Summary | ZeroBOX

Category	Machine	Started	Completed
URL	s1_win7_x6401	April 27, 2023, 2:59 p.m.	April 27, 2023, 3 p.m.

URL	https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975

iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975
2620
- iexplore.exe "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409
  2704

Name	Response	Post-Analysis Lookup
apis.mail.yahoo.com	A 119.161.15.251 CNAME edge.gycpi.b.yahoodns.net A 119.161.15.252 A 119.161.16.11 A 119.161.16.12	119.161.5.247
dl-mail.ymail.com	A 119.161.15.251 A 119.161.5.248 A 119.161.8.11 A 119.161.8.12 CNAME edge.gycpi.b.yahoodns.net	119.161.5.247

IP Address	Status	Action
119.161.15.251	Active	Moloch
119.161.16.11	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49165 -> 119.161.15.251:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49167 -> 119.161.16.11:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49164 -> 119.161.15.251:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49166 -> 119.161.16.11:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49166 119.161.16.11:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com	6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0
TLSv1 192.168.56.101:49167 119.161.16.11:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com	6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0
TLSv1 192.168.56.101:49165 119.161.15.251:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com	6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0
TLSv1 192.168.56.101:49164 119.161.15.251:443	C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA	C=US, ST=California, L=Sunnyvale, O=Oath Holdings Inc., CN=*.api.fantasysports.yahoo.com	6e:2f:30:b9:a3:fc:58:90:e8:a6:e6:0f:b5:08:0e:63:1d:59:94:f0

Performs some HTTP requests (2 events)

request

GET https://dl-mail.ymail.com/ws/download/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/raw?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&token=uDdRaaIpkxJyV0akyTfVtC7n1FhmsdJB7bDv_XH6K6bCQOXFxgkBkwEAZNsu-_QFvV_5i5_L4E4NWtq013TBfcZCGX32myhohFrRcQRPMX0YejtWOpAjLBddP6PWGYs9&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975

request

GET https://apis.mail.yahoo.com/ws/v3/mailboxes/@.id==VjN-JPTkH0IKMOeQ4l_fsOCI0QATxLNRGTv3aIkYarV_TKFLYcXIdqvvnC4LaQc8ks-_jONYRiG2iGqGRvuP2lTXQg/messages/@.id==ANk1W0gqsg07ZElmNwBCaGHMBoo/content/parts/@.id==1/refresh?appid=YMailNorrin&ymreqid=6053e7f5-407c-91aa-1ce7-e4002b013800&error=https%3A%2F%2Fmail.yahoo.com%2Fd%2Fiframemsg%3Fid%3Ddownload-3341020975

Allocates read-write-execute memory (usually to unpack itself) (50 out of 110 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 region_size: 1708032 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002770000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002910000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000000007304c000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000003030000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002910000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769d4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefbca5000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefefc4000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fefdcd1000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769ba000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769f2000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2620 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 region_size: 12652544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000035d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000076a21000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory April 27, 2023, 2:59 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000769cd000 process_handle: 0xffffffffffffffff	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2620 CREDAT:145409

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2620 resumed a thread in remote process 2704
NtResumeThread April 27, 2023, 2:59 p.m.	thread_handle: 0x0000000000000330 suspend_count: 1 process_identifier: 2704	1	0	0

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All