Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Aug. 14, 2023, 7:42 a.m.	Aug. 14, 2023, 7:50 a.m.

Size	441.0KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`1188a953c9f36b374ca3714c9de1763e`
SHA256	`20d45ab8062d59db6229e293a604f37e2760519894d07380288f0f8f5e2b5c95`
CRC32	`94D39753`
ssdeep	`6144:p7kv6HlSjbx+NOspNKz9l2jwawmz4FBFqF1V0KrKi:1TSncN/0T2kawmz4FBoF1V0KW`
PDB Path	BNMKLP987.pdb
Yara	Is_DotNET_EXE - (no description) PE_Header_Zero - PE File Signature ConfuserEx_Zero - Confuser .NET IsPE32 - (no description)

wininit.exe "C:\Users\test22\AppData\Local\Temp\wininit.exe"
2656
- CasPol.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"
  2772

Name	Response	Post-Analysis Lookup
www.applechiofficial.com	CNAME applechiofficial.com A 217.144.104.212	217.144.104.212
www.acdaiucdac.com	CNAME acdaiucdac.com A 165.140.70.70	165.140.70.70
www.playcups.life	A 203.161.58.192	203.161.58.192
www.maytag36.com	CNAME 342284.parkingcrew.net A 13.248.148.254 A 76.223.26.96	76.223.26.96
www.cosmicearthgoddess.com	A 74.208.236.61	74.208.236.61
www.yh66985.com	A 154.215.247.58	154.215.247.58
www.promptyum.com	A 52.20.84.62	52.20.84.62
www.grmlfgsz.click	A 104.21.75.162 A 172.67.178.188	172.67.178.188
www.sisbom.online
www.selfstorage.koeln	CNAME selfstorage.koeln A 81.169.145.157	81.169.145.157
www.workationdelsol.com	CNAME workationdelsol.com A 81.169.145.159	81.169.145.159
www.sqlite.org	A 45.33.6.223	45.33.6.223

IP Address	Status	Action
104.21.75.162	Active	Moloch
13.248.148.254	Active	Moloch
154.215.247.58	Active	Moloch
164.124.101.2	Active	Moloch
165.140.70.70	Active	Moloch
203.161.58.192	Active	Moloch
217.144.104.212	Active	Moloch
45.33.6.223	Active	Moloch
52.20.84.62	Active	Moloch
74.208.236.61	Active	Moloch
81.169.145.157	Active	Moloch
81.169.145.159	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2023, 7:42 a.m.			0	0
IsDebuggerPresent Aug. 14, 2023, 7:42 a.m.			0	0

This executable has a PDB path (1 event)

pdb_path

BNMKLP987.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2023, 7:42 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (10 events)

suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.maytag36.com/pta7/?fnA=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.selfstorage.koeln/pta7/?fnA=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.cosmicearthgoddess.com/pta7/?fnA=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.yh66985.com/pta7/?fnA=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.playcups.life/pta7/?fnA=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.promptyum.com/pta7/?fnA=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.applechiofficial.com/pta7/?fnA=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.acdaiucdac.com/pta7/?fnA=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.workationdelsol.com/pta7/?fnA=KwcplsCPI1RgA9llBgRI7UZiW4SpOPY+6KzEsYVNfDztjut0HKme+ulBSzhiqB8GHLrJm3E5Mws5yZIdMQ67aG0FcK0zVEj9Psx/60M=&kMqzI-=yuAc
suspicious_features	GET method with no useragent header	suspicious_request	GET http://www.grmlfgsz.click/pta7/?fnA=ZUw0DE2tTfMrS/vGgTqiPtR9iLDJ7ITJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp68on4xa7Qrqk1k7DdBy37sJAI4o=&kMqzI-=yuAc

Performs some HTTP requests (21 events)

