22, 2023, 5:26 p.m.	buffer: ERROR: The process "chrome.exe" not found. console_handle: 0x0000000b	1	1	0

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\86.0.4240.111\Locales
registry	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.deryosx

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

ZIP

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 22, 2023, 5:27 p.m.	stacktrace: 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x67006f registers.r14: 263189320 registers.r15: 83481184 registers.rcx: 1260 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 263188576 registers.rsp: 263188280 registers.r11: 263192192 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1252 registers.r12: 263188936 registers.rbp: 263188432 registers.rdi: 12321248 registers.rax: 11010048 registers.r13: 83490720	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 22, 2023, 5:27 p.m.

stacktrace:

0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f
0x67006f

exception.symbol:
exception.exception_code: 0xc0000005
exception.address: 0x67006f
registers.r14: 263189320
registers.r15: 83481184
registers.rcx: 1260
registers.rsi: 17302540
registers.r10: 0
registers.rbx: 263188576
registers.rsp: 263188280
registers.r11: 263192192
registers.r8: 2004779404
registers.r9: 0
registers.rdx: 1252
registers.r12: 263188936
registers.rbp: 263188432
registers.rdi: 12321248
registers.rax: 11010048
registers.r13: 83490720

Performs some HTTP requests (1 event)

request

GET https://www.ippfinfo.top/

An application raised an exception which may be indicative of an exploit crash (2 events)

Time & API	Arguments	Status	Return	Repeated
Application Crash	Process chrome.exe with pid 2680 crashed
__exception__ March 22, 2023, 5:27 p.m.	stacktrace: 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f 0x67006f exception.symbol: exception.exception_code: 0xc0000005 exception.address: 0x67006f registers.r14: 263189320 registers.r15: 83481184 registers.rcx: 1260 registers.rsi: 17302540 registers.r10: 0 registers.rbx: 263188576 registers.rsp: 263188280 registers.r11: 263192192 registers.r8: 2004779404 registers.r9: 0 registers.rdx: 1252 registers.r12: 263188936 registers.rbp: 263188432 registers.rdi: 12321248 registers.rax: 11010048 registers.r13: 83490720	1	0	0

Steals private information from local Internet browsers (26 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports\1ff2a31e-0fd2-4401-b65c-73cbeedea8ff.dmp
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-641B0212-A78.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-active.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Local State
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CrashpadMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics-spare.pma
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\First Run
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\reports
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\metadata
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3

Foreign language identified in PE resource (4 events)

name

ZIP

language

LANG_CHINESE

filetype

Zip archive data, at least v1.0 to extract

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162fd0

size

0x0000c2c1

name

RT_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162180

size

0x00000ca8

name

RT_GROUP_ICON

language

LANG_CHINESE

filetype

data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162e28

size

0x00000014

name

RT_VERSION

language

LANG_CHINESE

filetype

PGP symmetric key encrypted data - Plaintext or unencrypted data

sublanguage

SUBLANG_CHINESE_SIMPLIFIED

offset

0x00162e40

size

0x0000018c

Creates executable files on the filesystem (6 events)

file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\aes.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\jquery-3.3.1.min.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\pad-nopadding.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\content.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\background.js
file	C:\Program Files\nndannfdnoaiphfcbbpgkhodebpoiocf\js\mode-ecb.js

Creates a suspicious process (1 event)

cmdline

cmd.exe /c taskkill /f /im chrome.exe

Executes one or more WMI queries (1 event)

wmi	SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "chrome.exe")

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x0000d600', u'virtual_address': u'0x00162000', u'entropy': 7.77533940732828, u'name': u'.rsrc', u'virtual_size': u'0x0000d418'}

entropy

7.77533940733

description

A section with a high entropy has been found

Checks for the Locally Unique Identifier on the system for a suspicious privilege (17 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeTrustedCredManAccessPrivilege	1	1
LookupPrivilegeValueW March 22, 2023, 5:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Queries for potentially installed applications (7 events)

Time & API	Arguments	Status	Return
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x000004e4 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000001 key_handle: 0x00000000 options: 0 access: 0x00000001 regkey: HKEY_CURRENT_USER\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome		2
RegOpenKeyExW March 22, 2023, 5:26 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome base_handle: 0x80000002 key_handle: 0x00000528 options: 0 access: 0x00000001 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome	1	0

Terminates another process (2 events)

Time & API	Arguments	Status	Return	Repeated
NtTerminateProcess March 22, 2023, 5:27 p.m.	status_code: 0xc0000005 process_identifier: 2680 process_handle: 0x00000000000000bc		0	0
NtTerminateProcess March 22, 2023, 5:27 p.m.	status_code: 0xc0000005 process_identifier: 2680 process_handle: 0x00000000000000bc	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	cmd.exe /c taskkill /f /im chrome.exe
cmdline	taskkill /f /im chrome.exe

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F81F111D0E5AB58D396F7BF525577FD30FDC95AA\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\test22\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=86.0.4240.111 --initial-client-data=0xb0,0xb4,0xb8,0x84,0xbc,0x7fef2ec6e00,0x7fef2ec6e10,0x7fef2ec6e20
parent_process	chrome.exe				martian_process	"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,9537438294468187669,16199427910675155431,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1060 /prefetch:2

Resumed a suspended thread in a remote process potentially indicative of process injection (23 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2732 resumed a thread in remote process 2680
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0
NtResumeThread March 22, 2023, 5:27 p.m.	thread_handle: 0x0000000000000118 suspend_count: 2 process_identifier: 2680	1	0	0

handdiy_6.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All