Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	March 31, 2025, 12:07 p.m.	March 31, 2025, 12:22 p.m.

Size	1.3MB
Type	ASCII text, with very long lines, with CRLF line terminators
MD5	`642647cf863119977d7bd52e848e0cfe`
SHA256	`7eb324d64219307096ea286640458671dc964fb218395d775dc5fe5e7f339e00`
CRC32	`F6F645FD`
ssdeep	`24576:9/OLuXkd8CEp3qX7+72VjDacVozozgfvugmBxOv1uC:IHd6qXakmiBKV`
Yara	hide_executable_file - Hide executable file

powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy unrestricted -File C:\Users\test22\AppData\Local\Temp\pdf.ps1
2544
- tmpF8C7.exe "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"
  2704
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"
    2904
  - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe"
    2960
  - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp"
    3000
  - tmpF8C7.exe "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"
    800
    - process.exe "C:\ProgramData\Tencent\process.exe"
      148
      - schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp"
        2784
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe"
        2612
      - powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Tencent\process.exe"
        2716
      - process.exe "C:\ProgramData\Tencent\process.exe"
        1796
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\vyfeuhxwjibvrjt"
        2760
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\fasonaiqxqtibpizyt"
        2084
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\quyhostrlzlneeedpehqj"
        3008
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\ndzrljywndhla"
        2664
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\xgeklcjyjlzycrsr"
        828
        
        recover.exe C:\Windows\SysWOW64\recover.exe /stext "C:\Users\test22\AppData\Local\Temp\hajumutsxtrdnxgvappx"
        2696

Name	Response	Post-Analysis Lookup
geoplugin.net	A 178.237.33.50	178.237.33.50

IP Address	Status	Action
103.28.89.34	Active	Moloch
164.124.101.2	Active	Moloch
178.237.33.50	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 192.168.56.101:49182 -> 103.28.89.34:10101	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.101:49180 -> 103.28.89.34:10101	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.101:49183 -> 103.28.89.34:10101	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected
TCP 192.168.56.101:49184 -> 103.28.89.34:10101	2036594	ET JA3 Hash - Remcos 3.x/4.x TLS Connection	Malware Command and Control Activity Detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.3 192.168.56.101:49182 103.28.89.34:10101	None	None	None
TLS 1.3 192.168.56.101:49183 103.28.89.34:10101	None	None	None
TLS 1.3 192.168.56.101:49180 103.28.89.34:10101	None	None	None
TLS 1.3 192.168.56.101:49184 103.28.89.34:10101	None	None	None

Queries for the computername (30 events)

Time & API	Arguments	Status	Return
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameA March 31, 2025, 12:08 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (10 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent March 31, 2025, 12:07 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:07 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0
IsDebuggerPresent March 31, 2025, 12:08 p.m.			0	0

Command line console output was observed (38 events)

Time & API	Arguments	Status	Return
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Local\Temp\tmpF console_handle: 0x00000053	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: 8C7.exe console_handle: 0x0000005f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\gFnEPEu console_handle: 0x00000053	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: EhX.exe console_handle: 0x0000005f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: SUCCESS: The scheduled task "Updates\gFnEPEuEhX" has successfully been created. console_handle: 0x00000007	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: Cannot create a file when that file already exists. console_handle: 0x0000000b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\Users\test22\AppData\Roaming\gFnEPEu console_handle: 0x00000053	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: EhX.exe console_handle: 0x0000005f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000006b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: mmandNotFoundException console_handle: 0x00000077	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000083	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: The term 'Add-MpPreference' is not recognized as the name of a cmdlet, function console_handle: 0x00000023	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: , script file, or operable program. Check the spelling of the name, or if a pat console_handle: 0x0000002f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: h was included, verify that the path is correct and try again. console_handle: 0x0000003b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: At line:1 char:17 console_handle: 0x00000047	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + Add-MpPreference <<<< -ExclusionPath C:\ProgramData\Tencent\process.exe console_handle: 0x00000053	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + CategoryInfo : ObjectNotFound: (Add-MpPreference:String) [], Co console_handle: 0x0000005f	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: mmandNotFoundException console_handle: 0x0000006b	1	1
WriteConsoleW March 31, 2025, 12:08 p.m.	buffer: + FullyQualifiedErrorId : CommandNotFoundException console_handle: 0x00000077	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 186 events)

