Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Aug. 14, 2024, 12:48 p.m.	Aug. 14, 2024, 12:50 p.m.

Size	2.6MB
Type	Little-endian UTF-16 Unicode text, with very long lines, with no line terminators
MD5	`aec611e3084360058cd20db4700ab825`
SHA256	`01ef47ae1018ff50f719769f273f0f36f224a7d2f29911ebf026712a8c9a9e6e`
CRC32	`6C385FB9`
ssdeep	`48:PG+wsNso7GrHZvvvvvvvvvvvvvvJvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvX:twsOoqsuC5kaAuq`
Yara	None matched

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "LDHiIDaing" C:\Users\test22\AppData\Local\Temp\ud.bat
1648
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\ud.bat
  2124
  - cmd.exe cmd /c C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py;
    2236
    - powershell.exe C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py;
      2304

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (6 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 14, 2024, 12:48 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 14, 2024, 12:48 p.m.			0	0

Command line console output was observed (15 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: abcdefghycdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghykcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohbQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%b% console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: abcdefghycdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmbg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%b% console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: anohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghykcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdefghyklmnohmoabcdeZg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Zw%aA%eQ%aw%bA%bQ%bg%bw%aA%bQ%bw%YQ%Yg%Yw%ZA%ZQ%Zg%Z% console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: The term 'C:\\Users\\Public\\Document\\python' is not recognized as the name of console_handle: 0x00000023	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: a cmdlet, function, script file, or operable program. Check the spelling of th console_handle: 0x0000002f	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: e name, or if a path was included, verify that the path is correct and try agai console_handle: 0x0000003b	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: n. console_handle: 0x00000047	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: At line:1 char:36 console_handle: 0x00000053	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: + C:\\Users\\Public\\Document\\python <<<< C:\Users\Public\Document\Lib\sim.py console_handle: 0x0000005f	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: + CategoryInfo : ObjectNotFound: (C:\\Users\\Public\\Document\\py console_handle: 0x00000077	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: thon:String) [], CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Aug. 14, 2024, 12:48 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1

Uses Windows APIs to generate a cryptographic key (46 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0062fae0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab3f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab178 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab338 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab2f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab478 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 14, 2024, 12:48 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006ab538 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 14, 2024, 12:48 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 137 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02670000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02720000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02622000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02721000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02623000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02624000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02697000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02682000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02695000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02625000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0268c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02626000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0269c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02683000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02684000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02685000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02686000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02687000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02688000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02689000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c70000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c71000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c72000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c73000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c74000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c75000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c76000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c77000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c78000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c79000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04c7f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05020000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05021000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05022000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05023000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 14, 2024, 12:48 p.m.	process_identifier: 2304 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05024000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (2 events)

cmdline	cmd /c C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py;
cmdline	C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py;

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
CreateProcessInternalW Aug. 14, 2024, 12:48 p.m.	thread_identifier: 2240 thread_handle: 0x00000088 process_identifier: 2236 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\cmd.exe track: 1 command_line: cmd /c C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py; filepath_r: C:\Windows\system32\cmd.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0
CreateProcessInternalW Aug. 14, 2024, 12:48 p.m.	thread_identifier: 2308 thread_handle: 0x00000084 process_identifier: 2304 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe -windowstyle hidden C:\\Users\\Public\\Document\\python C:\Users\Public\Document\Lib\sim.py; filepath_r: C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000088	1	1	0

File has been identified by 5 AntiVirus engines on VirusTotal as malicious (5 events)

Kaspersky	HEUR:Trojan.BAT.Setter.gen
Ikarus	Trojan.BAT.Obfuscated
Google	Detected
ZoneAlarm	HEUR:Trojan.BAT.Setter.gen
huorong	VirTool/BAT.Obfuscator.d

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW Aug. 14, 2024, 12:48 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Creates a suspicious Powershell process (2 events)

option	-windowstyle hidden				value	Attempts to execute command with a hidden window
option	-windowstyle hidden				value	Attempts to execute command with a hidden window

ud.bat

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All