Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	July 25, 2023, 7:36 a.m.	July 25, 2023, 7:48 a.m.

Size	516.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`682d6744626bc028880d22ceb3f313a2`
SHA256	`723a40b5d10baf215da246cb02dbb7b5eee5e2a53efe6eef08414094f3e12563`
CRC32	`0954CA7C`
ssdeep	`12288:bZfX/w60A3WQziQdkWJwGpLIKPGz7JiZlO8tF5:bZfX/jNz7kWtIIGzNi`
PDB Path	HUYYT77636.pdb
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature ConfuserEx_Zero - Confuser .NET IsPE32 - (no description)

ChromeSetup.exe "C:\Users\test22\AppData\Local\Temp\ChromeSetup.exe"
292
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2152

Name	Response	Post-Analysis Lookup
pekonomie.duckdns.org	A 134.19.179.171	134.19.179.171

IP Address	Status	Action
134.19.179.171	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:52760 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.103:50800 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 25, 2023, 7:36 a.m.			0	0
IsDebuggerPresent July 25, 2023, 7:36 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

HUYYT77636.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 25, 2023, 7:36 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

pekonomie.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (28 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f31000 process_handle: 0xffffffff	1
NtProtectVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f32000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00630000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00522000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0053c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00750000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00751000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00752000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00753000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00754000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00755000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00555000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0055b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00557000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00756000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00546000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00757000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0054a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:36 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00547000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00758000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0052a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 292 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0075d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00080600', u'virtual_address': u'0x00002000', u'entropy': 7.966355312405801, u'name': u'.text', u'virtual_size': u'0x00080454'}

entropy

7.96635531241

description

A section with a high entropy has been found

entropy

0.996120271581

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 25, 2023, 7:37 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (23 events)

description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Escalate priviledges	rule	Escalate_priviledges
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	Take ScreenShot	rule	ScreenShot
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	Run a KeyLogger	rule	KeyLogger
description	File Downloader	rule	Network_Downloader

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 2152 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c	1	0	0

Potential code injection by writing to the memory of another process (5 events)

Time & API	Arguments	Status	Return
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<ä%xèvxèvxèvÌt{vkèvÌtyvßèvÌtxvfèvqvyèvæHMvzèvÕ¶wbèvÕ¶wBèvÕ¶wZèvqvaèvxèvBévÍ¶wèvÍ¶uvyèvÍ¶wyèvRichxèvPEL«¬dàl D@HÞðJÐH;àÂ8tÃÃ@ì.textkl `.rdataüxzp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcðJLþ@@.relocH;Ð<J@B base_address: 0x00400000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬ÅE°ÈEªÅE..G\G\G\G\G\G\G\G\G\GG`G`G`G`G`G`G`GGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GG0ËE°ÌEøÚEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3¶FEA$¶F½GA0¶FÜDA´E.?AVtype_info@@´E.?AVbad_alloc@std@@´E.?AVbad_array_new_length@std@@´E.?AVlogic_error@std@@´E.?AVlength_error@std@@´E.?AVout_of_range@std@@´E.?AV_Facet_base@std@@´E.?AV_Locimp@locale@std@@´E.?AVfacet@locale@std@@´E.?AU_Crt_new_delete@std@@´E.?AVcodecvt_base@std@@´E.?AUctype_base@std@@´E.?AV?$ctype@D@std@@´E.?AV?$codecvt@DDU_Mbstatet@@@std@@´E.?AVbad_exception@std@@´E.H´E.?AVfailure@ios_base@std@@´E.?AVruntime_error@std@@´E.?AVsystem_error@std@@´E.?AVbad_cast@std@@´E.?AV_System_error@std@@´E.?AVexception@std@@ base_address: 0x00470000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x00476000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: f5K5§>ñ9:§>Y:§>iê§>íµ:}}P:nõ]õR9R§>§>_²:ß9î 5HW ðz®}°º»áà3@Ó#·DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00477000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2152 process_handle: 0x0000022c	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<ä%xèvxèvxèvÌt{vkèvÌtyvßèvÌtxvfèvqvyèvæHMvzèvÕ¶wbèvÕ¶wBèvÕ¶wZèvqvaèvxèvBévÍ¶wèvÍ¶uvyèvÍ¶wyèvRichxèvPEL«¬dàl D@HÞðJÐH;àÂ8tÃÃ@ì.textkl `.rdataüxzp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcðJLþ@@.relocH;Ð<J@B base_address: 0x00400000 process_identifier: 2152 process_handle: 0x0000022c	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 292 called NtSetContextThread to modify thread in remote process 2152
NtSetContextThread July 25, 2023, 7:37 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4408333 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 2152	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 292 resumed a thread in remote process 2152
NtResumeThread July 25, 2023, 7:37 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2152	1	0	0

