Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 16, 2021, 6:19 p.m.	March 16, 2021, 6:22 p.m.

Size	2.5MB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`39ad30ee42bfa03acd48190dcb8c068c`
SHA256	`88452c1c250adeb17561ab1a1128e526db7aa7f9b7a0d04c283ca7f7e15bc79b`
CRC32	`3E467407`
ssdeep	`24576:i+N28mcqWWrWWe4rEVJNawmNuWG3yEeujvfcpGhNWYXgyT5Xu:i+N3mCWr6VNaKMEfTfcpGrvgiX`
Yara	PE_Header_Zero - PE File Signature Zero IsPE32 - (no description) IsNET_EXE - (no description) IsWindowsGUI - (no description) IsPacked - Entropy Check

IMG_70_36_361.pdf "C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf"
656
- Powershell.exe "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'
  3236
- IMG_70_36_361.pdf "C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf"
  3800

Name	Response	Post-Analysis Lookup
edgedl.gvt1.com	A 142.250.34.2	142.250.34.2

IP Address	Status	Action
142.250.34.2	Active	Moloch
164.124.101.2	Active	Moloch
172.217.25.14	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49814 -> 216.58.200.3:443	906200022	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49814 216.58.200.3:443	C=US, O=Google Trust Services, CN=GTS CA 1O1	C=US, ST=California, L=Mountain View, O=Google LLC, CN=upload.video.google.com	3a:64:d0:6c:61:07:6b:6b:27:d2:ca:a4:29:2c:fe:46:60:2e:51:1c

Queries for the computername (10 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 16, 2021, 6:19 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (5 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 16, 2021, 6:19 p.m.			0	0
IsDebuggerPresent March 16, 2021, 6:19 p.m.			0	0
IsDebuggerPresent March 16, 2021, 6:19 p.m.			0	0
IsDebuggerPresent March 16, 2021, 6:19 p.m.			0	0
IsDebuggerPresent March 16, 2021, 6:19 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (45 events)

Time & API	Arguments	Status	Return
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba600 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baf00 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003baa80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba6c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003babc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba280 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x003ba780 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1410 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 16, 2021, 6:21 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x008d1090 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 16, 2021, 6:19 p.m.		1	1	0

One or more processes crashed (6 events)

Time & API	Arguments	Status
__exception__ March 16, 2021, 6:19 p.m.	stacktrace: 0x7517e0 0x75100b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 28 ff 10 89 45 e0 8b 4d dc e8 43 d7 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x751c53 registers.esp: 3206704 registers.edi: 3206728 registers.eax: 0 registers.ebp: 3206740 registers.edx: 195 registers.ebx: 3206996 registers.esi: 41238440 registers.ecx: 0	1
__exception__ March 16, 2021, 6:21 p.m.	stacktrace: 0x756534 0x75156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 8e 23 6f 6e 83 78 04 00 0f 84 3c 02 00 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x75e757 registers.esp: 3205420 registers.edi: 3205484 registers.eax: 0 registers.ebp: 3205500 registers.edx: 3205388 registers.ebx: 41400724 registers.esi: 41402924 registers.ecx: 0	1
__exception__ March 16, 2021, 6:21 p.m.	stacktrace: 0x75668b 0x75156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 8b 01 8b 40 2c ff 50 14 38 00 89 45 cc e9 85 00 exception.instruction: mov eax, dword ptr [ecx] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50f0c09 registers.esp: 3205448 registers.edi: 3205488 registers.eax: 3 registers.ebp: 3205500 registers.edx: 0 registers.ebx: 41400724 registers.esi: 41596792 registers.ecx: 0	1
__exception__ March 16, 2021, 6:21 p.m.	stacktrace: 0x75156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 83 7b 04 01 0f 9f c0 0f b6 c0 83 7f 04 01 0f 9f exception.instruction: cmp dword ptr [ebx + 4], 1 exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x75676b registers.esp: 3205508 registers.edi: 41607356 registers.eax: 41607356 registers.ebp: 3206776 registers.edx: 41607356 registers.ebx: 0 registers.esi: 0 registers.ecx: 40706568	1
__exception__ March 16, 2021, 6:21 p.m.	stacktrace: 0x756c50 0x75156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 39 09 e8 41 dc d5 69 89 45 c8 33 d2 89 55 dc 83 exception.instruction: cmp dword ptr [ecx], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50f2ea4 registers.esp: 3205436 registers.edi: 3205484 registers.eax: 0 registers.ebp: 3205500 registers.edx: 3205404 registers.ebx: 0 registers.esi: 0 registers.ecx: 0	1
__exception__ March 16, 2021, 6:21 p.m.	stacktrace: 0x756d28 0x75156a DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x6fba2652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x6fbb264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x6fbb2e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x6fc674ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x6fc67610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x6fcf1dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x6fcf1e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x6fcf1f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x6fcf416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x7443f5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x744b7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x744b4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x773d9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x773d9ea5 exception.instruction_r: 38 07 68 ff ff ff 7f 6a 00 8b cf e8 5a b1 dd 69 exception.instruction: cmp byte ptr [edi], al exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x50f3b66 registers.esp: 3205452 registers.edi: 0 registers.eax: 41674456 registers.ebp: 3205500 registers.edx: 41674456 registers.ebx: 41673900 registers.esi: 41673876 registers.ecx: 1857964434	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