Time & API	Arguments	Status	Return
CryptExportKey March 31, 2025, 12:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x060017f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:07 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x060017f0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040dec0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e2c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e180 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e1c0 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e040 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e340 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0040e400 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0020c6d8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey March 31, 2025, 12:08 p.m.	buffer: <INVALID POINTER> crypto_handle: 0x0020cdd8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Tries to locate where the browsers are installed (2 events)

file	C:\Program Files\Google\Chrome\Application\Chrome.exe
file	C:\Program Files (x86)\Mozilla Firefox\nss3.dll

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx March 31, 2025, 12:07 p.m.		1	1	0

One or more processes crashed (1 event)

Time & API	Arguments	Status	Return	Repeated
__exception__ March 31, 2025, 12:08 p.m.	stacktrace: CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194 LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1 0xabd925 0xabbea2 DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72181838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72181737 mscorlib+0x2d3711 @ 0x71413711 mscorlib+0x308f2d @ 0x71448f2d 0xab4efa 0xab243f DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72181838 LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72181737 mscorlib+0x2d36ad @ 0x714136ad mscorlib+0x308f2d @ 0x71448f2d mscorlib+0x2cb060 @ 0x7140b060 0xab03a6 0xab008b DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652 DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95 DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610 CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4 CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67 CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a _CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a _CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3 CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16 _CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3 RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0xe0434f4e exception.offset: 46887 exception.address: 0x7597b727 registers.esp: 2876640 registers.edi: 0 registers.eax: 2876640 registers.ebp: 2876720 registers.edx: 0 registers.ebx: 7948128 registers.esi: 7379072 registers.ecx: 365551265	1	0	0

Time & API

Arguments

Status

Return

Repeated

__exception__

March 31, 2025, 12:08 p.m.

stacktrace:

CopyPDBs+0x1b552 DllCanUnloadNowInternal-0x25a85 clr+0x1b1194 @ 0x722b1194
LogHelp_TerminateOnAssert+0x14061 GetPrivateContextsPerfCounters-0x53e1 clr+0x82ba1 @ 0x72182ba1
0xabd925
0xabbea2
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72181838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72181737
mscorlib+0x2d3711 @ 0x71413711
mscorlib+0x308f2d @ 0x71448f2d
0xab4efa
0xab243f
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
LogHelp_TerminateOnAssert+0x12cf8 GetPrivateContextsPerfCounters-0x674a clr+0x81838 @ 0x72181838
LogHelp_TerminateOnAssert+0x12bf7 GetPrivateContextsPerfCounters-0x684b clr+0x81737 @ 0x72181737
mscorlib+0x2d36ad @ 0x714136ad
mscorlib+0x308f2d @ 0x71448f2d
mscorlib+0x2cb060 @ 0x7140b060
0xab03a6
0xab008b
DllUnregisterServerInternal-0x7aa2 clr+0x2652 @ 0x72102652
DllRegisterServerInternal+0x243 CoUninitializeEE-0xd1f5 clr+0x1264f @ 0x7211264f
DllRegisterServerInternal+0xa89 CoUninitializeEE-0xc9af clr+0x12e95 @ 0x72112e95
DllGetClassObjectInternal+0x2473 CorDllMainForThunk-0x8a088 clr+0xc74ec @ 0x721c74ec
DllGetClassObjectInternal+0x2597 CorDllMainForThunk-0x89f64 clr+0xc7610 @ 0x721c7610
CorDllMainForThunk+0x850 _CorExeMain-0x238a clr+0x151dc4 @ 0x72251dc4
CorDllMainForThunk+0x8f3 _CorExeMain-0x22e7 clr+0x151e67 @ 0x72251e67
CorDllMainForThunk+0xa06 _CorExeMain-0x21d4 clr+0x151f7a @ 0x72251f7a
_CorExeMain+0x1c ClrCreateManagedInstance-0x35cd clr+0x15416a @ 0x7225416a
_CorExeMain+0x71 GetFileVersion-0x293a mscoreei+0xf5a3 @ 0x741af5a3
CreateConfigStream+0x13f GetProcessExecutableHeap-0xad6 mscoree+0x7f16 @ 0x73fa7f16
_CorExeMain+0x8 CreateConfigStream-0x2ff4 mscoree+0x4de3 @ 0x73fa4de3
RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x76f49ed2
RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x76f49ea5

exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b
exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727
exception.instruction: leave
exception.module: KERNELBASE.dll
exception.exception_code: 0xe0434f4e
exception.offset: 46887
exception.address: 0x7597b727
registers.esp: 2876640
registers.edi: 0
registers.eax: 2876640
registers.ebp: 2876720
registers.edx: 0
registers.ebx: 7948128
registers.esi: 7379072
registers.ecx: 365551265

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

HTTP traffic contains suspicious features which may be indicative of malware related traffic (1 event)

suspicious_features

GET method with no useragent header

suspicious_request

GET http://geoplugin.net/json.gp

Performs some HTTP requests (1 event)

request

GET http://geoplugin.net/json.gp

Allocates read-write-execute memory (usually to unpack itself) (50 out of 633 events)

Time & API	Arguments	Status
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026db000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026ef000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x026b9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05650000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2544 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x05651000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 262144 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00430000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a1000 process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x727a2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 1441792 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x020c0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x021e0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00562000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00595000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0059b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00597000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00810000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0056a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0058a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00587000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00811000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x732e2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00586000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:07 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00812000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00813000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00814000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00815000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0057e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00816000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00817000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00818000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00819000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081d000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081e000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2704 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0081f000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 983040 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a30000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eb21000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0277a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x6eb22000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a31000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02a32000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 2904 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ea000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

A process attempted to delay the analysis task. (1 event)

description

process.exe tried to sleep 229 seconds, actually delayed analysis time by 229 seconds

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (6 events)

Time & API	Arguments	Status	Return
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1
GetDiskFreeSpaceW March 31, 2025, 12:08 p.m.	number_of_free_clusters: 8362495 sectors_per_cluster: 8362495 bytes_per_sector: 512 root_path: C: total_number_of_clusters: 8362495	1	1

Steals private information from local Internet browsers (50 out of 142 events)

file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\WidevineCdm\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\FileTypePolicies\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 39
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 38
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 35
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 34
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 37
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 36
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 31
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 30
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 33
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 32
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateTransparency\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Web Data-wal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\PnaclTranslationCache\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 28
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 29
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 22
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 23
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 20
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 21
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 26
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 27
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 24
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 25
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SwReporter\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Default\Login Data-journal
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Crashpad\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 59
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 58
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 53
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 52
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 51
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 50
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 57
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 56
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 55
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\Profile 54
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\BrowserMetrics\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\pnacl\Web Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\SSLErrorAssistant\Login Data
file	C:\Users\test22\AppData\Local\Google\Chrome\User Data\CertificateRevocation\Login Data

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe

Creates a shortcut to an executable file (1 event)

file	C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk

Creates a suspicious process (10 events)

cmdline	schtasks.exe /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe"
cmdline	schtasks.exe /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Tencent\process.exe"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp"
cmdline	powershell Add-MpPreference -ExclusionPath "C:\ProgramData\Tencent\process.exe"
cmdline	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"

Drops an executable to the user AppData folder (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe

A process created a hidden window (6 events)