request	POST http://www.maytag36.com/pta7/
request	GET http://www.maytag36.com/pta7/?fnA=I+8B7hWWd8/aZc0LyOI98FU2kxxJYUgzWPkNKI3Xu1M4KTmr5ikbSLVEKd5DC7LZ6l0Rcp22A4fkoHEesbNwOWp7sSOEDutN8WpeiG4=&kMqzI-=yuAc
request	GET http://www.sqlite.org/2019/sqlite-dll-win32-x86-3270000.zip
request	POST http://www.selfstorage.koeln/pta7/
request	GET http://www.selfstorage.koeln/pta7/?fnA=nRxaeJY0qwDQ0+6frQxSN5E2QFq7X4AyNJuuilycF0k/wVU2rXenu/JIKS0/EAOQo/d8R3vVu9XtC/4/t+jNl01+sEHp/xYpCFlSqjU=&kMqzI-=yuAc
request	POST http://www.cosmicearthgoddess.com/pta7/
request	GET http://www.cosmicearthgoddess.com/pta7/?fnA=13fhjxEBwouEnUsG2Zptbc3oT5vv/DEuG4iFtfSUwau/qJ9Hv2KIb5nyZ/MG0WCg1U40rxerqpJjqyPhopVWfuMIqg+QB/xDsz3LaOk=&kMqzI-=yuAc
request	POST http://www.yh66985.com/pta7/
request	GET http://www.yh66985.com/pta7/?fnA=r0Znjcl108fWq3DW2uMZlKkUpEOS0il4WTIwHqnkDlhXNTmyDe2k/moWxs1adkJw8OOtkgeu00hRWSJDuXN3qGN9obJjMdXlYosByRw=&kMqzI-=yuAc
request	POST http://www.playcups.life/pta7/
request	GET http://www.playcups.life/pta7/?fnA=owQQ/LdvYhr1hQA44RH9bUiltN1V9/nW3nzbuZ7AnukoApd9+FtfvWC4rKSj4oUCaFCHPCKOWRRPvWiBpKGkSpFpDTHalZsc88EWemY=&kMqzI-=yuAc
request	POST http://www.promptyum.com/pta7/
request	GET http://www.promptyum.com/pta7/?fnA=51fXUovDvl40Gay+bBOuV4csAD2CR1Bn3rNklAoym8RSa3YWX1JZVvP1mooqhecBmHsju7ND43XQhJhW/MWm8p48YIEfLWeZ5rDjg9Q=&kMqzI-=yuAc
request	POST http://www.applechiofficial.com/pta7/
request	GET http://www.applechiofficial.com/pta7/?fnA=3tLz2GELRqgUNEe3Tg6pYXQ6INf+7Y5kvPosXVoeGK7Pb7+bWmhYMZiQ8dlF92mvy5mXj5zMlug3M8Fw5MW69FZ659FzjUfEuZ9BwIA=&kMqzI-=yuAc
request	POST http://www.acdaiucdac.com/pta7/
request	GET http://www.acdaiucdac.com/pta7/?fnA=43v7Ny/HipLC1/i8/EHFbQWk+eiIQ/u53GN7wShSu/utS8xmabSGaVvVJrZKwfQ4W1iMjfgim/Qvgf/YMs2AzVLD8F/JP8IFS4Qjg6E=&kMqzI-=yuAc
request	POST http://www.workationdelsol.com/pta7/
request	GET http://www.workationdelsol.com/pta7/?fnA=KwcplsCPI1RgA9llBgRI7UZiW4SpOPY+6KzEsYVNfDztjut0HKme+ulBSzhiqB8GHLrJm3E5Mws5yZIdMQ67aG0FcK0zVEj9Psx/60M=&kMqzI-=yuAc
request	POST http://www.grmlfgsz.click/pta7/
request	GET http://www.grmlfgsz.click/pta7/?fnA=ZUw0DE2tTfMrS/vGgTqiPtR9iLDJ7ITJFCKtS8euE2iaohDcpFUZC4QpBbwyViCfiPHxoQAr+wVp68on4xa7Qrqk1k7DdBy37sJAI4o=&kMqzI-=yuAc

Sends data using the HTTP POST Method (10 events)

request	POST http://www.maytag36.com/pta7/
request	POST http://www.selfstorage.koeln/pta7/
request	POST http://www.cosmicearthgoddess.com/pta7/
request	POST http://www.yh66985.com/pta7/
request	POST http://www.playcups.life/pta7/
request	POST http://www.promptyum.com/pta7/
request	POST http://www.applechiofficial.com/pta7/
request	POST http://www.acdaiucdac.com/pta7/
request	POST http://www.workationdelsol.com/pta7/
request	POST http://www.grmlfgsz.click/pta7/

Allocates read-write-execute memory (usually to unpack itself) (29 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00770000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00660000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00670000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b33000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b34000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b35000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b36000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b37000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b38000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00b3e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2772 region_size: 3158016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00960000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00044600', u'virtual_address': u'0x00002000', u'entropy': 7.925550998957093, u'name': u'.text', u'virtual_size': u'0x000445a4'}

entropy

7.92555099896

description

A section with a high entropy has been found

entropy

0.620885357548

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 14, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Aug. 14, 2023, 7:42 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (7 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2772 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0	0

Potential code injection by writing to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2772 process_handle: 0x00000224	1	1	0
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2772 process_handle: 0x00000224	1	1	0

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2772 process_handle: 0x00000224	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 called NtSetContextThread to modify thread in remote process 2772
NtSetContextThread Aug. 14, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2772	1	0	0

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2656 resumed a thread in remote process 2772
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2772	1	0	0

Executed a process and injected code into it, probably while unpacking (15 events)

Time & API	Arguments	Status	Return
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 2656	1	0
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2656	1	0
NtGetContextThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2656	1	0
CreateProcessInternalW Aug. 14, 2023, 7:42 a.m.	thread_identifier: 2776 thread_handle: 0x00000220 process_identifier: 2772 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe track: 1 command_line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe" filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000224	1	1
NtGetContextThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x00000220	1	0
NtAllocateVirtualMemory Aug. 14, 2023, 7:42 a.m.	process_identifier: 2772 region_size: 200704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000224	1	0
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: MZERèXè ÈÀ<ÁÀ(ÿá¸º´ Í!¸LÍ!This program cannot be run in DOS mode. $y =`gó=`gó=`gó¦¨ó:`gó¦ªó<`gó¦«ó<`góRich=`góPELüöFàöÐ@@.texttõö ` base_address: 0x00400000 process_identifier: 2772 process_handle: 0x00000224	1	1
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: base_address: 0x00401000 process_identifier: 2772 process_handle: 0x00000224	1	1
WriteProcessMemory Aug. 14, 2023, 7:42 a.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2772 process_handle: 0x00000224	1	1
NtSetContextThread Aug. 14, 2023, 7:42 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4199888 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000220 process_identifier: 2772	1	0
NtResumeThread Aug. 14, 2023, 7:42 a.m.	thread_handle: 0x00000220 suspend_count: 1 process_identifier: 2772	1	0

wininit.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All