POST method with no referer header

suspicious_request

POST https://update.googleapis.com/service/update2?cup2key=10:2515603518&cup2hreq=77bb11fb65419392495407f2143536a7f83fa7d88eef4146583fe0a7d0495a16

Performs some HTTP requests (2 events)

request	HEAD http://edgedl.gvt1.com/edgedl/release2/update2/ALmnr7lDhOvozdF08iOk7Ks_1.3.36.72/GoogleUpdateSetup.exe
request	POST https://update.googleapis.com/service/update2?cup2key=10:2515603518&cup2hreq=77bb11fb65419392495407f2143536a7f83fa7d88eef4146583fe0a7d0495a16

Sends data using the HTTP POST Method (1 event)

request

POST https://update.googleapis.com/service/update2?cup2key=10:2515603518&cup2hreq=77bb11fb65419392495407f2143536a7f83fa7d88eef4146583fe0a7d0495a16

Allocates read-write-execute memory (usually to unpack itself) (50 out of 213 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 1179648 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00560000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6fba2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 1835008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02640000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00382000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0038a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003aa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x003a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73772000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 24576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0039d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0246f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02460000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 656 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x004dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 2228224 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a50000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x63971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x63972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02712000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a51000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a52000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02713000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02714000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0278b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02787000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0270b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02785000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02715000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02716000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3236 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0278c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Steals private information from local Internet browsers (6 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\
file	C:\Users\test22\AppData\Local\Chromium\User Data
file	C:\Users\test22\AppData\Local\MapleStudio\ChromePlus\User Data
file	C:\Users\test22\AppData\Local\Yandex\YandexBrowser\User Data

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (1 event)

cmdline

"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW March 16, 2021, 6:19 p.m.	thread_identifier: 7032 thread_handle: 0x00000284 process_identifier: 3236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1	0

The binary likely contains encrypted or compressed data indicative of a packer (2 events)

section

{u'size_of_data': u'0x00272c00', u'virtual_address': u'0x00002000', u'entropy': 7.501957465746285, u'name': u'.text', u'virtual_size': u'0x00272b34'}

entropy

7.50195746575

description

A section with a high entropy has been found

entropy

0.973403222675

description

Overall entropy of this PE file is high

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 16, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 16, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 16, 2021, 6:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Potentially malicious URLs were found in the process memory dump (50 out of 516 events)

url	http://go2.microsoft.com/fwlink/?LinkId=131738
url	http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
url	http://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
url	http://microsoft.com0
url	http://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
url	http://www.microsoft.com/pkiops/docs/primarycps.htm0
url	http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
url	http://beta.visualstudio.net/net/sdk/feedback.asp
url	http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
url	http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
url	http://www.microsoft.com/PKI/docs/CPS/default.htm0
url	http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
url	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
url	http://crl.comodo.net/TrustedCertificateServices.crl0
url	http://users.ocsp.d-trust.net03
url	http://crl.ssc.lt/root-b/cacrl.crl0
url	http://crl.securetrust.com/STCA.crl0
url	http://crl.securetrust.com/SGCA.crl0
url	http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
url	http://www.ssc.lt/cps03
url	http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
url	http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
url	http://www.microsoft.com/pki/certs/TrustListPCA.crt0
url	https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
url	http://www.pkioverheid.nl/policies/root-policy0
url	http://cps.chambersign.org/cps/chambersroot.html0
url	http://www.e-szigno.hu/SZSZ/0
url	http://www.entrust.net/CRL/Client1.crl0
url	http://crl.chambersign.org/publicnotaryroot.crl0
url	http://crl.comodo.net/AAACertificateServices.crl0
url	http://www.certplus.com/CRL/class3.crl0
url	http://logo.verisign.com/vslogo.gif0
url	http://www.acabogacia.org/doc0
url	http://www.disig.sk/ca/crl/ca_disig.crl0
url	https://www.catcert.net/verarrel
url	http://www.sk.ee/cps/0
url	http://www.quovadis.bm0
url	https://www.catcert.net/verarrel05
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
url	http://crl.chambersign.org/chambersroot.crl0
url	http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
url	http://crl.globalsign.net/root-r2.crl0
url	http://certificates.starfieldtech.com/repository/1604
url	http://www.d-trust.net0
url	http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
url	http://crl.ssc.lt/root-a/cacrl.crl0
url	http://crl.usertrust.com/UTN-DATACorpSGC.crl0
url	http://www.certicamara.com/certicamaraca.crl0
url	http://www.d-trust.net/crl/d-trust_root_class_2_ca_2007.crl0