Time & API	Arguments	Status	Return
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe" filepath: powershell	1	1
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe" filepath: powershell	1	1
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp" filepath: schtasks.exe	1	1
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\ProgramData\Tencent\process.exe" filepath: powershell	1	1
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: powershell parameters: Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe" filepath: powershell	1	1
ShellExecuteExW March 31, 2025, 12:08 p.m.	show_type: 0 filepath_r: schtasks.exe parameters: /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp" filepath: schtasks.exe	1	1

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (3 events)

Time & API	Arguments	Status	Return
Process32NextW March 31, 2025, 12:08 p.m.	snapshot_handle: 0x00000124 process_name: process.exe process_identifier: 1796	1	1
Process32NextW March 31, 2025, 12:08 p.m.	snapshot_handle: 0x00000124 process_name: taskhost.exe process_identifier: 1108	1	1
Process32NextW March 31, 2025, 12:08 p.m.	snapshot_handle: 0x00000124 process_name: recover.exe process_identifier: 828	1	1

File has been identified by 8 AntiVirus engines on VirusTotal as malicious (8 events)

Skyhigh	BehavesLike.PS.Dropper.tn
Symantec	Scr.Malcode!gdn34
ESET-NOD32	a variant of MSIL/Kryptik.ANKQ
Kaspersky	UDS:DangerousObject.Multi.Generic
Microsoft	Trojan:MSIL/AgentTesla!rfn
Tencent	Msil.Trojan-Spy.Noon.Bujl
huorong	Trojan/PS.Encpe.a
alibabacloud	Trojan[spy]:MSIL/AgentTesla.RBS2XJC

Checks for the Locally Unique Identifier on the system for a suspicious privilege (8 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW March 31, 2025, 12:08 p.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 104 events)

description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Run a KeyLogger	rule	KeyLogger
description	Take ScreenShot	rule	ScreenShot
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Client_SW_User_Data_Stealer	rule	Client_SW_User_Data_Stealer
description	Win Backdoor RemcosRAT	rule	Win_Backdoor_RemcosRAT
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	browser info stealer	rule	infoStealer_browser_Zero
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Google Chrome User Data Check	rule	Chrome_User_Data_Check_Zero
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications use DNS	rule	Network_DNS
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg

Queries for potentially installed applications (2 events)

Time & API	Arguments	Status	Return	Repeated
RegOpenKeyExA March 31, 2025, 12:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0
RegOpenKeyExA March 31, 2025, 12:08 p.m.	regkey_r: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian base_handle: 0x80000002 key_handle: 0x00000000 options: 0 access: 0x00020019 regkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Trillian		2	0

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	schtasks.exe /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp"
cmdline	schtasks.exe /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp"
cmdline	"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp"

Communicates with host for which no DNS query was performed (1 event)

host

103.28.89.34

Allocates execute permission to another process indicative of possible code injection (2 events)

Time & API	Arguments	Status	Return	Repeated
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 800 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	1	0	0
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 1796 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x0000040c	1	0	0

Installs itself for autorun at Windows startup (4 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-HP44IR	reg_value	"C:\ProgramData\Tencent\process.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HP44IR	reg_value	"C:\ProgramData\Tencent\process.exe"
reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Rmc-HP44IR	reg_value	"C:\ProgramData\Tencent\process.exe"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-HP44IR	reg_value	"C:\ProgramData\Tencent\process.exe"

Drops a binary and executes it (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe

Harvests information related to installed instant messenger clients (5 events)

file	C:\Users\test22\AppData\Roaming\Digsby\digsby.dat
file	C:\Users\test22\AppData\Roaming\MySpace\IM\users.txt
registry	HKEY_CURRENT_USER\Software\America Online\AIM6\Passwords
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
registry	HKEY_CURRENT_USER\Software\Paltalk

Potential code injection by writing to the memory of another process (12 events)

