Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	May 19, 2021, 1:32 p.m.	May 19, 2021, 1:40 p.m.

Size	472.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`5594e29409269da66e8c7efb5b5e34dd`
SHA256	`1ea23b106e7ea81cd0242927938ded4748e24d326fb0fce08eacb85c4053f294`
CRC32	`96C6C998`
ssdeep	`3072:7RdEDOuO+IQTmQ8VdMPdQArTXN4qbPzbyg/CNI9KorYtJQwYC9w3i8:7RdwOq98YPdQWXtLnz/JK0wYC9w3i8`
Yara	anti_vm_detect - Possibly employs anti-virtualization techniques

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\black.txt.ps1
2208
- MSBuild.exe #cmd
  7636

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.151.125.220	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 19, 2021, 1:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2021, 1:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2021, 1:32 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 19, 2021, 1:32 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 19, 2021, 1:32 p.m.			0	0
IsDebuggerPresent May 19, 2021, 1:32 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 19, 2021, 1:32 p.m.	buffer: True console_handle: 0x00000013	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey May 19, 2021, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d4900 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2021, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d4280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 19, 2021, 1:33 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d4280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 19, 2021, 1:32 p.m.		1	1	0

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ May 19, 2021, 1:32 p.m.	stacktrace: 0x6a17d0 0x6a0ff3 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 53 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6a1c43 registers.esp: 3141616 registers.edi: 3141640 registers.eax: 0 registers.ebp: 3141652 registers.edx: 195 registers.ebx: 3141908 registers.esi: 39475780 registers.ecx: 0	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: system+0x6fa816 @ 0x658ea816 mscorlib+0x32de48 @ 0x6ef0de48 mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x32dd91 @ 0x6ef0dd91 mscorlib+0x32dc4c @ 0x6ef0dc4c mscorlib+0x32db05 @ 0x6ef0db05 mscorlib+0x32d9c8 @ 0x6ef0d9c8 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x4825c CorDllMainForThunk-0x4429f clr+0x10d2d5 @ 0x6fcad2d5 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x48208 CorDllMainForThunk-0x442f3 clr+0x10d281 @ 0x6fcad281 DllGetClassObjectInternal+0x48159 CorDllMainForThunk-0x443a2 clr+0x10d1d2 @ 0x6fcad1d2 DllGetClassObjectInternal+0x47f09 CorDllMainForThunk-0x445f2 clr+0x10cf82 @ 0x6fcacf82 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x6fc8f54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 06 6a 00 ff 76 04 6a 04 8b ce e8 08 7c 82 6e exception.instruction: cmp byte ptr [esi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6a6998 registers.esp: 111472812 registers.edi: 39723540 registers.eax: 39746216 registers.ebp: 111472836 registers.edx: 39746216 registers.ebx: 39698420 registers.esi: 0 registers.ecx: 38937356	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: 0x6a79cb 0x6a1561 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6ae9b9 registers.esp: 3140352 registers.edi: 3140392 registers.eax: 3 registers.ebp: 3140404 registers.edx: 0 registers.ebx: 39795248 registers.esi: 39933212 registers.ecx: 0	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: 0x6a1561 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x6a7aaf registers.esp: 3140412 registers.edi: 39943776 registers.eax: 0 registers.ebp: 3141688 registers.edx: 39943776 registers.ebx: 39795248 registers.esi: 0 registers.ecx: 38937356	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: 0x6a8012 0x6a1561 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 7a e6 e0 69 exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50c0646 registers.esp: 3140356 registers.edi: 0 registers.eax: 40020232 registers.ebp: 3140404 registers.edx: 40020232 registers.ebx: 40019676 registers.esi: 40019652 registers.ecx: 1857964434	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: 0x6a8559 0x6a1561 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 79 41 d8 69 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50cc96c registers.esp: 3140340 registers.edi: 3140388 registers.eax: 0 registers.ebp: 3140404 registers.edx: 3140308 registers.ebx: 39795248 registers.esi: 0 registers.ecx: 0	1
__exception__ May 19, 2021, 1:33 p.m.	stacktrace: 0x6a8709 0x6a1561 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 b6 2b d8 69 83 78 04 00 0f 84 3b 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50cdf2f registers.esp: 3140324 registers.edi: 3140388 registers.eax: 0 registers.ebp: 3140404 registers.edx: 3140292 registers.ebx: 39795248 registers.esi: 0 registers.ecx: 0	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://103.151.125.220/mastermana/black/inc/70e30b90838689.php