Yara rule detected in process memory (50 out of 159 events)

description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet
description	Communications over P2P network	rule	network_p2p_win
description	Communications over HTTP	rule	network_http
description	File downloader/dropper	rule	network_dropper
description	Communications over FTP	rule	network_ftp
description	Communications over RAW socket	rule	network_tcp_socket
description	Communications use DNS	rule	network_dns
description	Communication using dga	rule	network_dga
description	Escalade priviledges	rule	escalate_priv
description	Take screenshot	rule	screenshot
description	Run a keylogger	rule	keylogger
description	Steal credential	rule	cred_local
description	Record Audio	rule	sniff_audio
description	APC queue tasks migration	rule	migrate_apc
description	Malware can spread east-west file	rule	spreading_file
description	Malware can spread east-west using share drive	rule	spreading_share
description	Create or check mutex	rule	win_mutex
description	Affect system registries	rule	win_registry
description	Affect system token	rule	win_token
description	Affect private profile	rule	win_private_profile
description	Affect private profile	rule	win_files_operation
description	Match Winsock 2 API library declaration	rule	Str_Win32_Winsock2_Library
description	Match Windows Inet API library declaration	rule	Str_Win32_Wininet_Library
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	Code injection with CreateRemoteThread in a remote process	rule	inject_thread
description	Create a windows service	rule	create_service
description	Create a COM server	rule	create_com_service
description	Communications over UDP network	rule	network_udp_sock
description	Listen for incoming communication	rule	network_tcp_listen
description	Communications smtp	rule	network_smtp_dotNet

Terminates another process (4 events)

Time & API	Arguments	Status
NtTerminateProcess March 16, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 8780 process_handle: 0x00000294
NtTerminateProcess March 16, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 8780 process_handle: 0x00000294	1
NtTerminateProcess March 16, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x00000230
NtTerminateProcess March 16, 2021, 6:19 p.m.	status_code: 0xffffffff process_identifier: 656 process_handle: 0x00000230	1

One or more of the buffers contains an embedded PE file (3 events)

buffer	Buffer with sha1: 66138688f07cf913ebea1b99cb50aa9be5d01132
buffer	Buffer with sha1: cd4ea5c8abbb691b0ab704c99d18a75277d2884b
buffer	Buffer with sha1: ce696e2a467318fb557d1c2b4b3ecd89193ca833

Communicates with host for which no DNS query was performed (1 event)

host

172.217.25.14

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 8780 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496	0
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3800 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000298	1	0	0

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation March 16, 2021, 6:19 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

IMG_70_36_361.pdf tried to sleep 13641050 seconds, actually delayed analysis time by 13641050 seconds

Harvests credentials from local FTP client softwares (5 events)

file	C:\Users\test22\AppData\Roaming\FTPGetter\servers.xml
file	C:\Users\test22\AppData\Roaming\Ipswitch\WS_FTP\Sites\ws_ftp.ini
file	C:\Users\test22\AppData\Roaming\FileZilla\recentservers.xml
registry	HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
registry	HKEY_CURRENT_USER\Software\FTPWare\COREFTP\Sites

Manipulates memory of a non-child process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 manipulating memory of non-child process 8780
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 8780 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496	0

Potential code injection by writing to the memory of another process (4 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELe:0`àX>v @ À@èuSX H.textDV X `.rsrcXZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: 8Ph ÄhêÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameZrXCRGpxpVakSFYHISJpmJBAIXbCIpozmudbvNd.exe(LegalCopyright ,OriginalFilenameZrXCRGpxpVakSFYHISJpmJBAIXbCIpozmudbvNd.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: p@6 base_address: 0x0043a000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3800 process_handle: 0x00000298	1	1

Code injection by writing an executable or DLL to the memory of another process (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELe:0`àX>v @ À@èuSX H.textDV X `.rsrcXZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3800 process_handle: 0x00000298	1	1	0

Harvests credentials from local email clients (5 events)

file	C:\Users\test22\AppData\Roaming\Thunderbird\profiles.ini
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Messaging Subsystem\Profiles\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
registry	HKEY_CURRENT_USER\Software\RimArts\B2\Settings
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 called NtSetContextThread to modify thread in remote process 3800
NtSetContextThread March 16, 2021, 6:19 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 3800	1	0	0