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

134.19.179.171:31490

Executed a process and injected code into it, probably while unpacking (21 events)

Time & API	Arguments	Status	Return
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 292	1	0
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 292	1	0
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 292	1	0
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x000001fc suspend_count: 1 process_identifier: 292	1	0
NtGetContextThread July 25, 2023, 7:36 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread July 25, 2023, 7:36 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread July 25, 2023, 7:36 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 292	1	0
CreateProcessInternalW July 25, 2023, 7:37 a.m.	thread_identifier: 2156 thread_handle: 0x00000228 process_identifier: 2152 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000022c	1	1
NtGetContextThread July 25, 2023, 7:37 a.m.	thread_handle: 0x00000228	1	0
NtAllocateVirtualMemory July 25, 2023, 7:37 a.m.	process_identifier: 2152 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000022c	1	0
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $<ä%xèvxèvxèvÌt{vkèvÌtyvßèvÌtxvfèvqvyèvæHMvzèvÕ¶wbèvÕ¶wBèvÕ¶wZèvqvaèvxèvBévÍ¶wèvÍ¶uvyèvÍ¶wyèvRichxèvPEL«¬dàl D@HÞðJÐH;àÂ8tÃÃ@ì.textkl `.rdataüxzp@@.data]ê@À.tls `ø@À.gfids0pú@@.rsrcðJLþ@@.relocH;Ð<J@B base_address: 0x00400000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x00401000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x00458000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿ Copyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.ÿÿÿÿ ¬ÅE°ÈEªÅE..G\G\G\G\G\G\G\G\G\GG`G`G`G`G`G`G`GGÿÿÿÿ°ÈE¨G¨G¨G¨G¨GG0ËE°ÌEøÚEèGGCPSTPDT°GðGÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZGþÿÿÿþÿÿÿuÏ!tåa¾e¸Â¢z»^ âÈ¨3¶FEA$¶F½GA0¶FÜDA´E.?AVtype_info@@´E.?AVbad_alloc@std@@´E.?AVbad_array_new_length@std@@´E.?AVlogic_error@std@@´E.?AVlength_error@std@@´E.?AVout_of_range@std@@´E.?AV_Facet_base@std@@´E.?AV_Locimp@locale@std@@´E.?AVfacet@locale@std@@´E.?AU_Crt_new_delete@std@@´E.?AVcodecvt_base@std@@´E.?AUctype_base@std@@´E.?AV?$ctype@D@std@@´E.?AV?$codecvt@DDU_Mbstatet@@@std@@´E.?AVbad_exception@std@@´E.H´E.?AVfailure@ios_base@std@@´E.?AVruntime_error@std@@´E.?AVsystem_error@std@@´E.?AVbad_cast@std@@´E.?AV_System_error@std@@´E.?AVexception@std@@ base_address: 0x00470000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x00476000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: f5K5§>ñ9:§>Y:§>iê§>íµ:}}P:nõ]õR9R§>§>_²:ß9î 5HW ðz®}°º»áà3@Ó#·DË6;4]Le b Er4NPNWN]TUZ[ äøää äö_^îØØäüûüû í9<8;ú` ¢§µ¶³´±²¯°¸ Y base_address: 0x00477000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x00478000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: base_address: 0x0047d000 process_identifier: 2152 process_handle: 0x0000022c	1	1
WriteProcessMemory July 25, 2023, 7:37 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2152 process_handle: 0x0000022c	1	1
NtSetContextThread July 25, 2023, 7:37 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4408333 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000228 process_identifier: 2152	1	0
NtResumeThread July 25, 2023, 7:37 a.m.	thread_handle: 0x00000228 suspend_count: 1 process_identifier: 2152	1	0

ChromeSetup.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All