Time & API	Arguments	Status	Return
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe¦6¦6¦6¼W6¦6¼U6£¦6¼T6¦6s"6 ¦6«a6 ¦6Zc£76¦6Zc¢7)¦6Zc¥7¦6s56¦6§6O ¦6¥b¯7l¦6¥bY6 ¦6¥b¤7 ¦6Rich¦6PEL+C¼gàr&dM@ØÜJÐ¬<pæ8Hç¨æ@ü.text[qr `.rdataæv@@.data,^ @À.rsrcÜJL@@.reloc¬<Ð>^@B base_address: 0x00400000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿCopyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED. ÿÿÿÿ ßEâEßE..!G6G6G6G6G6G6G6G6G6G!G6G6G6G6G6G6G6G!GÿÿÿÿâE¨"G¨"G¨"G¨"G¨"G!GäEæEìEè!G'GCPSTPDT°"Gð"Gÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'GþÿÿÿþÿÿÿuÿÿÿÿÏ!tåa¾e¸Â¢z»^ âÈ¨3ØØF²HAäØFRKAðØFwHAE.?AVtype_info@@E.?AVbad_alloc@std@@E.?AVbad_array_new_length@std@@E.?AVlogic_error@std@@E.?AVlength_error@std@@E.?AVout_of_range@std@@E.?AVerror_category@std@@E.?AV_Generic_error_category@std@@E.?AV_Facet_base@std@@E.?AV_Locimp@locale@std@@E.?AVfacet@locale@std@@E.?AU_Crt_new_delete@std@@E.?AVcodecvt_base@std@@E.?AUctype_base@std@@E.?AV?$ctype@D@std@@E.?AV?$codecvt@DDU_Mbstatet@@@std@@E.?AVbad_exception@std@@E.HE.?AVfailure@ios_base@std@@E.?AVruntime_error@std@@E.?AVsystem_error@std@@E.?AVbad_cast@std@@E.?AV_System_error@std@@E.?AVexception@std@@ base_address: 0x00472000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe¦6¦6¦6¼W6¦6¼U6£¦6¼T6¦6s"6 ¦6«a6 ¦6Zc£76¦6Zc¢7)¦6Zc¥7¦6s56¦6§6O ¦6¥b¯7l¦6¥bY6 ¦6¥b¤7 ¦6Rich¦6PEL+C¼gàr&dM@ØÜJÐ¬<pæ8Hç¨æ@ü.text[qr `.rdataæv@@.data,^ @À.rsrcÜJL@@.reloc¬<Ð>^@B base_address: 0x00400000 process_identifier: 1796 process_handle: 0x0000040c	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿCopyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED. ÿÿÿÿ ßEâEßE..!G6G6G6G6G6G6G6G6G6G!G6G6G6G6G6G6G6G!GÿÿÿÿâE¨"G¨"G¨"G¨"G¨"G!GäEæEìEè!G'GCPSTPDT°"Gð"Gÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'GþÿÿÿþÿÿÿuÿÿÿÿÏ!tåa¾e¸Â¢z»^ âÈ¨3ØØF²HAäØFRKAðØFwHAE.?AVtype_info@@E.?AVbad_alloc@std@@E.?AVbad_array_new_length@std@@E.?AVlogic_error@std@@E.?AVlength_error@std@@E.?AVout_of_range@std@@E.?AVerror_category@std@@E.?AV_Generic_error_category@std@@E.?AV_Facet_base@std@@E.?AV_Locimp@locale@std@@E.?AVfacet@locale@std@@E.?AU_Crt_new_delete@std@@E.?AVcodecvt_base@std@@E.?AUctype_base@std@@E.?AV?$ctype@D@std@@E.?AV?$codecvt@DDU_Mbstatet@@@std@@E.?AVbad_exception@std@@E.HE.?AVfailure@ios_base@std@@E.?AVruntime_error@std@@E.?AVsystem_error@std@@E.?AVbad_cast@std@@E.?AV_System_error@std@@E.?AVexception@std@@ base_address: 0x00472000 process_identifier: 1796 process_handle: 0x0000040c	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 1796 process_handle: 0x0000040c	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2760 process_handle: 0x00000380	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2084 process_handle: 0x00000380	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 3008 process_handle: 0x00000380	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2664 process_handle: 0x00000364	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 828 process_handle: 0x00000364	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 2696 process_handle: 0x00000364	1	1

