Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 16, 2021, 12:58 p.m.	Oct. 16, 2021, 1:01 p.m.

Size	802.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`c3e635b8e9d4fea44f5c5f9aee4edb3f`
SHA256	`88054d668bc049dd1cb7266182e9ad706c98d313eafecfcbe8b88e5b7ec2a1f0`
CRC32	`8C83EE1A`
ssdeep	`12288:cvf3gaILPlBBVN9rZLH/1FRhpKW+yo19N0Nb:uIjl7drBH/DRjKdCN`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Is_DotNET_EXE - (no description) UPX_Zero - UPX packed file Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT Win32_Trojan_PWS_Net_1_Zero - Win32 Trojan PWS .NET Azorult

Deposit Payment.exe "C:\Users\test22\AppData\Local\Temp\Deposit Payment.exe"
360
- schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp"
  2316
- Deposit Payment.exe "{path}"
  1784

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 16, 2021, 12:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 12:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 12:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 12:59 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 16, 2021, 12:59 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (4 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 16, 2021, 12:58 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 12:58 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 12:59 p.m.			0	0
IsDebuggerPresent Oct. 16, 2021, 12:59 p.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW Oct. 16, 2021, 12:59 p.m.	buffer: SUCCESS: The scheduled task "Updates\aViBmffaUlCax" has successfully been created. console_handle: 0x00000007	1	1	0

Uses Windows APIs to generate a cryptographic key (3 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 16, 2021, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520fa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 16, 2021, 1 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00520be0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 16, 2021, 12:58 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Oct. 16, 2021, 12:59 p.m.	stacktrace: 0xdb17e0 0xdb100b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 43 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0xdb1c53 registers.esp: 2749360 registers.edi: 2749384 registers.eax: 0 registers.ebp: 2749396 registers.edx: 195 registers.ebx: 2749652 registers.esi: 36999360 registers.ecx: 0	1	0	0
__exception__ Oct. 16, 2021, 1 p.m.	stacktrace: 0xdb6cbc 0xdb156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 8a 50 b0 6c exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x5329c36 registers.esp: 2748388 registers.edi: 0 registers.eax: 37721220 registers.ebp: 2748436 registers.edx: 37721220 registers.ebx: 37720664 registers.esi: 37720640 registers.ecx: 1907640722	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Oct. 16, 2021, 12:59 p.m.

stacktrace:

0xdb17e0
0xdb100b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 43 d7
exception.instruction: mov eax, dword ptr [ecx]
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0xdb1c53
registers.esp: 2749360
registers.edi: 2749384
registers.eax: 0
registers.ebp: 2749396
registers.edx: 195
registers.ebx: 2749652
registers.esi: 36999360
registers.ecx: 0

__exception__

Oct. 16, 2021, 1 p.m.

stacktrace:

0xdb6cbc
0xdb156a
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72b02652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x72b1264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72b12e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x72bc74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x72bc7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72c51dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72c51e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72c51f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x72c5416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7405f5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x74d37f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x74d34de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77b19ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77b19ea5

exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 8a 50 b0 6c
exception.instruction: cmp byte ptr [edi], al
exception.exception_code: 0xc0000005
exception.symbol:
exception.address: 0x5329c36
registers.esp: 2748388
registers.edi: 0
registers.eax: 37721220
registers.ebp: 2748436
registers.edx: 37721220
registers.ebx: 37720664
registers.esi: 37720640
registers.ecx: 1907640722

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (50 out of 136 events)

Time & API	Arguments	Status	Return
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00340000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a1000 process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x731a2000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00520000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00415000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00417000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00407000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 327680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef58000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x7ef40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00406000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x70062000 process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:58 p.m.	process_identifier: 360 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a25000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a27000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a9f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04a90000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00a2f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f53000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f54000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f55000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04f57000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1	0
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05600178 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056001a0 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x056001c8 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0567c7de process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 11 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0567c7d2 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 72 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05600208 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05648318 process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0564833c process_handle: 0xffffffff		3221225550
NtProtectVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05648344 process_handle: 0xffffffff		3221225550

