Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	June 2, 2021, 9:36 a.m.	June 2, 2021, 9:38 a.m.

Size	470.8KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`bf6117d4fad0497d063372f909130b52`
SHA256	`9aaebcf0df8cf361b10e071e4feec5c859dd110c2f5be32a1154442d8106f274`
CRC32	`AC4A967E`
ssdeep	`6144:mRdZLsMCMpPeJujdp6vfbRFFVLv4c1CQWhfkC9w3i8:SLsMCMpmJujd0bRFFVLv4c1CQnj`
Yara	None matched

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\22.txt.ps1
2952
- MSBuild.exe #cmd
  8780

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
103.114.107.28	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (4 events)

Time & API	Arguments	Status	Return
GetComputerNameW June 2, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW June 2, 2021, 9:36 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent June 2, 2021, 9:36 a.m.			0	0
IsDebuggerPresent June 2, 2021, 9:36 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW June 2, 2021, 9:36 a.m.	buffer: True console_handle: 0x00000013	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey June 2, 2021, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x008759b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 2, 2021, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00875070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey June 2, 2021, 9:37 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00875070 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx June 2, 2021, 9:36 a.m.		1	1	0

One or more processes crashed (7 events)

Time & API	Arguments	Status
__exception__ June 2, 2021, 9:36 a.m.	stacktrace: 0xb11760 0xb10f83 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 c3 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb11bd3 registers.esp: 3928704 registers.edi: 3928728 registers.eax: 0 registers.ebp: 3928740 registers.edx: 195 registers.ebx: 3928996 registers.esi: 38977792 registers.ecx: 0	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: system+0x6fa816 @ 0x658ea816 mscorlib+0x32de48 @ 0x6ef0de48 mscorlib+0x3022a6 @ 0x6eee22a6 mscorlib+0x32dd91 @ 0x6ef0dd91 mscorlib+0x32dc4c @ 0x6ef0dc4c mscorlib+0x32db05 @ 0x6ef0db05 mscorlib+0x32d9c8 @ 0x6ef0d9c8 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x4825c CorDllMainForThunk-0x4429f clr+0x10d2d5 @ 0x6fcad2d5 LogHelp_TerminateOnAssert+0x920d GetPrivateContextsPerfCounters-0x10235 clr+0x77d4d @ 0x6fc17d4d LogHelp_TerminateOnAssert+0x927b GetPrivateContextsPerfCounters-0x101c7 clr+0x77dbb @ 0x6fc17dbb LogHelp_TerminateOnAssert+0x9348 GetPrivateContextsPerfCounters-0x100fa clr+0x77e88 @ 0x6fc17e88 DllUnregisterServerInternal+0x22cb DllRegisterServerInternal-0x604d clr+0xc3bf @ 0x6fbac3bf DllGetClassObjectInternal+0x48208 CorDllMainForThunk-0x442f3 clr+0x10d281 @ 0x6fcad281 DllGetClassObjectInternal+0x48159 CorDllMainForThunk-0x443a2 clr+0x10d1d2 @ 0x6fcad1d2 DllGetClassObjectInternal+0x47f09 CorDllMainForThunk-0x445f2 clr+0x10cf82 @ 0x6fcacf82 DllGetClassObjectInternal+0x2a4d4 CorDllMainForThunk-0x62027 clr+0xef54d @ 0x6fc8f54d DllGetClassObjectInternal+0x55056 CorDllMainForThunk-0x374a5 clr+0x11a0cf @ 0x6fcba0cf BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x757333ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 06 6a 00 ff 76 04 6a 04 8b ce e8 28 77 3b 6e exception.instruction: cmp byte ptr [esi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb16e78 registers.esp: 104853356 registers.edi: 39198792 registers.eax: 39221424 registers.ebp: 104853380 registers.edx: 39221424 registers.ebx: 39174132 registers.esi: 0 registers.ecx: 38413068	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: 0xb17cd8 0xb114f1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 e1 ab b8 69 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c5f04 registers.esp: 3927484 registers.edi: 3927532 registers.eax: 0 registers.ebp: 3927548 registers.edx: 3927452 registers.ebx: 39172548 registers.esi: 39223364 registers.ecx: 0	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: 0xb17dec 0xb114f1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 1e 8b b8 69 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c7fc7 registers.esp: 3927468 registers.edi: 3927532 registers.eax: 0 registers.ebp: 3927548 registers.edx: 3927436 registers.ebx: 39172548 registers.esi: 39223364 registers.ecx: 0	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: 0xb17f4c 0xb114f1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52c8859 registers.esp: 3927496 registers.edi: 3927536 registers.eax: 3 registers.ebp: 3927548 registers.edx: 0 registers.ebx: 39172548 registers.esi: 39641376 registers.ecx: 0	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: 0xb114f1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 78 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [eax + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xb18036 registers.esp: 3927556 registers.edi: 39652132 registers.eax: 0 registers.ebp: 3928776 registers.edx: 39652132 registers.ebx: 39172548 registers.esi: 0 registers.ecx: 38413068	1
__exception__ June 2, 2021, 9:37 a.m.	stacktrace: 0xb184af 0xb114f1 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7387f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 9a 35 c0 69 exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x52cb726 registers.esp: 3927500 registers.edi: 0 registers.eax: 39672720 registers.ebp: 3927548 registers.edx: 39672720 registers.ebx: 39672164 registers.esi: 39672140 registers.ecx: 1857964434	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header, Connection to IP address

