From 7538cc3398236cff41e53767c18423f14c64d99f Mon Sep 17 00:00:00 2001
From: mether049
Date: Sun, 1 Mar 2020 03:43:34 +0900
Subject: [PATCH] Update detecting_ph_process.md
---
 detecting_ph_process.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/detecting_ph_process.md b/detecting_ph_process.md
index 128c692..9c7520b 100644
--- a/detecting_ph_process.md
+++ b/detecting_ph_process.md
@@ -139,7 +139,7 @@ PS> eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" $eql | Conv
 ```
 eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=7356"
 ```
-![](https://github.com/mether049/malware/blob/master/Trickbot/img/Identification%20of%20Hollowed%20out%20processes/eql1.PNG)
+![](https://github.com/mether049/malware/blob/master/Trickbot/img/Identification%20of%20Hollowed%20out%20processes/eql2.PNG?raw=true)
 ```
 eqllib query -f my-sysmon-data.json --source "Microsoft Sysmon" "process where pid=11228"