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Roaming\aViBmffaUlCax.exe

Creates a suspicious process (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp"
cmdline	schtasks.exe /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Roaming\aViBmffaUlCax.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Oct. 16, 2021, 12:59 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp" filepath: schtasks.exe	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x000a3a00', u'virtual_address': u'0x00002000', u'entropy': 7.163111919976913, u'name': u'.text', u'virtual_size': u'0x000a38d0'}

entropy

7.16311191998

description

A section with a high entropy has been found

entropy

0.81608478803

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 16, 2021, 12:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW Oct. 16, 2021, 12:59 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (10 events)

description	Communications smtp	rule	Network_SMTP_dotNet
description	Run a KeyLogger	rule	KeyLogger
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp"
cmdline	schtasks.exe /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp"

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 1784 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 16, 2021, 12:59 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

Deposit Payment.exe tried to sleep 10912883 seconds, actually delayed analysis time by 10912883 seconds

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\oopxV

reg_value

C:\Users\test22\AppData\Roaming\oopxV\oopxV.exe

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp

Harvests credentials from local FTP client softwares (1 event)

file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñeaàPnn @ À@nSH H.texttN P `.rsrcHR@@.reloc X@B base_address: 0x00400000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: 8Ph ´Xê´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNameVfqhSVFqRsVSmkhuKotvgSUVYVqLykkIlDk.exe(LegalCopyright x(OriginalFilenameVfqhSVFqRsVSmkhuKotvgSUVYVqLykkIlDk.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: `p> base_address: 0x0043a000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1784 process_handle: 0x000003ac	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñeaàPnn @ À@nSH H.texttN P `.rsrcHR@@.reloc X@B base_address: 0x00400000 process_identifier: 1784 process_handle: 0x000003ac	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 360 called NtSetContextThread to modify thread in remote process 1784
NtSetContextThread Oct. 16, 2021, 12:59 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4419182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b0 process_identifier: 1784	1	0	0

Attempts to remove evidence of file being downloaded from the Internet (1 event)

file	C:\Users\test22\AppData\Roaming\oopxV\oopxV.exe:Zone.Identifier

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 360 resumed a thread in remote process 1784
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 1784	1	0	0

Executed a process and injected code into it, probably while unpacking (32 events)

Time & API	Arguments	Status	Return
NtResumeThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 360	1	0
NtResumeThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 360	1	0
NtResumeThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 360	1	0
NtResumeThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 360	1	0
NtGetContextThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 16, 2021, 12:58 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 360	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x00000288 suspend_count: 1 process_identifier: 360	1	0
NtGetContextThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 360	1	0
CreateProcessInternalW Oct. 16, 2021, 12:59 p.m.	thread_identifier: 2544 thread_handle: 0x00000430 process_identifier: 2316 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aViBmffaUlCax" /XML "C:\Users\test22\AppData\Local\Temp\tmpF5F2.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000438	1	1
CreateProcessInternalW Oct. 16, 2021, 12:59 p.m.	thread_identifier: 1624 thread_handle: 0x000003b0 process_identifier: 1784 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\Deposit Payment.exe track: 1 command_line: "{path}" filepath_r: C:\Users\test22\AppData\Local\Temp\Deposit Payment.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003ac	1	1
NtGetContextThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000003b0	1	0
NtAllocateVirtualMemory Oct. 16, 2021, 12:59 p.m.	process_identifier: 1784 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003ac	1	0
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELñeaàPnn @ À@nSH H.texttN P `.rsrcHR@@.reloc X@B base_address: 0x00400000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: base_address: 0x00402000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: 8Ph ´Xê´4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°StringFileInfoð000004b0,FileDescription 0FileVersion0.0.0.0p(InternalNameVfqhSVFqRsVSmkhuKotvgSUVYVqLykkIlDk.exe(LegalCopyright x(OriginalFilenameVfqhSVFqRsVSmkhuKotvgSUVYVqLykkIlDk.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: `p> base_address: 0x0043a000 process_identifier: 1784 process_handle: 0x000003ac	1	1
WriteProcessMemory Oct. 16, 2021, 12:59 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1784 process_handle: 0x000003ac	1	1
NtSetContextThread Oct. 16, 2021, 12:59 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4419182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003b0 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000003b0 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x00000424 suspend_count: 1 process_identifier: 360	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x0000019c suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x00000314 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x0000039c suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 12:59 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 1 p.m.	thread_handle: 0x00000350 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 1 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 1784	1	0
NtResumeThread Oct. 16, 2021, 1 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 1784	1	0

Deposit Payment.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All