Found URLs in memory pointing to an IP address rather than a domain (potentially indicative of Command & Control traffic) (1 event)

url	http://127.0.0.1

url	https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%hash%%torpass%https://www.theonionrouter.com/dist.torproject.org/torbrowser/

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 656 resumed a thread in remote process 3800
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3800	1	0	0

Creates a suspicious Powershell process (1 event)

option

-executionpolicy bypass

value

Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

File has been identified by 20 AntiVirus engines on VirusTotal as malicious (20 events)

DrWeb	Trojan.PackedNET.568
FireEye	Generic.mg.39ad30ee42bfa03a
Cylance	Unsafe
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.d87810
BitDefenderTheta	Gen:NN.ZemsilF.34608.Ho0@aiF2DWl
APEX	Malicious
Avast	Win32:PWSX-gen [Trj]
Sophos	ML/PE-A
SentinelOne	Static AI - Malicious PE
ESET-NOD32	a variant of MSIL/Kryptik.ZXO
eGambit	Unsafe.AI_Score_97%
Microsoft	Trojan:Win32/Wacatac.B!ml
Cynet	Malicious (score: 100)
Malwarebytes	Malware.AI.4224824953
Rising	Trojan.Kryptik!8.8 (CLOUD)
AVG	Win32:PWSX-gen [Trj]
Panda	Trj/GdSda.A
CrowdStrike	win/malicious_confidence_90% (W)
Qihoo-360	HEUR/QVM03.0.EB78.Malware.Gen

Executed a process and injected code into it, probably while unpacking (33 events)

Time & API	Arguments	Status	Return
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 656	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 656	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000190 suspend_count: 1 process_identifier: 656	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000264 suspend_count: 1 process_identifier: 656	1	0
CreateProcessInternalW March 16, 2021, 6:19 p.m.	thread_identifier: 7032 thread_handle: 0x00000284 process_identifier: 3236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf' 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe' filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) inherit_handles: 1 process_handle: 0x00000278	1	1
CreateProcessInternalW March 16, 2021, 6:19 p.m.	thread_identifier: 6096 thread_handle: 0x00000284 process_identifier: 8780 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000028c	1	1
NtGetContextThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000284	1	0
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 8780 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000028c		3221225496
CreateProcessInternalW March 16, 2021, 6:19 p.m.	thread_identifier: 6952 thread_handle: 0x00000294 process_identifier: 3800 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\IMG_70_36_361.pdf stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x00000298	1	1
NtGetContextThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000294	1	0
NtAllocateVirtualMemory March 16, 2021, 6:19 p.m.	process_identifier: 3800 region_size: 245760 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x00000298	1	0
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $PELe:0`àX>v @ À@èuSX H.textDV X `.rsrcXZ@@.reloc `@B base_address: 0x00400000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: base_address: 0x00402000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: 8Ph ÄhêÄ4VS_VERSION_INFO½ïþ?DVarFileInfo$Translation°$StringFileInfo000004b0,FileDescription 0FileVersion0.0.0.0x,InternalNameZrXCRGpxpVakSFYHISJpmJBAIXbCIpozmudbvNd.exe(LegalCopyright ,OriginalFilenameZrXCRGpxpVakSFYHISJpmJBAIXbCIpozmudbvNd.exe4ProductVersion0.0.0.08Assembly Version0.0.0.0ï»¿<?xml version="1.0" encoding="UTF-8" standalone="yes"?> <assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/> <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2"> <security> <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3"> <requestedExecutionLevel level="asInvoker" uiAccess="false"/> </requestedPrivileges> </security> </trustInfo> </assembly> base_address: 0x00438000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: p@6 base_address: 0x0043a000 process_identifier: 3800 process_handle: 0x00000298	1	1
WriteProcessMemory March 16, 2021, 6:19 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3800 process_handle: 0x00000298	1	1
NtSetContextThread March 16, 2021, 6:19 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4421182 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000294 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000294 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000298 suspend_count: 1 process_identifier: 3236	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x000002ec suspend_count: 1 process_identifier: 3236	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000448 suspend_count: 1 process_identifier: 3236	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x00000494 suspend_count: 1 process_identifier: 3236	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x0000014c suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x000001c0 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x0000031c suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x0000033c suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x000003a0 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:19 p.m.	thread_handle: 0x0000041c suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:20 p.m.	thread_handle: 0x00000358 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:20 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:20 p.m.	thread_handle: 0x00000410 suspend_count: 1 process_identifier: 3800	1	0
NtResumeThread March 16, 2021, 6:21 p.m.	thread_handle: 0x00000454 suspend_count: 1 process_identifier: 3800	1	0

IMG_70_36_361.pdf

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All