Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 13, 2023, 7:17 a.m.	July 13, 2023, 7:19 a.m.

Size	679.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`da4dd59a4f7d449bb43fe614c762ae38`
SHA256	`2dbe70cbbdcaf38adeeb141e74dd76d8c2bf2f3d3ad7d4e9b6ac2b75aac70b53`
CRC32	`9A8B67E9`
ssdeep	`12288:qx93R5AITvJYjXaiUp2zeSQWlnKFwo5oGZrG8CdLD/o7QYjL/IcgEOvytZri:qx93DAqvJ0XcMYsKFwo5l2zGJf/Icv0/`
PDB Path	faTf.pdb
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature IsPE32 - (no description)

wins.exe "C:\Users\test22\AppData\Local\Temp\wins.exe"
1676
- wins.exe "C:\Users\test22\AppData\Local\Temp\wins.exe"
  2500

Name	Response	Post-Analysis Lookup
www.tarolstroy.store	A 91.106.207.17	91.106.207.17
www.730fk.xyz	A 34.149.24.8 A 35.244.161.158	34.149.24.8
www.ambadisuites.com	A 103.235.104.55	103.235.104.55
www.alanyatourism.xyz	A 31.186.11.254 CNAME alanyatourism.xyz	31.186.11.254
www.aamset-paris.com	A 213.171.195.105	213.171.195.105
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
108.170.55.202	Active	Moloch
103.235.104.55	Active	Moloch
164.124.101.2	Active	Moloch
213.171.195.105	Active	Moloch
31.186.11.254	Active	Moloch
34.149.24.8	Active	Moloch
45.33.6.223	Active	Moloch
91.106.207.17	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.103:49168 -> 213.171.195.105:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49171 -> 34.149.24.8:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49174 -> 103.235.104.55:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49173 -> 34.149.24.8:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic
TCP 192.168.56.103:49177 -> 31.186.11.254:80	2031413	ET MALWARE FormBook CnC Checkin (POST) M2	Malware Command and Control Activity Detected
TCP 192.168.56.103:49179 -> 31.186.11.254:80	2031088	ET HUNTING Request to .XYZ Domain with Minimal Headers	Potentially Bad Traffic

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 13, 2023, 7:17 a.m.			0	0
IsDebuggerPresent July 13, 2023, 7:17 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

faTf.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 13, 2023, 7:17 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.tarolstroy.store/qm18/?xs=tYbfVfqRpdwQJ/YJuVYmyuISTDSHLEnDniy2NKZKgIv4fPjbo9CoucMX+KvaGEkPto8yDaPVXY4DfYfGNv37QRxsTZWK/du1jcc6Ng8=&7_Tgr=8F27_b
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.aamset-paris.com/qm18/?xs=7X6yuSlu+dj6VbT/HVTP3sWDLGeGVibSxR+wMAjD3OxW5b3fRHJrY5KvZj4pHfXU1KvsFeR8UWVvxmvaZ57ytJibuesW4OAEDl3ofUc=&7_Tgr=8F27_b
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.730fk.xyz/qm18/?xs=cS0MUmEuziINzum9OR3H3Euew837JAcIMkWGfSRnR2f7lAx+oHNoxC8gZ6/Im1YEedzL0fYD6ipq0E7DEb+QJjS1oWgfM4LU+yKhVMM=&7_Tgr=8F27_b
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.ambadisuites.com/qm18/?xs=twXCj9A/PBdHHBdbgfhfoKfy0OvMxBrR7XgKnX6RRfPX7TPrrS+E6KrIgDtMBZNbiGs0TPR0LnIhOu0L+1GkXKnNk0tJIaTniUgBoks=&7_Tgr=8F27_b

Performs some HTTP requests (10 events)

request	POST http://www.tarolstroy.store/qm18/
request	GET http://www.tarolstroy.store/qm18/?xs=tYbfVfqRpdwQJ/YJuVYmyuISTDSHLEnDniy2NKZKgIv4fPjbo9CoucMX+KvaGEkPto8yDaPVXY4DfYfGNv37QRxsTZWK/du1jcc6Ng8=&7_Tgr=8F27_b
request	GET http://www.sqlite.org/2020/sqlite-dll-win32-x86-3320000.zip
request	POST http://www.aamset-paris.com/qm18/
request	GET http://www.aamset-paris.com/qm18/?xs=7X6yuSlu+dj6VbT/HVTP3sWDLGeGVibSxR+wMAjD3OxW5b3fRHJrY5KvZj4pHfXU1KvsFeR8UWVvxmvaZ57ytJibuesW4OAEDl3ofUc=&7_Tgr=8F27_b
request	POST http://www.730fk.xyz/qm18/
request	GET http://www.730fk.xyz/qm18/?xs=cS0MUmEuziINzum9OR3H3Euew837JAcIMkWGfSRnR2f7lAx+oHNoxC8gZ6/Im1YEedzL0fYD6ipq0E7DEb+QJjS1oWgfM4LU+yKhVMM=&7_Tgr=8F27_b
request	POST http://www.ambadisuites.com/qm18/
request	GET http://www.ambadisuites.com/qm18/?xs=twXCj9A/PBdHHBdbgfhfoKfy0OvMxBrR7XgKnX6RRfPX7TPrrS+E6KrIgDtMBZNbiGs0TPR0LnIhOu0L+1GkXKnNk0tJIaTniUgBoks=&7_Tgr=8F27_b
request	POST http://www.alanyatourism.xyz/qm18/

