Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	Feb. 28, 2025, 9:52 a.m.	Feb. 28, 2025, 10:06 a.m.

Size	350.5KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`b60779fb424958088a559fdfd6f535c2`
SHA256	`098c4fe0de1df5b46cf4c825e8eba1893138c751968fcf9fe009a6991e9b1221`
CRC32	`7A42438E`
ssdeep	`6144:eB2ofI2u6ukzPZnu3eb+JZAZBefgAvVGfvu5fp4Dcl/OMeNfsrjDM:eB2of9uNKPZnu3eqJS+fg4Q+5f2olRen`
Yara	Malicious_Library_Zero - Malicious_Library PE_Header_Zero - PE File Signature Is_DotNET_EXE - (no description) IsPE32 - (no description)

mAtJWNv.exe "C:\Users\test22\AppData\Local\Temp\mAtJWNv.exe"
2544

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Feb. 28, 2025, 9:52 a.m.			0	0
IsDebuggerPresent Feb. 28, 2025, 9:52 a.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Feb. 28, 2025, 9:52 a.m.		1	1	0

The executable contains unknown PE section names indicative of a packer (could be a false positive) (1 event)

section

.css

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ Feb. 28, 2025, 9:52 a.m.	stacktrace: exception.instruction_r: 8b 31 85 f6 eb 08 8d bd d5 04 00 00 eb 12 64 8b exception.instruction: mov esi, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x24bd9b0 registers.esp: 3994296 registers.edi: 38524725 registers.eax: 1968967741 registers.ebp: 38524588 registers.edx: 38524827 registers.ebx: 0 registers.esi: 2939456477 registers.ecx: 2977981689	1	0	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Allocates read-write-execute memory (usually to unpack itself) (26 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00790000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00970000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 2031616 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00d30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00ee0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00402000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00920000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0043b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00437000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00435000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0040a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0041d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00921000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00922000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 40960 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00923000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0092f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0042a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00427000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00931000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2544 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024bd000 process_handle: 0xffffffff	1

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00024e00', u'virtual_address': u'0x0003a000', u'entropy': 7.997197232460732, u'name': u'.css', u'virtual_size': u'0x00024c28'}

entropy

7.99719723246

description

A section with a high entropy has been found

entropy

0.422031473534

description

Overall entropy of this PE file is high

Potentially malicious URLs were found in the process memory dump (4 events)

url	https://t.me/l793oy
url	https://5.75.210.149/
url	http://localhost
url	https://steamcommunity.com/profiles/76561199829660832

Yara rule detected in process memory (19 events)

description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	ftp clients info stealer	rule	infoStealer_ftpClients_Zero
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Win32 PWS Loki	rule	Win32_PWS_Loki_m_Zero

Allocates execute permission to another process indicative of possible code injection (1 event)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2616 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f8	1	0	0

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 manipulating memory of non-child process 2616
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2616 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f8	1	0	0

Potential code injection by writing to the memory of another process (6 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 injected into non-child 2616
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨&(&ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2616 process_handle: 0x000001f8	1	1	0
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: ÝÏA base_address: 0x00425000 process_identifier: 2616 process_handle: 0x000001f8	1	1	0
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: ó@ base_address: 0x00426000 process_identifier: 2616 process_handle: 0x000001f8	1	1	0
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: 0 H`pC<?xml version="1.0" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false'/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00427000 process_identifier: 2616 process_handle: 0x000001f8	1	1	0
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2616 process_handle: 0x000001f8	1	1	0

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 injected into non-child 2616
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨&(&ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2616 process_handle: 0x000001f8	1	1	0

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 called NtSetContextThread to modify thread in remote process 2616
NtSetContextThread Feb. 28, 2025, 9:52 a.m.	registers.eip: 1995571652 registers.esp: 3800948 registers.edi: 0 registers.eax: 4289040 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2616	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	https://5.75.210.149/

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2544 resumed a thread in remote process 2616
NtResumeThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2616	1	0	0

File has been identified by 29 AntiVirus engines on VirusTotal as malicious (29 events)

Lionic	Trojan.Win32.Generic.4!c
Skyhigh	BehavesLike.Win32.Generic.fc
Cylance	Unsafe
Sangfor	Suspicious.Win32.Save.pkr
CrowdStrike	win/malicious_confidence_100% (D)
VirIT	Trojan.Win32.MSIL_Heur.A
Symantec	ML.Attribute.HighConfidence
Elastic	malicious (high confidence)
APEX	Malicious
Avast	PWSX-gen [Trj]
ClamAV	Win.Packed.Zusy-10023527-0
Kaspersky	UDS:DangerousObject.Multi.Generic
Rising	Trojan.Agent!8.B1E (CLOUD)
McAfeeD	Real Protect-LS!B60779FB4249
Trapmine	suspicious.low.ml.score
Sophos	Mal/Generic-S
SentinelOne	Static AI - Malicious PE
FireEye	Generic.mg.b60779fb42495808
Google	Detected
Antiy-AVL	RiskWare[Obfuscator]/MSIL.Reactor.a
Kingsoft	malware.kb.c.996
Microsoft	Trojan:Win32/Wacatac.B!ml
AhnLab-V3	Trojan/Win.Generic.C5720127
McAfee	Artemis!B60779FB4249
DeepInstinct	MALICIOUS
Malwarebytes	MachineLearning/Anomalous.100%
Ikarus	Trojan.MSIL.Agent
huorong	Trojan/MSIL.Agent.vl
AVG	PWSX-gen [Trj]

Executed a process and injected code into it, probably while unpacking (17 events)

Time & API	Arguments	Status	Return
NtResumeThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2544	1	0
CreateProcessInternalW Feb. 28, 2025, 9:52 a.m.	thread_identifier: 2620 thread_handle: 0x000001f4 process_identifier: 2616 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\mAtJWNv.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\mAtJWNv.exe stack_pivoted: 0 creation_flags: 4 (CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000001f8	1	1
NtGetContextThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x000001f4	1	0
NtAllocateVirtualMemory Feb. 28, 2025, 9:52 a.m.	process_identifier: 2616 region_size: 167936 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000001f8	1	0
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: MZx@xº´ Í!¸LÍ!This program cannot be run in DOS mode.$PELú»gàÂ`r@hþ@p¨&(&ÐìÀxÐ.text¾ÀÂ `.rdataÀ1à2Æ@@.data` ø@À.00cfgP@@.CRT`@@.rsrc¨p@@.relocÐ@B base_address: 0x00400000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: base_address: 0x00401000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: base_address: 0x0041e000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: base_address: 0x00422000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: ÝÏA base_address: 0x00425000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: ó@ base_address: 0x00426000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: 0 H`pC<?xml version="1.0" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <trustInfo> <security> <requestedPrivileges> <requestedExecutionLevel level='asInvoker' uiAccess='false'/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00427000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: base_address: 0x00428000 process_identifier: 2616 process_handle: 0x000001f8	1	1
WriteProcessMemory Feb. 28, 2025, 9:52 a.m.	buffer: @ base_address: 0xfffde008 process_identifier: 2616 process_handle: 0x000001f8	1	1
NtSetContextThread Feb. 28, 2025, 9:52 a.m.	registers.eip: 1995571652 registers.esp: 3800948 registers.edi: 0 registers.eax: 4289040 registers.ebp: 0 registers.edx: 0 registers.ebx: -139264 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000001f4 process_identifier: 2616	1	0
NtResumeThread Feb. 28, 2025, 9:52 a.m.	thread_handle: 0x000001f4 suspend_count: 1 process_identifier: 2616	1	0

mAtJWNv.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All