Code injection by writing an executable or DLL to the memory of another process (2 events)

Time & API	Arguments	Status	Return	Repeated
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe¦6¦6¦6¼W6¦6¼U6£¦6¼T6¦6s"6 ¦6«a6 ¦6Zc£76¦6Zc¢7)¦6Zc¥7¦6s56¦6§6O ¦6¥b¯7l¦6¥bY6 ¦6¥b¤7 ¦6Rich¦6PEL+C¼gàr&dM@ØÜJÐ¬<pæ8Hç¨æ@ü.text[qr `.rdataæv@@.data,^ @À.rsrcÜJL@@.reloc¬<Ð>^@B base_address: 0x00400000 process_identifier: 800 process_handle: 0x000003cc	1	1	0
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe¦6¦6¦6¼W6¦6¼U6£¦6¼T6¦6s"6 ¦6«a6 ¦6Zc£76¦6Zc¢7)¦6Zc¥7¦6s56¦6§6O ¦6¥b¯7l¦6¥bY6 ¦6¥b¤7 ¦6Rich¦6PEL+C¼gàr&dM@ØÜJÐ¬<pæ8Hç¨æ@ü.text[qr `.rdataæv@@.data,^ @À.rsrcÜJL@@.reloc¬<Ð>^@B base_address: 0x00400000 process_identifier: 1796 process_handle: 0x0000040c	1	1	0

Creates a windows hook that monitors keyboard input (keylogger) (1 event)

Time & API	Arguments	Status	Return	Repeated
SetWindowsHookExA March 31, 2025, 12:08 p.m.	thread_identifier: 0 callback_function: 0x00409d0a hook_identifier: 13 (WH_KEYBOARD_LL) module_address: 0x00400000	1	1114591	0

Harvests credentials from local email clients (6 events)

registry	HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
registry	HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
registry	HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
registry	HKEY_LOCAL_MACHINE\Software\Mozilla\Mozilla Thunderbird
registry	HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts

Used NtSetContextThread to modify a thread in a remote process indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2704 called NtSetContextThread to modify thread in remote process 800
Process injection	Process 148 called NtSetContextThread to modify thread in remote process 1796
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 2760
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 2084
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 3008
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 2664
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 828
Process injection	Process 1796 called NtSetContextThread to modify thread in remote process 2696
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4410724 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f4 process_identifier: 800	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4410724 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000002bc process_identifier: 1796	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 1900256 registers.edi: 0 registers.eax: 4483372 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000378 process_identifier: 2760	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 2488820 registers.edi: 0 registers.eax: 4583992 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000378 process_identifier: 2084	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 719396 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000378 process_identifier: 3008	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 654448 registers.edi: 0 registers.eax: 4483372 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000384 process_identifier: 2664	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 3013068 registers.edi: 0 registers.eax: 4583992 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000384 process_identifier: 828	1	0	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1995571652 registers.esp: 654580 registers.edi: 0 registers.eax: 4334086 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x00000384 process_identifier: 2696	1	0	0

One or more non-whitelisted processes were created (1 event)

parent_process

powershell.exe

martian_process

"C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe"

Resumed a suspended thread in a remote process potentially indicative of process injection (16 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2704 resumed a thread in remote process 800
Process injection	Process 148 resumed a thread in remote process 1796
Process injection	Process 1796 resumed a thread in remote process 2760
Process injection	Process 1796 resumed a thread in remote process 2084
Process injection	Process 1796 resumed a thread in remote process 3008
Process injection	Process 1796 resumed a thread in remote process 2664
Process injection	Process 1796 resumed a thread in remote process 828
Process injection	Process 1796 resumed a thread in remote process 2696
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 800	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002bc suspend_count: 1 process_identifier: 1796	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 2760	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 2084	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000378 suspend_count: 1 process_identifier: 3008	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2664	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 828	1	0	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000384 suspend_count: 1 process_identifier: 2696	1	0	0