Performs some HTTP requests (1 event)

request

POST http://103.151.125.220/mastermana/black/inc/70e30b90838689.php

Sends data using the HTTP POST Method (1 event)

request

POST http://103.151.125.220/mastermana/black/inc/70e30b90838689.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 104 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02699000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02981000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02982000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029601a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029601c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029647ae process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029647a2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b3c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b60 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b68 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b6c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b74 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b78 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b7c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b80 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b88 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b8c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b94 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b98 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962b9c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962ba4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962ba8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bac process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bb4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bb8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bbc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bc4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bc8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bcc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bd0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bd8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bdc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962be0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962be8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02962bec process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 2208 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02983000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 region_size: 1245184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x006a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 region_size: 1703936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ca0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses May 19, 2021, 1:32 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 19, 2021, 1:32 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (2 events)

host	103.151.125.220
host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000370	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation May 19, 2021, 1:32 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

MSBuild.exe tried to sleep 16369212 seconds, actually delayed analysis time by 16369212 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÇî¢`àXîw @ À@wS0 H.textôW X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: 8Ph @ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamejoJdBBVVAxYHVBwfHBBTrncWzlTo.exe(LegalCopyright l!OriginalFilenamejoJdBBVVAxYHVBwfHBBTrncWzlTo.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: pð7 base_address: 0x0043a000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 7636 process_handle: 0x00000370	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÇî¢`àXîw @ À@wS0 H.textôW X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 7636 process_handle: 0x00000370	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW May 19, 2021, 1:33 p.m.	thread_identifier: 0 callback_function: 0x00791512 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	55968597	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 called NtSetContextThread to modify thread in remote process 7636
NtSetContextThread May 19, 2021, 1:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421614 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 7636	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

#cmd

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2208 resumed a thread in remote process 7636
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 7636	1	0	0

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x000003d0 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 2208	1	0
CreateProcessInternalW May 19, 2021, 1:32 p.m.	thread_identifier: 7400 thread_handle: 0x00000368 process_identifier: 7636 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000370	1	1
NtGetContextThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000368	1	0
NtAllocateVirtualMemory May 19, 2021, 1:32 p.m.	process_identifier: 7636 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000370	1	0
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÇî¢`àXîw @ À@wS0 H.textôW X `.rsrc0Z@@.reloc `@B base_address: 0x00400000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: base_address: 0x00402000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: 8Ph @ê4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°üStringFileInfoØ000004b0,FileDescription 0FileVersion0.0.0.0d!InternalNamejoJdBBVVAxYHVBwfHBBTrncWzlTo.exe(LegalCopyright l!OriginalFilenamejoJdBBVVAxYHVBwfHBBTrncWzlTo.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: pð7 base_address: 0x0043a000 process_identifier: 7636 process_handle: 0x00000370	1	1
WriteProcessMemory May 19, 2021, 1:32 p.m.	buffer: @ base_address: 0xfffde008 process_identifier: 7636 process_handle: 0x00000370	1	1
NtSetContextThread May 19, 2021, 1:32 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421614 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000368 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000368 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 2208	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000052c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000035c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:32 p.m.	thread_handle: 0x0000040c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:33 p.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:33 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 7636	1	0
NtResumeThread May 19, 2021, 1:33 p.m.	thread_handle: 0x00000418 suspend_count: 1 process_identifier: 7636	1	0

black.txt

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All