suspicious_request

POST http://103.114.107.28/me/web22/inc/4e9ab3daa297f6.php

Performs some HTTP requests (1 event)

request

POST http://103.114.107.28/me/web22/inc/4e9ab3daa297f6.php

Sends data using the HTTP POST Method (1 event)

request

POST http://103.114.107.28/me/web22/inc/4e9ab3daa297f6.php

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0274f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02659000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0265a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049801a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049801c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049847ae process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049847a2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04980208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b3c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b60 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b68 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b6c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b74 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b78 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b7c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b80 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b88 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b8c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b94 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b98 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982b9c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982ba4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982ba8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bac process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bb4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bb8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bbc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bc4 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bc8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bcc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bd0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bd8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bdc process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982be0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982be8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04982bec process_handle: 0xffffffff		3221225550
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 2952 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x049a3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ad0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x022b0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

Symantec	ML.Attribute.HighConfidence
Kaspersky	HEUR:Trojan.PowerShell.Generic
ZoneAlarm	HEUR:Trojan.PowerShell.Generic

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses June 2, 2021, 9:36 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW June 2, 2021, 9:36 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (11 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Communicates with host for which no DNS query was performed (2 events)

host	103.114.107.28
host	172.217.25.14

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000374	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation June 2, 2021, 9:36 a.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

MSBuild.exe tried to sleep 16369212 seconds, actually delayed analysis time by 16369212 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚµ«`àV^u @ À@uS H.textdU V `.rsrc X@@.reloc \@B base_address: 0x00400000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: 0HXÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameDIUPvZUjQojWjfYHYPfJTcIDFrrHspVsTzlaVcN.exe(LegalCopyright ,OriginalFilenameDIUPvZUjQojWjfYHYPfJTcIDFrrHspVsTzlaVcN.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: p`5 base_address: 0x0043a000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 8780 process_handle: 0x00000374	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚµ«`àV^u @ À@uS H.textdU V `.rsrc X@@.reloc \@B base_address: 0x00400000 process_identifier: 8780 process_handle: 0x00000374	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExW June 2, 2021, 9:37 a.m.	thread_identifier: 0 callback_function: 0x00ad1512 hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	44630671	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2952 called NtSetContextThread to modify thread in remote process 8780
NtSetContextThread June 2, 2021, 9:36 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420958 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000370 process_identifier: 8780	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

#cmd

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2952 resumed a thread in remote process 8780
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 8780	1	0	0

Executed a process and injected code into it, probably while unpacking (26 events)

Time & API	Arguments	Status	Return
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x000003d4 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x0000036c suspend_count: 1 process_identifier: 2952	1	0
CreateProcessInternalW June 2, 2021, 9:36 a.m.	thread_identifier: 6096 thread_handle: 0x00000370 process_identifier: 8780 current_directory: filepath: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe track: 1 command_line: #cmd filepath_r: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000374	1	1
NtGetContextThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000370	1	0
NtAllocateVirtualMemory June 2, 2021, 9:36 a.m.	process_identifier: 8780 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000374	1	0
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELÚµ«`àV^u @ À@uS H.textdU V `.rsrc X@@.reloc \@B base_address: 0x00400000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: base_address: 0x00402000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: 0HXÄÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameDIUPvZUjQojWjfYHYPfJTcIDFrrHspVsTzlaVcN.exe(LegalCopyright ,OriginalFilenameDIUPvZUjQojWjfYHYPfJTcIDFrrHspVsTzlaVcN.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0 base_address: 0x00438000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: p`5 base_address: 0x0043a000 process_identifier: 8780 process_handle: 0x00000374	1	1
WriteProcessMemory June 2, 2021, 9:36 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 8780 process_handle: 0x00000374	1	1
NtSetContextThread June 2, 2021, 9:36 a.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4420958 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000370 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000370 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 2952	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000194 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000320 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000340 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x000003a4 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000534 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:36 a.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:37 a.m.	thread_handle: 0x0000034c suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:37 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 8780	1	0
NtResumeThread June 2, 2021, 9:37 a.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 8780	1	0

22.txt.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All