The process powershell.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe

Executed a process and injected code into it, probably while unpacking (50 out of 115 events)

Time & API	Arguments	Status	Return
CreateProcessInternalW March 31, 2025, 12:07 p.m.	thread_identifier: 2708 thread_handle: 0x000004c8 process_identifier: 2704 current_directory: C:\Users\test22\AppData\Local\Temp filepath: track: 1 command_line: "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe" filepath_r: stack_pivoted: 0 creation_flags: 0 () inherit_handles: 1 process_handle: 0x000003a4	1	1
NtResumeThread March 31, 2025, 12:07 p.m.	thread_handle: 0x0000037c suspend_count: 1 process_identifier: 2544	1	0
NtResumeThread March 31, 2025, 12:07 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread March 31, 2025, 12:07 p.m.	thread_handle: 0x00000150 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread March 31, 2025, 12:07 p.m.	thread_handle: 0x0000018c suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x0000025c suspend_count: 1 process_identifier: 2704	1	0
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e0	1	0
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e0	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e0 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002ac suspend_count: 1 process_identifier: 2704	1	0
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2908 thread_handle: 0x000003f4 process_identifier: 2904 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003fc	1	1
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2964 thread_handle: 0x000003b0 process_identifier: 2960 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003e8	1	1
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 3004 thread_handle: 0x000003a4 process_identifier: 3000 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmp581D.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003fc	1	1
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 1728 thread_handle: 0x000003f4 process_identifier: 800 current_directory: filepath: C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe track: 1 command_line: filepath_r: C:\Users\test22\AppData\Local\Temp\tmpF8C7.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x000003cc	1	1
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000003f4	1	0
NtAllocateVirtualMemory March 31, 2025, 12:08 p.m.	process_identifier: 800 region_size: 528384 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x00400000 allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) process_handle: 0x000003cc	1	0
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: MZÿÿ¸@º´ Í!¸LÍ!This program cannot be run in DOS mode. $LjÈe¦6¦6¦6¼W6¦6¼U6£¦6¼T6¦6s"6 ¦6«a6 ¦6Zc£76¦6Zc¢7)¦6Zc¥7¦6s56¦6§6O ¦6¥b¯7l¦6¥bY6 ¦6¥b¤7 ¦6Rich¦6PEL+C¼gàr&dM@ØÜJÐ¬<pæ8Hç¨æ@ü.text[qr `.rdataæv@@.data,^ @À.rsrcÜJL@@.reloc¬<Ð>^@B base_address: 0x00400000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: base_address: 0x00401000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: base_address: 0x00459000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: ÿÿÿÿ±¿DNæ@»ÿÿÿÿCopyright (c) by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED. ÿÿÿÿ ßEâEßE..!G6G6G6G6G6G6G6G6G6G!G6G6G6G6G6G6G6G!GÿÿÿÿâE¨"G¨"G¨"G¨"G¨"G!GäEæEìEè!G'GCPSTPDT°"Gð"Gÿÿÿÿÿÿÿÿÿÿÿÿ ¤`y!¦ß¡¥àü@~ü¨Á£Ú£ þ@þµÁ£Ú£ þAþ¶Ï¢ä¢å¢è¢[þ@~¡þQQÚ^Ú _ÚjÚ2ÓØÞàù1~þ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'GþÿÿÿþÿÿÿuÿÿÿÿÏ!tåa¾e¸Â¢z»^ âÈ¨3ØØF²HAäØFRKAðØFwHAE.?AVtype_info@@E.?AVbad_alloc@std@@E.?AVbad_array_new_length@std@@E.?AVlogic_error@std@@E.?AVlength_error@std@@E.?AVout_of_range@std@@E.?AVerror_category@std@@E.?AV_Generic_error_category@std@@E.?AV_Facet_base@std@@E.?AV_Locimp@locale@std@@E.?AVfacet@locale@std@@E.?AU_Crt_new_delete@std@@E.?AVcodecvt_base@std@@E.?AUctype_base@std@@E.?AV?$ctype@D@std@@E.?AV?$codecvt@DDU_Mbstatet@@@std@@E.?AVbad_exception@std@@E.HE.?AVfailure@ios_base@std@@E.?AVruntime_error@std@@E.?AVsystem_error@std@@E.?AVbad_cast@std@@E.?AV_System_error@std@@E.?AVexception@std@@ base_address: 0x00472000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: base_address: 0x00478000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: base_address: 0x0047d000 process_identifier: 800 process_handle: 0x000003cc	1	1
