Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 26, 2023, 7:41 a.m.	April 26, 2023, 7:43 a.m.

Size	494.3KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`fca51c45c88a92f340faaca0a8e832c8`
SHA256	`41770017c9f44ef476ba05e44fbd19b0df70a21156ff7fa9c9b5b7f4f07a3705`
CRC32	`9F2AF542`
ssdeep	`6144:GzsetYQi0K8xwAXr/fUT7td4HCp6hInogO5cJN2W3MnBJW2WraDOhTKnOF8QAZaR:FeaIfiP3O2sK2WraDOhel0WVvKX5H5N`
Yara	UPX_Zero - UPX packed file OS_Processor_Check_Zero - OS Processor Check IsDLL - (no description) IsPE32 - (no description) PE_Header_Zero - PE File Signature Malicious_Library_Zero - Malicious_Library

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\2.dll,Motd
2556
- wermgr.exe C:\Windows\SysWOW64\wermgr.exe
  2760
  - PING.EXE ping -n 3 yahoo.com
    2836
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\2.dll,
2644

Name	Response	Post-Analysis Lookup
yahoo.com	A 98.137.11.163 A 74.6.231.20 A 74.6.143.26 A 74.6.143.25 A 74.6.231.21 A 98.137.11.164	98.137.11.164

IP Address	Status	Action
164.124.101.2	Active	Moloch
98.137.11.163	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 26, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 26, 2023, 7:41 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 26, 2023, 7:41 a.m.			0	0
IsDebuggerPresent April 26, 2023, 7:41 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 26, 2023, 7:41 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.gfids

The file contains an unknown PE resource name possibly indicative of a packer (1 event)

resource name

None

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (19 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73660000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73561000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x734d1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73494000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73562000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73c01000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 region_size: 266240 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00940000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 region_size: 147456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01db0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01dca000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73be1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73961000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2556 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75bf1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x735f2000 process_handle: 0xffffffff	1

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW April 26, 2023, 7:41 a.m.	thread_identifier: 2840 thread_handle: 0x0000013c process_identifier: 2836 current_directory: filepath: track: 1 command_line: ping -n 3 yahoo.com filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000140	1	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (41 events)

Time & API	Arguments	Status	Return
Process32FirstW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: [System Process] process_identifier: 0	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: System process_identifier: 4	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: smss.exe process_identifier: 224	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: csrss.exe process_identifier: 304	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: wininit.exe process_identifier: 352	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: csrss.exe process_identifier: 360	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: winlogon.exe process_identifier: 400	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: services.exe process_identifier: 444	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: lsass.exe process_identifier: 460	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: lsm.exe process_identifier: 468	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 572	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 652	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 724	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 784	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 832	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: audiodg.exe process_identifier: 900	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 992	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 292	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: spoolsv.exe process_identifier: 324	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 1048	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: srvany.exe process_identifier: 1284	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: KMService.exe process_identifier: 1436	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: conhost.exe process_identifier: 1448	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: taskhost.exe process_identifier: 1600	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: sppsvc.exe process_identifier: 1820	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: svchost.exe process_identifier: 1896	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: dwm.exe process_identifier: 1260	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: explorer.exe process_identifier: 1452	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: pw.exe process_identifier: 988	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: SearchIndexer.exe process_identifier: 1160	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: SearchProtocolHost.exe process_identifier: 936	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: SearchFilterHost.exe process_identifier: 2000	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: mobsync.exe process_identifier: 2284	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: pw.exe process_identifier: 2324	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: taskhost.exe process_identifier: 2364	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000168 process_name: rundll32.exe process_identifier: 2556	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001a0 process_name: wermgr.exe process_identifier: 2760	1	1
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001a0 process_name: l process_identifier: 1974927360		0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001fc process_name: l process_identifier: 1947926528		0
Process32NextW April 26, 2023, 7:42 a.m.	snapshot_handle: 0x000000f4 process_name: svchost.exe process_identifier: 2376	1	1
Process32NextW April 26, 2023, 7:42 a.m.	snapshot_handle: 0x000000f4 process_name: WmiPrvSE.exe process_identifier: 2896	1	1

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 113 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001fc process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001fc process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x000001fc process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x00000204 process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0
Process32NextW April 26, 2023, 7:41 a.m.	snapshot_handle: 0x0000011c process_name: l process_identifier: 1947926528		0	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

ping -n 3 yahoo.com

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000f1000 process_handle: 0x0000016c	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2760
NtResumeThread April 26, 2023, 7:41 a.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2760	1	0	0

Generates some ICMP traffic

Executed a process and injected code into it, probably while unpacking (8 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW April 26, 2023, 7:41 a.m.	thread_identifier: 2764 thread_handle: 0x00000168 process_identifier: 2760 current_directory: filepath: track: 1 command_line: C:\Windows\SysWOW64\wermgr.exe filepath_r: stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000016c	1	1
NtMapViewOfSection April 26, 2023, 7:41 a.m.	section_handle: 0x00000174 process_identifier: 2760 commit_size: 0 win32_protect: 64 (PAGE_EXECUTE_READWRITE) buffer: base_address: 0x000f0000 allocation_type: 0 () section_offset: 0 view_size: 147456 process_handle: 0x0000016c	1	0
NtAllocateVirtualMemory April 26, 2023, 7:41 a.m.	process_identifier: 2760 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 4 (PAGE_READWRITE) base_address: 0x00120000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0x0000016c	1	0
WriteProcessMemory April 26, 2023, 7:41 a.m.	buffer: base_address: 0x00120000 process_identifier: 2760 process_handle: 0x0000016c	1	1
NtGetContextThread April 26, 2023, 7:41 a.m.	thread_handle: 0x00000168	1	0
NtResumeThread April 26, 2023, 7:41 a.m.	thread_handle: 0x00000168 suspend_count: 1 process_identifier: 2760	1	0
NtResumeThread April 26, 2023, 7:41 a.m.	thread_handle: 0x00000110 suspend_count: 1 process_identifier: 2760	1	0
CreateProcessInternalW April 26, 2023, 7:41 a.m.	thread_identifier: 2840 thread_handle: 0x0000013c process_identifier: 2836 current_directory: filepath: track: 1 command_line: ping -n 3 yahoo.com filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000140	1	1

2

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All