Sends data using the HTTP POST Method (5 events)

request	POST http://www.tarolstroy.store/qm18/
request	POST http://www.aamset-paris.com/qm18/
request	POST http://www.730fk.xyz/qm18/
request	POST http://www.ambadisuites.com/qm18/
request	POST http://www.alanyatourism.xyz/qm18/

Allocates read-write-execute memory (usually to unpack itself) (32 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 524288 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x005a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ec0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0064b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0062a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00627000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0060c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0061e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 1676 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01e7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 2500 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x008c0000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (3 events)

section

{u'size_of_data': u'0x000a7a00', u'virtual_address': u'0x00002000', u'entropy': 7.734289612621782, u'name': u'.text', u'virtual_size': u'0x000a7840'}

entropy

7.73428961262

description

A section with a high entropy has been found

section

{u'size_of_data': u'0x00002000', u'virtual_address': u'0x000aa000', u'entropy': 7.375942499085904, u'name': u'.rsrc', u'virtual_size': u'0x00001e60'}

entropy

7.37594249909

description

A section with a high entropy has been found

entropy

0.999263622975

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 13, 2023, 7:17 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Communicates with host for which no DNS query was performed (1 event)

host

108.170.55.202

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 2500 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL2¹LàÖàð@ð@.textÔÖ ` base_address: 0x00400000 process_identifier: 2500 process_handle: 0x000002c8	1	1	0
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x000002c8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL2¹LàÖàð@ð@.textÔÖ ` base_address: 0x00400000 process_identifier: 2500 process_handle: 0x000002c8	1	1	0

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
Sangfor	Suspicious.Win32.Save.a
CrowdStrike	win/malicious_confidence_90% (D)
Symantec	Scr.Malcode!gdn34
Cynet	Malicious (score: 100)
APEX	Malicious
Kaspersky	VHO:Trojan.MSIL.Taskun.gen
Avast	CrypterX-gen [Trj]
McAfee-GW-Edition	BehavesLike.Win32.Generic.jc
SentinelOne	Static AI - Suspicious PE
ZoneAlarm	VHO:Trojan.MSIL.Taskun.gen
Rising	Malware.Obfus/MSIL@AI.84 (RDM.MSIL2:9tS3154es87aKBgmMczC0w)
MaxSecure	Trojan.Malware.300983.susgen
Fortinet	MSIL/Kryptik.AGUH!tr
AVG	CrypterX-gen [Trj]
DeepInstinct	MALICIOUS

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1676 called NtSetContextThread to modify thread in remote process 2500
NtSetContextThread July 13, 2023, 7:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c4 process_identifier: 2500	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 1676 resumed a thread in remote process 2500
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2500	1	0	0

Executed a process and injected code into it, probably while unpacking (12 events)

Time & API	Arguments	Status	Return
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1676	1	0
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 1676	1	0
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 1676	1	0
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1676	1	0
CreateProcessInternalW July 13, 2023, 7:17 a.m.	thread_identifier: 2504 thread_handle: 0x000002c4 process_identifier: 2500 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\wins.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\wins.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000002c8	1	1
NtGetContextThread July 13, 2023, 7:17 a.m.	thread_handle: 0x000002c4	1	0
NtAllocateVirtualMemory July 13, 2023, 7:17 a.m.	process_identifier: 2500 region_size: 192512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000002c8	1	0
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿáÀº´ Í!¸LÍ!This program cannot be run in DOS mode. $±lÁõ}õ}õ}Ò»Íö}Ò»Ïô}Ò»Îô}Richõ}PEL2¹LàÖàð@ð@.textÔÖ ` base_address: 0x00400000 process_identifier: 2500 process_handle: 0x000002c8	1	1
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: base_address: 0x00401000 process_identifier: 2500 process_handle: 0x000002c8	1	1
WriteProcessMemory July 13, 2023, 7:17 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2500 process_handle: 0x000002c8	1	1
NtSetContextThread July 13, 2023, 7:17 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199136 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002c4 process_identifier: 2500	1	0
NtResumeThread July 13, 2023, 7:17 a.m.	thread_handle: 0x000002c4 suspend_count: 1 process_identifier: 2500	1	0

wins.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All