WriteProcessMemory March 31, 2025, 12:08 p.m.	buffer: @ base_address: 0x7efde008 process_identifier: 800 process_handle: 0x000003cc	1	1
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 0 registers.esp: 0 registers.edi: 0 registers.eax: 4410724 registers.ebp: 0 registers.edx: 0 registers.ebx: 2130567168 registers.esi: 0 registers.ecx: 0 thread_handle: 0x000003f4 process_identifier: 800	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000003f4 suspend_count: 1 process_identifier: 800	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000003e8 suspend_count: 1 process_identifier: 2704	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002a8 suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002fc suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000004b8 suspend_count: 1 process_identifier: 2904	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002f8 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000458 suspend_count: 1 process_identifier: 2960	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000004b8 suspend_count: 1 process_identifier: 2960	1	0
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2232 thread_handle: 0x000001fc process_identifier: 148 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\ProgramData\Tencent\process.exe track: 1 command_line: "C:\ProgramData\Tencent\process.exe" filepath_r: C:\ProgramData\Tencent\process.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000204	1	1
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000dc suspend_count: 1 process_identifier: 148	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000154 suspend_count: 1 process_identifier: 148	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x00000198 suspend_count: 1 process_identifier: 148	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002a4 suspend_count: 1 process_identifier: 148	1	0
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2736 thread_handle: 0x000003f8 process_identifier: 2716 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Tencent\process.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000404	1	1
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2604 thread_handle: 0x000003b4 process_identifier: 2612 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\test22\AppData\Roaming\gFnEPEuEhX.exe" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x000003ec	1	1
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 2372 thread_handle: 0x000003a8 process_identifier: 2784 current_directory: C:\Users\test22\AppData\Local\Temp filepath: C:\Windows\System32\schtasks.exe track: 1 command_line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gFnEPEuEhX" /XML "C:\Users\test22\AppData\Local\Temp\tmpB0BD.tmp" filepath_r: C:\Windows\System32\schtasks.exe stack_pivoted: 0 creation_flags: 67634192 (CREATE_DEFAULT_ERROR_MODE\|CREATE_NEW_CONSOLE\|CREATE_UNICODE_ENVIRONMENT\|EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 0 process_handle: 0x00000404	1	1
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000003a8 suspend_count: 1 process_identifier: 148	1	0
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e8	1	0
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e8	1	0
NtSetContextThread March 31, 2025, 12:08 p.m.	registers.eip: 1914186628 registers.esp: 2876848 registers.edi: 2876900 registers.eax: 80 registers.ebp: 2876928 registers.edx: 109071 registers.ebx: 498689 registers.esi: 70264496 registers.ecx: 154 thread_handle: 0x000000e8 process_identifier: 148	1	0
NtResumeThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000000e8 suspend_count: 1 process_identifier: 148	1	0
CreateProcessInternalW March 31, 2025, 12:08 p.m.	thread_identifier: 1792 thread_handle: 0x000002bc process_identifier: 1796 current_directory: filepath: C:\ProgramData\Tencent\process.exe track: 1 command_line: filepath_r: C:\ProgramData\Tencent\process.exe stack_pivoted: 0 creation_flags: 134217732 (CREATE_NO_WINDOW\|CREATE_SUSPENDED) inherit_handles: 0 process_handle: 0x0000040c	1	1
NtGetContextThread March 31, 2025, 12:08 p.m.	thread_handle: 0x000002bc	1	0

pdf.ps1

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All