Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Jan. 13, 2022, 2:29 p.m.	Jan. 13, 2022, 2:31 p.m.

Size	3.7MB
Type	PE32 executable (DLL) (console) Intel 80386, for MS Windows
MD5	`131e44350f5385da5709499eca72e62b`
SHA256	`acae4043770a4a0410ce193c20b114acbf61abdc38ce1b25d25e7babaa1fab42`
CRC32	`5FD779BD`
ssdeep	`49152:XO14I8DxeTklSScVOmAQZbQA5SePbvDLpRuU+70AXVC/0uE3a6+LyZECFSWlm:XOOdfDcVVjvDLk70MVTuEq6++`
PDB Path	jscript9.pdb
Yara	Malicious_Packer_Zero - Malicious Packer PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware IsPE32 - (no description) Win32_Trojan_Gen_2_0904B0_Zero - Win32 Trojan Gen Malicious_Library_Zero - Malicious_Library IsDLL - (no description) UPX_Zero - UPX packed file IAmTheKing_Family - IAmTheKing Family Win32_Trojan_Gen_1_0904B0_Zero - Win32 Trojan Emotet

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,DllCanUnloadNow
2100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,DllRegisterServer
2304
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,DllUnregisterServer
2412
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,DllGetClassObject
1336
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsAddRef
2568
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsBoolToBoolean
2504
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsBooleanToBool
2876
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCallFunction
2176
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCollectGarbage
2312
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsConstructObject
1088
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsConvertValueToBoolean
2968
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsConvertValueToNumber
2232
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsConvertValueToObject
2424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsConvertValueToString
1860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateArray
2776
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateContext
1340
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateError
2488
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateExternalObject
2716
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateExternalType
3136
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateFunction
3236
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateObject
3356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateRangeError
3480
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateReferenceError
3612
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateRuntime
3728
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateSyntaxError
3824
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateTypeError
3948
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateTypedExternalObject
4048
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsCreateURIError
3124
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDefineProperty
3260
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDeleteIndexedProperty
3444
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDeleteProperty
3632
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDisableRuntimeExecution
3640
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDisposeRuntime
3932
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsDoubleToNumber
2468
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsEnableRuntimeExecution
3216
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsEnumerateHeap
3492
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsEquals
3772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetAndClearException
3920
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetCurrentContext
3980
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetDefaultTypeDescription
3464
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetExtensionAllowed
3880
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetExternalData
3352
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetExternalType
3272
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetFalseValue
3684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetGlobalObject
3512
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetIndexedProperty
3296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetNullValue
3456
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetOwnPropertyDescriptor
4172
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetOwnPropertyNames
4296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetProperty
4416
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetPropertyIdFromName
4548
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetPropertyNameFromId
4668
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetPrototype
4764
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetRuntime
4860
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetRuntimeMemoryLimit
4988
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetRuntimeMemoryUsage
5104
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetStringLength
4188
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetTrueValue
4356
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetUndefinedValue
4520
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsGetValueType
4612
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsHasException
4876
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsHasExternalData
5004
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsHasIndexedProperty
4996
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsHasProperty
4412
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsIdle
4648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsIntToNumber
4888
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsIsEnumeratingHeap
3712
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsIsRuntimeExecutionDisabled
4288
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsNumberToDouble
4784
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsParseScript
5100
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsParseSerializedScript
4544
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsPointerToString
4116
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsPreventExtension
4800
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsRelease
4180
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsRunScript
4896
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsRunSerializedScript
5184
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSerializeScript
5308
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetCurrentContext
5424
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetException
5524
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetExternalData
5648
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetIndexedProperty
5772
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetProperty
5872
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetPrototype
5996
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetRuntimeBeforeCollectCallback
6120
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetRuntimeMemoryAllocationCallback
5196
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsSetRuntimeMemoryLimit
5368
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsStartDebugging
5600
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsStartProfiling
5684
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsStopProfiling
5844
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsStrictEquals
6044
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsStringToPointer
5160
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsValueToVariant
5472
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsVarAddRef
5768
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsVarRelease
6060
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsVarToExtension
5292
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsVarToScriptDirect
5580
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,JsVariantToValue
6020
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\jscript9.dll,
5176

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

This executable has a PDB path (1 event)

pdb_path

jscript9.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Jan. 13, 2022, 2:02 p.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.didat

The file contains an unknown PE resource name possibly indicative of a packer (2 events)

resource name	MUI
resource name	WEVT_TEMPLATE

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Jan. 13, 2022, 2:02 p.m.	stacktrace: CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75e8d08c TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75e8964b TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75e74d6b TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75e76f7c CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75e7e825 TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75e76002 TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75e75fe8 TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75e749e3 TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75e75a20 RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77869a91 LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77888f10 RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77888e5c ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75097a25 rundll32+0x135c @ 0xe0135c rundll32+0x1901 @ 0xe01901 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5 exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25 exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4 exception.instruction: call dword ptr [ecx + 0xc] exception.module: MSCTF.dll exception.exception_code: 0xc0000005 exception.offset: 278260 exception.address: 0x75ea3ef4 registers.esp: 2685332 registers.edi: 0 registers.eax: 14611040 registers.ebp: 2685360 registers.edx: 1 registers.ebx: 0 registers.esi: 6022832 registers.ecx: 1948989140	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Jan. 13, 2022, 2:02 p.m.

stacktrace:

CtfImeIsIME+0x36fd DllUnregisterServer-0xf9d9 msctf+0x2d08c @ 0x75e8d08c
TF_GetGlobalCompartment+0x3dfd CtfImeIsIME-0x344 msctf+0x2964b @ 0x75e8964b
TF_GetInputScope+0xf65 CtfImeDestroyThreadMgr-0x25ae msctf+0x14d6b @ 0x75e74d6b
TF_GetInputScope+0x3176 CtfImeDestroyThreadMgr-0x39d msctf+0x16f7c @ 0x75e76f7c
CtfImeDestroyInputContext+0x280 TF_CanUninitialize-0x1c msctf+0x1e825 @ 0x75e7e825
TF_GetInputScope+0x21fc CtfImeDestroyThreadMgr-0x1317 msctf+0x16002 @ 0x75e76002
TF_GetInputScope+0x21e2 CtfImeDestroyThreadMgr-0x1331 msctf+0x15fe8 @ 0x75e75fe8
TF_GetInputScope+0xbdd CtfImeDestroyThreadMgr-0x2936 msctf+0x149e3 @ 0x75e749e3
TF_GetInputScope+0x1c1a CtfImeDestroyThreadMgr-0x18f9 msctf+0x15a20 @ 0x75e75a20
RtlIsCurrentThreadAttachExempt+0x5f TpCheckTerminateWorker-0x37 ntdll+0x39a91 @ 0x77869a91
LdrShutdownProcess+0x97 RtlDetectHeapLeaks-0x1bb ntdll+0x58f10 @ 0x77888f10
RtlExitUserProcess+0x74 LdrShutdownProcess-0x1d ntdll+0x58e5c @ 0x77888e5c
ExitProcess+0x15 TerminateThread-0xa kernel32+0x17a25 @ 0x75097a25
rundll32+0x135c @ 0xe0135c
rundll32+0x1901 @ 0xe01901
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x750933ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77869ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77869ea5

exception.instruction_r: ff 51 0c 8b 45 fc 89 be 8c 04 00 00 3b c7 74 25
exception.symbol: TF_GetCompatibleKeyboardLayout+0x5885 TF_IsCtfmonRunning-0xfd3 msctf+0x43ef4
exception.instruction: call dword ptr [ecx + 0xc]
exception.module: MSCTF.dll
exception.exception_code: 0xc0000005
exception.offset: 278260
exception.address: 0x75ea3ef4
registers.esp: 2685332
registers.edi: 0
registers.eax: 14611040
registers.ebp: 2685360
registers.edx: 1
registers.ebx: 0
registers.esi: 6022832
registers.ecx: 1948989140

Allocates read-write-execute memory (usually to unpack itself) (50 out of 82 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2412 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2568 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2312 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 1088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 1088 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2232 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 1860 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2776 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 2716 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3136 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3356 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3480 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3948 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3124 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3444 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3632 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3640 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3932 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3464 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3512 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 3456 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4172 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4296 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Jan. 13, 2022, 2:02 p.m.	process_identifier: 4668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74283000 process_handle: 0xffffffff	1

jscript9.dll

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All